Data loss prevention (DLP) is going to become even more important now that BYOD policies are taking over. It is important to understand what steps need to be taken and what considerations need to be made in order to protect your organization and its brand. We have touched on this subject before, but its importance continues to rise.
The average total cost for a data breach through 2013 was $5.4 million, which equates to about $188 per record. Those numbers rank the US #1 in average total cost and #2 in cost per record worldwide, according to the Ponemon Institute.
The loss of data, or personally identifiable information (PII), has far-reaching effects. Once a breach has occurred, your security and privacy policies will face intense scrutiny from the press, your customers, and auditors. This will surely damage your brand and cause your customers to lose faith in your business. According to Ponemon, the largest contributor to the average total cost of a breach is lost business, which accounts for over half (56%!) of that figure.
Organizations in retail, healthcare, and financial services also have a laundry list of compliance requirements that must be met in regard to PII (SOX, HIPAA and Gramm-Leach-Bliley, to name a few). Lack of compliance before, during, or after a breach will also result in hefty fines and ongoing scrutiny of the aforementioned policies.
Of the DLP basics that I have researched, all of them mention having a multi-layered approach. Within those layers they mention one or more of the following:
- Understanding of industry and government regulations: This means adhering to the requirements set by HIPAA, SOX, PCI DSS, Gramm-Leach-Bliley and others.
- Assigning responsibility: We have mentioned this before and it remains true across the board. Everyone in your organization needs to understand their role in DLP, and who is ultimately held responsible. In most cases that would be the CIO, CSO, CISO, etc.
- Policies that identify sensitive data and remediation actions: If an internal user is attempting to move or send sensitive data, there need to be controls in place to block, encrypt, or authorize that transaction. All of these transactions must be logged and reviewed as part of the process.
- User education: All users that have access to sensitive data need to be up to speed on the policies put in place by the organization and understand their importance. While they will not ultimately be held responsible, there will most certainly be repercussions.
However, the one aspect that I rarely see mentioned when talking about DLP is data at rest and end-of-life IT asset retirement. It is important to control and monitor data while it is on the network, but where does all of that data go once the devices it is on are retired?
Having a comprehensive destruction/retirement plan for data at rest and for IT assets is very important. The costs of a data breach do not discriminate. It doesn't matter whether the data was stolen by hackers, lost by an employee, or otherwise exposed; the costs will be the same. Why spend most of your budget on network security when you aren't protecting the data at the end of a device's life?
Consider this: an onsite data destruction and IT asset vendor can potentially save you millions just by wiping your drives onsite and properly removing and disposing of your retired IT assets. They should also have the ability to provide your organization with full indemnification from a data breach at the end-of-life point. Not only does this provide you peace of mind, but it could lead to reduced insurance and liability costs; think of it like the safe-driving reward that car insurance companies offer.
Do not overlook this aspect of your assets' life cycle. Just because those assets are of no use to the organization anymore does not mean they cannot cost your organization millions in fines, fees, and lost business. Contact us today for a risk evaluation by clicking below.