
DLP useless when companies fail to classify data

By Ron Condon, UK Bureau Chief
29 Oct 2008 | SearchSecurity.co.uk


British companies are still failing to take simple steps to protect sensitive data – mainly because they have still not worked out which of their information should be protected and who should have access.

A poll of 250 companies by security firm Integralis AG probed attitudes to information asset management, and found that only 38 per cent – after being given a series of choices – defined part of information asset management as "ensuring that users are only able to access the bare minimum of information they are authorized to see and use." Most of the professionals surveyed felt their role was merely to structure information storage correctly and ensure smooth transfer of data.

The survey confirmed what many consultants at Integralis had suspected, as managing director Graham Jones explains: "We had been approached by several vendors of DLP (data leakage prevention) products, but when I mentioned this to my consultants, they burst out laughing. 'What are companies going to protect?' they asked. [DLP products] can protect data with credit card numbers in it or anything that is tagged as confidential, but they said that most companies don't have any policy for managing their information assets."

The impression was backed up by other experts. Jamie Cowper, European head of marketing for encryption company PGP Corp., said: "Parts of government have done a good job on data classification, but most companies have not done any at all."

He said some companies were now tackling the problem by enforcing encryption in certain applications, or by file type; for instance, a spreadsheet could always be encrypted as a matter of policy. In other cases, Cowper said encryption was turned on automatically for anything generated by an individual user or a department.

But he admitted that most encryption purchases are prompted by events, such as a high-profile data loss, and are often bought by a department for its own needs, a decision which can lead to companies having several encryption systems and keys to manage.

"Encryption is the easy part, but you need to be sure you can decrypt it, too. Good key management and policies are essential," added Cowper. "You must have centralised management of the keys – if you need to keep information for many years, you may need to re-encrypt and move to different media types."

Alaa Owaineh, a security analyst at research firm Datamonitor plc, said most companies tend not to get round to classifying data, or implementing any kind of role-based access control. "The effort involved is huge, and the few deployments of role-based access control have not really achieved very much," he said. "There is no established best practice, and nobody really knows how to do it."

He described DLP as a "kneejerk reaction" to a problem that had not been properly analysed.

The consequences of failing to classify data, and control who accesses it, are magnified by the proliferation of mobile devices. A recent survey by database technology provider Sybase Inc. found that 80 per cent of business mobile devices contain potentially sensitive business information, but only 26 per cent of companies deployed any form of encryption.

"In most cases, organisations leave it to users to undertake security tasks on their mobile data," said Mike Oliver, a marketing director for Sybase. "You can't leave it to users to ensure security, it's not their job."

* A separate survey by nCipher (recently acquired by Thales Group) found that even when encryption is implemented, many organisations fail to encrypt back-up tapes. Bryta Schulz, VP marketing for Thales Information Systems Security, said tapes were often left unencrypted deliberately, so that if encryption keys were lost, companies could at least access the backups.
