Companies that need to comply with privacy laws like HIPAA, PCI, GLBA, etc. need to worry about data loss prevention tools.
“Data loss prevention” typically refers to preventing employees from deliberately stealing or accidentally leaking sensitive data.
The typical stack to data loss prevention tools include:
Software vendors sell a suite of products that can accomplish these goals — simply search for “data loss prevention magic quadrant″ and you’ll see leading vendors like Symantec, McAfee, RSA, and more.
But what if these products aren’t in the budget? Are you out of luck, and at risk of a security breach?
Consider these alternatives as a way to implement data loss prevention on the cheap:
A network admin colleague highly recommends a product called IntelliAdmin. IntelliAdmin lets you remotely change the registry of Windows computers you administer, and block the use of USB flash drives.
Of course, you’ll have people who have a legitimate reason to use USB devices, but you can manage this through an exception process. The more expensive products give you better options for managing USB devices, such as restricting a single USB drive so it only works with a single computer. But since we’re aiming for cheap, this inexpensive product gives you a perfectly functional On/Off switch.
The aforementioned Intelliadmin can also restrict users so they can’t burn files to CD and DVD drives. Again, locking down all CD and DVD drive burning isn’t the most elegant solution, but it works, and it’s cheap.
Microsoft makes it easy to start logging the name, user, time, size, and number of pages of every file that’s printed. You could turn it on right now if you wanted to do so.
What’s not free is actually doing something with that data. To make meaning out of the data, you need to be collecting these logs and using a SIEM tool (e.g., Splunk, SolarWind, ArcSight) to review the logs and to watch for anomalies. Feel free to call us at 888-646-1616 if you need help setting up your SIEM tool.
Everyone’s been getting into the DLP game. Microsoft just added DLP functionality to their Microsoft365 suite as a free feature. McAfee offers it as an add-on service to customers of the former MXLogic company that they acquired.
It’s a great idea to have automated monitoring in place for your outbound email, mainly so you can have that extra level of assurance that no one is accidentally sending around files chock full of social security numbers, bank account numbers, or medical diagnoses.
Call your email provider and see what kind of add-ons they have for monitoring outbound email for sensitive data. You’ll probably be surprised by how inexpensive it’s become.
Most companies take the approach of using a web filtering service (like WebSense) to block the use of websites that are used for personal email, file sharing, or generally inappropriate activity. In our experience, these tools punish the good people and do remarkably little to actually stop someone who really wants to steal data.
Another approach which is both more humane and less expensive is “trust but verify.” Assuming that your company is using a proxy server or DNS server that has logging turned on, you already have a rich data source that shows you exactly what sites your employees are visiting. Collect these logs into your SIEM tool, and then review them.
Before you take the draconian step of locking down sites, you first want to understand what sites employees are using. Then, have a conversation and write policies about what is and isn’t appropriate, and confront people who violate the policy. It’s common knowledge amongst the security community that the perception of detection can be even more effective than outright blocking.
Want to protect your business from hackers and insiders? Want to make sure you're doing the right things for HIPAA compliance? Talk with an Adelia Risk consultant to learn more.
Have questions or feedback? Please share them in the comments below!
Like this article? Share it!
Only Microsoft365 E3 and E5 suite provide DLP. The Proplus does not