Corporations invest huge amounts of money and effort into safeguarding trade secrets and other pieces of intellectual property. They screen and interview potential employees carefully, draw up strict NDAs to protect data and create elaborate and arcane rules to control access.
But often, they neglect the most important control — their data loss protection program. Many companies treat DLP as a set-and-forget tool and nothing more. This approach isn’t completely useless — a properly-configured data loss protection tool can catch some confidential data, like Social Security numbers.
How Does Data Loss Protection Work?
Data loss protection software looks for patterns, and uses those patterns to trigger rules Virtru DLP can automatically:
These actions prevent costly mistakes, provide retraining and allow managers to identify workers in need of extra help.
Data loss protection software is great at recognizing data that follows predictable patterns, and triggering rules to mitigate risks that data poses. For example, all email addresses all follow the same pattern: [name] @ [domain]. Therefore, when data loss protection software sees something like firstname.lastname@example.org, it can recognize that it’s looking at an email address.
Virtru DLP can be configured to detect an entire domain or a particular email address. For example, you can set rules that strip attachments from emails sent outside your organization’s domain in order to lessen the chance of an IP breach, or to always encrypt emails sent to a certain address.
Similarly, data loss protection can look at a code like 123-45-6789 and recognize that it’s probably a Social Security number. HIPAA email rules and other DLP compliance rules often use these kinds of patterns to stop workers from improperly sharing personal information.
Virtru Data Loss Protection can also recognize how the sender is using the messaging protocol — for example, whether the sender has enabled email encryption or added attachments. Data loss protection rules can look at just the To, CC or BCC field, or look at multiple fields with a particular rule. This allows you to supervise workers by BCC’ing an administrator on messages that contain potentially sensitive information.
Organizations can even use data loss protection solutions to look for vocabulary that indicates risky employee behavior. For example, some financial institutions scan emails for phrases like “a sure bet,” “didn’t authorize the sale” or “report the matter to the SEC” that might indicate misconduct, customer anger or legal threats. Data loss protection for IP protection might focus on words like “confidential,” “account” or industry-specific words.
Limits of Traditional Data Loss Protection Solutions
Although data loss protection software can recognize patterns, it can’t automatically recognize sensitive information as such. A sender could conceivably compromise enterprise data security — for example, by discussing a classified project with an unauthorized client — without using any of the words or patterns the software is looking for.
Administrative errors and simple lack of experience can also factor in. Admins can leave out or misconfigure vital rules, creating blind spots in the data loss protection software. Paradoxically, admins can sometimes undermine DLP software by trying to do too much at once. It the admin tries to address every single possible risk, they can end up generating false positives.
Over time, users can get used to clicking through warning messages. Like The Boy Who Cried Wolf, users won’t believe the warnings from the DLP software anymore. When there really is an email that breaches internal data loss protection policy, they’ll just keep clicking.
Overzealous data loss protection can also be a problem for supervisors. If you’re always being alerted about warning messages, or BCC’d on suspicious emails by the data loss protection program, you may start to miss the real insider threats.
However, the biggest limit of traditional data loss protection solutions is its inability to control the data once it’s outside of your organization.
Complete Data Loss Protection — Security Beyond Your Inbox
Most data loss protection solutions stop when you hit “send.” Recipients can respond to a sensitive message with an unencrypted email, putting trade secrets or other important data at risk. They can also forward it to an unauthorized party, alter it, download it and leave it sitting somewhere on a memory stick — in short, there are probably a million different risks that traditional DLP software can’t address.
Historically, organizations have been forced to do the best they can with the tools they have. The organization drafts a DLP security policy, backs it up with software and — at least in theory — trains employees to not breach security. This is often reinforced by a legal strategy, using tools like business associate agreements, customer notifications and disclaimers.
Organizations often try to address the risk on the recipient’s end with secure client portals, but the results are rarely completely successful. Customers usually won’t touch them, and senders often forget to switch over from email before sending a sensitive message, leaving it unencrypted.
Virtru Pro provides a complete set of tools that transcend these traditional limits, for a complete data loss protection solution. The Trusted Data Format (TDF) allows you to control access to your data, wherever it goes, using a set of access policies that travel with your encrypted email. When the recipient tries to open the email, Virtru confirms their identity and checks whether they’re allowed to decrypt it before providing the key. This allows the sender to rescind access at any time (even after the recipient has read the email), set time limits or even disable email forwarding. They never lose the ability to control the email.
Virtru also provides read receipts — a complete record of who has read your secure emails and attachments. This aids remediation if confidential information is shared inappropriately. For example, if you accidentally send a classified internal document to the wrong recipient but recall the email before they open it, read receipts will prove that it hasn’t been compromised, averting mandatory notification laws. Combined with effective policies and thorough training, these tools can lead to a highly effective data loss protection program.
