
Sebastian Joseph

"One might have the best of DLP solutions but the success factor depends on early buy-in from the management"

Building an effective DLP program

Preamble
Thanks to BYOD, enterprises are becoming increasingly mobile, with users accessing corporate data from anywhere, at any time and on any device. This offers enterprises significant productivity benefits but also increases the risk of data loss, which could prove catastrophic. To mitigate this risk, an enterprise needs a practical Data Loss Prevention (DLP) strategy in place.

Following are the key elements of implementing a multi-layer DLP strategy:
1. Content monitoring at data exit points to prevent data loss through portable storage devices, emails, etc.
2. Encrypting data both at rest and in transit to ensure confidentiality in case of loss.
3. End-user policy compliance.
4. Management buy-in.
5. End-user education.

Content monitoring at data exit points
Within the organization’s IT infrastructure, data can leave through a number of exit points. Organizations should assess and prioritize the data loss risk at each exit point and, based on that ranking, identify a DLP solution that helps mitigate those risks. It is advisable to look at a comprehensive DLP solution rather than separate point solutions for individual exit points.
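The kind of check a content monitor applies at an exit point such as outbound email is sketched below as an added example (not the article's own code): candidate payment card numbers are detected by pattern, confirmed with the Luhn checksum to weed out random digit runs, masked before logging, and mapped to an allow/alert/block decision. The pattern, the threshold and the sample message body are constructed for illustration.

```python
"""Added example: minimal DLP content inspection for an outbound message.
Patterns, threshold and sample data are constructed, not taken from any product."""
import re
from dataclasses import dataclass

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Constructed policy: one confirmed PAN raises an alert, several block the transfer.
BLOCK_THRESHOLD = 3


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; drops digit runs (order numbers, IDs) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the last four digits so the alert log does not itself leak data."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Finding:
    masked: str   # masked PAN suitable for an incident record
    offset: int   # position in the inspected text, for the analyst


def inspect(text: str) -> tuple[str, list[Finding]]:
    """Return (action, findings); action is 'allow', 'alert' or 'block'."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding(mask(digits), m.start()))
    if not findings:
        return "allow", findings
    return ("block" if len(findings) >= BLOCK_THRESHOLD else "alert"), findings


if __name__ == "__main__":
    # Constructed outbound message body using well-known test card numbers.
    body = ("Customer list attached. Cards: 4111 1111 1111 1111, "
            "5500-0000-0000-0004, 3400 0000 0000 009.")
    print(inspect(body))
```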

Encryption
With increased device mobility, the chances of misplacing or losing devices are high. The data contained on a lost device could fall into the wrong hands; this risk can be mitigated by having the right data encryption solutions in place.

End-user policy compliance
Controlling what end users can do on their computers is one of the easiest and most effective ways to reduce the risk of data loss. Following are three main areas to focus on:
• Storage devices and network interfaces: Manage the use of connected devices (for example: thumb drives, external hard disks and smartphones).
• Applications: Manage the use of applications (for example: file sharing, online storage, remote access, IM clients, web browsers).
• Web filtering: Filter the websites that are accessible to users (for example: web-based email, hosted IM).

Management buy-in
One might have the best of DLP solutions, but the success factor depends on early buy-in from the management. A one-slide summary explaining the risk framework would help in getting the management buy-in.

End-user Education and Training
User training should be a critical component of one’s DLP strategy. Before getting into end-user education, it is important that guidelines are prepared in the form of acceptable use policies. The user training objective should be two-fold: to manage concerns and, more importantly, to ensure that all employees are aware of the new policies and are active participants in helping the organization protect its data.

Whether in person or online, user training may help to reduce suspicion or negative reactions, perhaps as part of more general training about data security. Once users are aware of what is expected of them, you can hold them accountable should an investigation prove them at fault for poor security practices.