Edward Snowden and Reality Winner grabbed headlines for leaking sensitive information from agencies, but they’re only the most visible examples of data theft. Agency leaders see these high-profile cases as evidence they must dedicate time and attention to insider threats. In a recent Symantec survey, 85 percent of federal IT managers say they are more focused on the insider threat than one year ago. In addition, 86 percent say they now run a formal insider threat prevention program, up from 55 percent in 2015.
Data loss prevention (DLP) technology addresses this problem. The same Symantec survey shows that agencies that have not lost information to an insider are twice as likely to have deployed DLP technology as those agencies that were victims. The DLP platform protects sensitive information from malicious or inadvertent disclosure. A carefully designed rollout plan can provide these security benefits with minimal disruption to agency business.
Here are three tips to ease the introduction of DLP systems.
1. Test DLP Tools in a 'Monitor-Only' Mode First
DLP platforms offer features that allow for the real-time interception of email and the ability to block file transfers. These actions are designed to obstruct, rather than just report, the loss of sensitive information.
However, this technology can also disrupt normal business activity if it is deployed without testing. IT teams should resist the temptation to immediately deploy a DLP system with blocking rules and should instead run it for a short period in monitor-only mode.
This gives the security team time to investigate traffic the system could block and an opportunity to fine-tune the system to avoid false alarms.
2. Make Sure Cloud Services Are Covered by DLP Solutions
Traditional DLP systems monitor outbound traffic on the network for sensitive information. This approach can avert many types of data loss, but it doesn’t work well for cloud services.
For example, if an agency is using cloud-based email or document storage, employees can disclose data with a few keystrokes inside the cloud service interface. That information never crosses the network, and therefore is never accessible to a DLP system.
Fortunately, many cloud service providers now offer DLP solutions, either as a feature of their existing product or as a third-party offering. These cloud-native solutions understand the service’s security settings and can detect public document shares, filter cloud-based email and take other defensive measures inside cloud services.
3. Label Sensitive Data Appropriately to Protect It
Agencies understand classification and labeling. However, DLP systems can detect sensitive information only when staff tell those applications the format in which the data appears.
IT leaders should make sure the DLP system is configured to spot the patterns common to sensitive information in an agency.
Right out of the box, DLP systems understand some elements related to personally identifiable information — such as Social Security numbers — but agencies need to configure systems to recognize the patterns of the most valuable data they use internally.
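The monitor-only rollout from tip 1 and the agency-specific patterns from tip 3 can be sketched together. This is an added Python example, not code from the article or from any DLP product; the case-number format, the marking pattern, the addresses and the sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass

# SSN with dashes, excluding area 000/666/9xx, group 00 and serial 0000 (never issued).
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Hypothetical agency case number (constructed format, an assumption).
CASE_ID = re.compile(r"\bCASE-\d{4}-[A-Z]{2}\d{6}\b")
# Assumed document marking with at least one category, e.g. CUI//SP-PRVCY.
MARKING = re.compile(r"\bCUI(?://[A-Z-]+)+\b")
RULES = {"ssn": SSN, "case_id": CASE_ID, "marking": MARKING}

@dataclass
class Verdict:
    action: str  # "allow", "alert" (monitor-only hit) or "block"
    hits: dict   # rule name -> number of matches

def inspect(message: str, enforce: bool = False) -> Verdict:
    """Apply every rule; only block when enforcement is switched on."""
    counts = {name: len(rx.findall(message)) for name, rx in RULES.items()}
    hits = {name: n for name, n in counts.items() if n}
    if not hits:
        return Verdict("allow", {})
    return Verdict("block" if enforce else "alert", hits)

SAMPLES = [  # constructed outbound messages: (sender, body)
    ("hr@agency.example", "Employee SSN 123-45-6789 attached for benefits."),
    ("it@agency.example", "Ticket ref 000-12-3456 is a part number, not an SSN."),
    ("analyst@agency.example", "Forwarding CASE-2024-AB123456 to my personal mail."),
    ("pao@agency.example", "Press release draft, cleared for public release."),
    ("legal@agency.example", "CUI//SP-PRVCY memo follows."),
]

def would_block_report(samples):
    """Monitor-only pass: list what enforcement would stop, for tuning review."""
    report = []
    for sender, body in samples:
        verdict = inspect(body, enforce=False)
        if verdict.action == "alert":
            report.append((sender, sorted(verdict.hits)))
    return report

if __name__ == "__main__":
    for sender, rules in would_block_report(SAMPLES):
        print(f"would block: {sender} matched {rules}")
```

Reviewing the report before setting `enforce=True` is the tuning step: each entry is either a real disclosure path or a rule that needs tightening.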