Do you know where your data is?
Within many organizations, most confidential data is stored in an Enterprise Resource Planning (ERP) system such as SalesForce, WorkDay, or SAP. Since these systems have solid technical and security controls built-in, executives often have a false sense of security, and they trust that their digital assets, confidential data, and intellectual property are all properly protected.
“Trouble occurs because of weaknesses in policies, procedures and processes — not because of flawed technology”
From a technical perspective, this might be true: ERPs generally follow InfoSec best practices to keep assets well-protected and properly secured. But on a daily basis, staff members unwittingly threaten the confidentiality of their employer’s digital assets. Weak information governance mixed with unintentionally creative workarounds leads to an environment where confidential data escapes the tight controls of the ERP system and, as a result, becomes much more vulnerable to exfiltration. Trouble occurs because of weaknesses in policies, procedures, and processes — not because of flawed technology.
For instance, social security numbers, credit card information, account numbers, and financial transactions are all usually well-protected and properly stored within an ERP. But once someone exports such data to a spreadsheet, it suddenly becomes an entirely different situation.
Exported data is often stored in poorly-protected ways — on unencrypted laptops and other mobile devices, emailed to other people, saved to a personal Dropbox account, or posted to a widely-accessible shared drive. Often, staff place files in these types of locations with good intentions; they’re just looking for a temporary place to store files they’re actively using. But the reality is that users are notoriously bad at later deleting these supposedly-ephemeral files.
That’s where the breaches occur: in the spaces where the data has been exported into a spreadsheet or PDF and then is improperly stored, often for extended periods of time before someone takes notice.
Proactive Data Loss Prevention
Performing a data loss prevention (DLP) inventory is a critical first step towards ensuring that your organization’s data — no matter where it is stored — is properly protected. The result of a DLP inventory is a report which describes the types of confidential data elements in use within an organization, identifies the system of record and data owner for each type of record, and records the locations of the files and systems which contain — or may contain — these data elements. A DLP inventory is an extremely valuable way to shed light on where your company has accessible confidential data.
In order to identify examples of weak InfoSec practices, organizations should carry out DLP inventories frequently and regularly. But carrying out inventories is not enough; to make an impact, organizations need to act on the results.
Follow-up is where most organizations fall short — instead of addressing issues that surface during a DLP inventory, the results end up captured in a report that then languishes on an IT staff member’s shelf.
DLP Inventories: Automation vs. the Human Touch?
DLP inventories can happen in multiple ways: via an automated tool, carried out by a human, or, ideally, using a combination of people and technology.
Automated scans, using one of the many open source or commercial tools available, accelerate the process and make it easier to carry out inventories on a regular basis by letting machines do the heavy lifting. But the outputs from automated scans still need to be reviewed: they are prone to false positives and require some interpretation and fine-tuning to improve the methodology for future iterations.
“Lack of strong information governance plus creative workarounds = vulnerable confidential data”
For instance, social security numbers often use a common format — 123-45-6789 — but many other numeric identifiers — inventory numbers, serial numbers, software license keys — often follow the same pattern. What looks like an SSN to a system could actually be an employee identification number, a patient ID, or even a random match inside a binary blob in an image file. An automated tool might identify a photo from the company’s summer picnic as containing employee SSNs.
If such items consistently turn up in DLP inventories, it can make the review process unwieldy, leading to report fatigue. The review team might not notice actual red-flag items in a report since the actionable items are buried in a sea of false positives. Or, the team may not spend the time to look closely, since constant false positives have caused them to stop taking the reports seriously.
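As an added illustration of this false-positive problem (example code written for this post, not a FireOak tool), the scanner below checks every SSN-shaped match against the Social Security Administration's structural rules, rates surviving hits by whether an SSN label appears nearby, and skips binary files such as photos; the keyword list and the sample export lines are constructed.

```python
import re
from dataclasses import dataclass

# Structural rules published by the Social Security Administration: area (first
# three digits) is never 000, 666 or 900-999; group (middle two) is never 00;
# serial (last four) is never 0000.
SSN_RE = re.compile(r"(?<![\w-])(\d{3})-(\d{2})-(\d{4})(?![\w-])")
CONTEXT_KEYWORDS = ("ssn", "social security", "soc sec")  # constructed label list
CONTEXT_WINDOW = 40  # characters inspected on each side of a match

@dataclass
class Finding:
    line_no: int
    value: str
    confidence: str  # "high" when an SSN label is nearby, otherwise "low"

def structurally_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject nine-digit patterns the SSA would never assign."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

def scan_text(text: str) -> list[Finding]:
    """Find SSN-shaped values, drop impossible ones, rate the rest by context."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if not structurally_valid_ssn(*m.groups()):
                continue  # serial numbers and license keys often fail here
            lo = max(0, m.start() - CONTEXT_WINDOW)
            ctx = line[lo:m.end() + CONTEXT_WINDOW].lower()
            conf = "high" if any(k in ctx for k in CONTEXT_KEYWORDS) else "low"
            findings.append(Finding(line_no, m.group(0), conf))
    return findings

def scan_file_bytes(data: bytes) -> list[Finding]:
    """Skip binary content (NUL byte in the first 8 KiB), e.g. picnic photos,
    instead of reporting random digit runs inside it; scan the rest as text."""
    if b"\x00" in data[:8192]:
        return []
    return scan_text(data.decode("utf-8", errors="replace"))

# Constructed sample export lines, not real data.
SAMPLE = """\
Employee SSN: 123-45-6789 (HR export 2023-Q2)
Serial number 900-12-3456 for the printer in room 4
License key 000-11-2222 shipped with the router
Invoice 555-10-4321 paid in full
"""
```

Running `scan_text(SAMPLE)` reports only lines 1 and 4; the "low" rating on line 4 is what a reviewer should spend time on, while the two impossible patterns never reach the report.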
Alternatively, DLP inventories can be carried out by humans. For instance, having a single staff member or a small team regularly meet with representatives of departments to conduct a manual review can be extremely effective. In this method, the InfoSec representative leads a conversation with members of the department, explains the sorts of data exports they’re looking for, and then, jointly, the group looks at spaces such as shared drives to identify any documents (reports, drafts, spreadsheets, saved copies of emails, etc.) that contain confidential information and should be removed.
Even though it is a time-consuming process, having a knowledgeable member of the InfoSec team in the room demonstrates the organization’s commitment to security, provides an opportunity for Q&A dialogue, and helps build a trusting relationship between staff members and the InfoSec program.
The best option is to use a combination of the two techniques: run scans using automated tools on a frequent, regular basis, and follow up with less-frequent face-to-face visits. Facilitating such conversations with staff complements the automated scans, reiterates the importance of InfoSec, and can lead to behavior changes that avoid replicating the same problems in the future.
FireOak Strategies Recommended Practices for Data Loss Prevention
- Run DLP inventory scans at least once a quarter.
- Have a strong Information Governance policy in place, identifying who is allowed to export what types of data, for what reasons, and under what circumstances.
- Have strong protections in place around how these types of exported files may be stored, shared, and used — for instance, can these files be stored on the hard drive of a laptop? Downloaded to a home computer? Stored on an iPad?
- Make sure your help desk staff know what to do when a device containing confidential data is reported lost or stolen.
In addition, it is critical that organizations have clearly-identified roles, responsibilities, processes, and procedures in place around the DLP scans themselves:
- Who is responsible for carrying out the DLP inventory scans?
- Who is looking at reports?
- What processes are in place for taking action on results?
- Who assigns remediation tasks?
- Who takes care of follow-up?
- How will behaviors be changed when a DLP scan uncovers improperly-stored confidential data?
Completing remediation is the hard part and is the area where most organizations fail. Conducting an inventory is only as useful as what happens after the scan and report are finished.
If your organization is serious about information security, if it has incorporated InfoSec into its culture and values, carrying out a DLP inventory should be an important component of your overall InfoSec strategy.