Creating a Data Loss Protection Policy That Protects Trade Secrets
1. Threat Modeling
To create a successful data loss protection program, you need to understand what dangers you’re trying to avert. Brainstorm scenarios in which a hacker, insider or business partner could compromise trade secrets. Then, evaluate each scenario for its likelihood, and the severity of the impact.
You may want to rate both these factors on a scale from 1 to 10, then multiply the results to calculate total risk — this can help you prioritize the most important remediation tasks. However, you should also account for qualitative factors. Understand what you would lose, who would get it and what the consequences would be.
Don’t forget risks posed by partners, contractors and others who are not under your direct control. What would happen if a client’s email was hacked, or a cyber-criminal infiltrated a partner’s network? The more thoroughly you explore risk scenarios, the more effectively you’ll be able to tailor your data loss protection policy.
In many cases, it can be helpful to take an iterative approach to data loss protection. For example, if you’re going through a merger, you might want to focus on the people and data involved. You’ll be able to refine your strategy, and expand it in stages.
2. Data Classification and Tagging
You’ll need to inventory all of your data (or at least all of the data involved in the current stage). Identify the type of data, who has access to it, where it is stored, and what risks (if any) it poses. Don’t forget to look for secondary copies.
For example, if your recipients are emailing sensitive files back and forth to collaborate internally or to share them with clients, there may be multiple copies. The same goes if they’re using file sharing apps like Dropbox or Google Drive along with non-cloud tools, you’ll have multiple copies to account for. Similarly, if you have loose technology policy enforcement or BYOD, workers may have 3rd party apps that you’re unaware of.
3. Building Security Policies
Now, create rules to mitigate the risks you’ve identified. Start with the data. Who should have access to it, what should they be able to do with it, and how should it be protected?
Use the principle of least privilege as your guide. Each worker should ideally have access to enough data to do their job and no more. Certain trade secrets, such as merger plans or new designs, should be restricted to a few key individuals. Other secrets, such as business practices, may have to be shared with a larger pool. Creating several levels of access will reduce the risk of breach — both from insider threats and outside actors.
Next, create data loss protection policies for workers. Under what circumstances should they be allowed to access trade secrets? Who should they share it with, and what measures (for example, encryption) should be used to protect it? Don’t forget partners and clients. What data protection practices are necessary for them? BYOD security is also an important consideration, as mobile devices can pose additional risks.
4. Adopting Technology to Enforce Data Loss Protection
Technology is where many data loss protection strategies fail. It’s not enough for your email and file encryption tools to be strong — they also need to enforce data loss protection policy, and be user-friendly enough for your workers, partners and clients to use.
For most companies, the best secure email service should be able to encrypt communication with any recipient — even those who have never used encryption. Recipients should be able to receive encrypted emails with minimal effort or technical know-how. Unfortunately, nearly all encryption services require both parties to install the same software before they can communicate securely, and many require users to configure settings, and create and manage their own keys — a complex and potentially risky process.
Virtru secure email is the only email encryption app that allows anyone with an email address to receive emails, download attachments, and securely respond with their own emails and attachments without any installation. Virtru encrypts with a single click, and handles encryption key management and other tasks for the user.
Virtru Pro comes with enhanced email functionality, including the access control features discussed above, and Virtru DLP. Virtru Pro also includes the ability to use PDF watermarks, which aids in data loss protection policy enforcement. When you activate the watermark function, the PDF is marked with the email address of the recipient, allowing you to identify the guilty party in the event of a leak.
Additionally, the watermarked PDF can only be read in the Virtru Secure Reader — not downloaded locally — so they can’t be saved to disk or edited to remove the watermark. PDF watermarking also protects documents by preventing the recipient of a forwarded PDF from forwarding it a second time, limiting the reach of the document. Users also have the option of disabling PDF forwarding entirely, as with any email.
5. Training and supervision
Your data loss protection program is only as good as your institutional buy-in and follow-through. It’s crucial everyone, from entry-level workers to the CEO, is trained regularly and consistently in data loss protection best practices.
You also need to elicit feedback and take it seriously. You’ll probably have to tweak data loss protection rules to eliminate false positives, and you may have to draft new rules to mitigate risks you haven’t considered. Change management can be another challenge. Workers will leave the organization, and others will be assigned new roles where they have heightened access to trade secrets. You need to make sure to address these changes on an ongoing basis.
Data Loss Protection is More Than a Security Fence
There are plenty of DLP tools that can spot a credit card number, but safeguarding trade secrets is a bigger challenge. True data loss protection solutions require a strategic combination of good policy, innovative software and thorough training. Use these resources to help you get started in developing your DLP program: