Preventing Data Leakage

Stop information flowing out of your organization


Information is the lifeblood of any modern organization. So how can you ensure it flows freely while avoiding embarrassing and damaging data loss?

Leaders and managers are constantly looking for ways to use knowledge to gain a competitive advantage in the information age. Yet while encouraging the free movement of information, they should also be on constant guard against data being lost or stolen. Remember, just as organizations vigilantly protect their physical assets, they should also adopt a holistic approach to keeping data safe.

Step 1: Create a framework to prevent leaks

Adopting such a framework is part of a wider change in an organization's culture, where information is acknowledged to be the vital strategic asset it emphatically is. To address data leakage, you should therefore consider the following:

People: Identify when and where people come into contact with information as it flows around your organization. Then you'll be able to highlight the need for security at those connection points. It's also vital to confirm who 'owns' the data and make them fully accountable for, and aware of, their responsibilities.

Processes: Understand the times and points where data is most likely to be leaked. It could be during a system upgrade or transaction, or when an employee leaves. Look at all the controls put in place to protect data and, in addition, set up a procedure to deal with any violations. You should understand in detail the end-to-end flow of information, from the point at which it enters the organization to where it's stored, processed, transferred and ultimately destroyed. This can help you secure the points at which employees can access data.

Physical infrastructure: Make use of appropriate technology to protect your information. You should also restrict physical access to equipment, prevent eavesdropping and safeguard media such as laptops and memory sticks.

Step 2: Put a protective blanket around your organization

Any leakage prevention system should be flexible enough to cope with structural changes, such as mergers, acquisitions and disposals. It should also be able to adapt to higher levels of security prompted by marketplace threats or new legislation.

Know what you own: By identifying all the information within your organization - and where it's located - you can build a comprehensive inventory. You should take particular care of your most valuable data, confirming who can access it and where you'll permit it to be transferred.

Put a value on information: Although such a process cannot be completely precise, it is vital to estimate the real value of data - and therefore the cost to your organization if it is compromised.

Control access: Whether it's physical hardware or information systems, it is essential that only authorized individuals are permitted access to it. Make sure you spot any weak points and tighten them up.

Rules, rules, rules: There should be a set of clear and unambiguous rules and procedures to prevent activities that pose a risk to your information. They should be consistent across the organization, have the full support of management and be clearly communicated through awareness programs.

Monitoring and responding to incidents: Use a system that monitors and instantly flags up attempted or actual violations. Once an incident has taken place, there should be a procedure for responding quickly to limit any damage. Ensure lessons are learned and used to continually improve incident management procedures.

Step 3: Aim for continuous improvement

The expectations of any program should reflect, realistically, the existing and aspired level of security. We believe there are five levels to aspire to, level 1 being the most basic:

Level 1 - Informal: You know you're not protecting information adequately and are doing little about it. Any awareness of leakage has probably been caused by specific incidents of data loss or unauthorized access.

Level 2 - Planned and tracked: At this level, you're able to address some of your data leakage issues, but not until some time after they have occurred. Critically, you're unable to address the root causes of problems or, indeed, predict when they may occur in the future. When issues do arise, you will often need to call for external help.

Level 3 - Well-defined: Your organization can stop leaks before they occur by addressing the root cause of any potential problem. And as you continually monitor data quality, you can quickly resolve incidents.

Level 4 - Controlled: With a mature set of information management practices, you proactively identify and deal with any issues. What's more, leakage prevention has become an integral part of your technology strategy.

Level 5 - Continuous Improvement: At this highest level, the management of information is treated as a core competency influencing all parts of the organization. Any data leakage is resolved at source, and the organization is always looking for ways to refine and improve its security systems.

As with any major change program, preventing data leaks calls for strong, high-profile leadership from the top, a mandate clearly communicated to all staff and full commitment across the organization. Identifying your most critical information assets is a fundamental first step. Then only a combination of measures covering business processes, technology and people can allow for information to be adequately managed and protected.

 

By John Hermans (hermans.john@kpmg.nl) & Hans de Jong (dejong.hans@kpmg.nl), KPMG in the Netherlands