Brand Concerns Influence DLP Adoption
By Tabrez Khan
Mumbai, Jul 31, 2008

Data Loss Prevention (DLP) has been a buzzword for companies, ever since five of the companies reported biggest instances of data breach in business history. Indian enterprises are adopting DLP more for protecting their brand image and IP than for regulatory compliance concerns that weigh heavily on their western counterparts.

"Indian enterprises are more focused on data protection than traditional perimeter security, when compared with their western counterparts," said Sivarama Krishnan, executive director of consulting firm Pricewaterhouse Coopers. While globally there are many regulatory clauses like SOX, HIPAA etc that force companies to adopt DLP, in the Indian context reasons for adoption are more due to competitive pressures.

"Brand image or reputation is a key influencer as companies want to convey to their customers that they care for their data. Secondly companies, especially in the pharma and BFSI sectors want to protect their intellectual property from rivals. Compliance issues really are more marginal influencers for Indian enterprises so far as DLP adoption is concerned," he said.

According to a Ponemon Institute study in the US, the average cost of a single data breach for companies is more than $6.3 million. While, the comparable figure for the Indian market is not available, data loss is even more of a problem for Indian enterprises, Krishnan said.

In an open business environment, where collaboration is a key business enabler, it may be unwise to clamp down on data sharing; but sensitive data protection is equally the key. According to Steve Roop, senior director, DLP of Symantec, a DLP solution is meant to answer three key questions, "Do you know where your sensitive data is stored, in what way employees are using it, and how can an organization best protect its critical data?"

The biggest reason for the cause of data loss or leakage is a Broken Business Processes (BBP). A lot of security measures are installed on the network and the endpoint at the systems level.But sharing of data with third parties through CDs, thumb drives or through email etc may negate all that. So the business processes have essentially been broken. "Almost 50% or half of data loss can be attributed to BBP, while 46% is inadvertent data loss due to employee carelessness such as data loss due to e-mail transfers. Less than four percent of data loss is truly malicious," said he.

In the end, Symantec enlists three best practices that enterprises can follow to prevent DLP.

Pick Five things that you ought to protect the most: Data Loss Prevention is really about prioritizing what information is most critical to you. Keep it focused, and pick five things that are top priority.

Don't find more problems in a week than you can fix in a week!: At the start of any DLP implementation, there may be a 1000 data loss incidents, but CIOs need to focus on a few most crucial ones that could have the most bearing on business.

"Trying to deal with a thousand events may bog you down, so you ought to be extremely focused," said Roop.

Change employee behavior: Involve employees and business partners in DLP and try to change their behavior on data usage. This will also help identify which department is involved in the most risky data loss behavior and corrective measures can be taken.


Related Links:

Data Integrity - A Must for Enterprises