ITBusiness.ca

Four ways SMBs can prevent data loss without breaking the bank

Protecting essential information such as intellectual property and customer data is critical for businesses of all sizes. When one considers the financial and legal ramifications resulting from a data breach, it’s clear that even smaller organizations can’t afford to forgo data loss prevention (DLP) solutions.

But some critics erroneously claim that DLP solutions are too difficult or expensive for small and medium-sized businesses (SMBs). Much of the confusion and expense in deploying DLP is the result of a flawed approach.

The key to a successful implementation of a DLP solution for an SMB is to do it right the first time. This article examines the steps to achieving a successful DLP solution implementation for small and medium-sized businesses.

Many SMBs deal with the same regulatory compliance demands as large enterprises, such as the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI) standards, Sarbanes-Oxley compliance, and state laws governing the protection of individuals’ personally identifiable information (PII) – and the list gets longer each year.

Couple these mounting compliance requirements with the fact that employees are increasingly mobile: connecting to the network via PDAs and BlackBerrys, carrying laptops to the local coffee shop, and using unsecured wireless Internet connections. Employees even copy company data to USB drives and iTouches, which can easily be lost or stolen, to review while off-site. All of these common business practices can increase the risk of a data breach.

Though small to midsize organizations may think they lack the financial or technology resources to implement a full-scale DLP rollout, deploying an effective DLP solution to protect essential information at a manageable cost of ownership can be easy if they follow these four key steps:

Four Steps for Data Loss Prevention at Midsize Organizations

Step 1: Determine how important data loss prevention is in comparison to other security concerns by asking the following questions: 

These are just a few questions that should be asked to understand how important data loss is to an organization.

Step 2: Define what data is deemed sensitive

Once data protection is deemed a priority, the second step is to define what exactly constitutes sensitive data for the business. The definition of sensitive information can vary greatly across industries and organizations.

It can include customer lists, company financial data, trade secrets, marketing plans, employees’ personal information and more. Protecting information will not be the same for a local credit union as at a mid-size retail chain.

Therefore, it’s critical that organizations review all functional areas including legal, finance, human resources, marketing and others to help identify sensitive information. 

Step 3: Determine where the primary point of data control should be: at the endpoint, the network or data discovery – or a combination.

Now comes the time to consider what type of DLP solution is right for the organization. There are various offerings available today, promoting many different approaches to data protection. One way to narrow the list is to determine where the primary point of data control should be: at the endpoint, the network or data discovery – or a combination.

For many businesses, the appeal of endpoint technologies is the ability to protect intellectual property from theft or unauthorized dissemination – such as preventing someone from downloading the customer list onto a USB drive and walking out the front door.

In contrast, the value of network and discovery solutions lies in monitoring how information is used within the organization so management can identify and correct faulty business processes, prevent accidental disclosures of sensitive data, and provide reports demonstrating compliance during audits.

A network-based approach is the most common starting point and often the easiest to integrate with existing network security technologies. Many midsize businesses choose to begin with just data discovery to understand where their sensitive data exists and determine their level of risk.     

Step 4: Select the right DLP solution

Once it’s decided whether to begin on the network, endpoints or data discovery, the final step requires researching and evaluating competing solutions. Take advantage of the readily available research in published analyst reports to identify viable vendors and understand product capabilities.

Here are key criteria to consider when evaluating technologies:

Ultimately, every organization – irrespective of size – must protect the information that is essential to its business.

A single data breach can have lasting repercussions. The good news is that even midsize organizations can affordably mitigate the risk of a data breach with the right combination of data protection policies and data loss prevention technology.

David Meizlik and Stephen Brunetto are product managers for Data Security Solutions at Websense | DLP – Blog www.ondlp.com
