In information security, structured data is comparatively straightforward to protect: it lives in known systems with a known schema, and access to it can be controlled at the database. It’s the unstructured data — emails, files, shared documents, messages sent via apps like Zendesk — that can be especially tricky to manage.
In the quest to protect that unwieldy data, many security leaders might find themselves constantly tinkering with DLP (data loss prevention) rules and fielding complaints from employees when excessive encryption starts to hinder collaboration.
There’s a time and a place for encryption, and at Virtru, we help our customers use it for the right data, in the right contexts, at the right time. Here are some tips for striking the right balance.
Unstructured data is any information that is not stored in a structured database. Whereas structured data is clearly labeled and categorized in defined rows and columns, unstructured data encompasses… basically everything else: files, documents, emails, images, messages, streaming video, and so forth.
By definition, unstructured data doesn’t follow a set format, pattern, or cadence. It can be anything, shared by anyone in your organization, with internal or external partners. And that can make it exceptionally tricky for security leaders to get a clear picture of exactly what’s being shared, when, and with whom.
When all of your employees have access to sensitive information, and they collaborate internally and externally all day every day, you suddenly have a big surface area of risk. Even well-intentioned employees make mistakes, and when those employees can access sensitive company data, the risk of a breach is high.
Data Loss Prevention (DLP) tools are valuable for security leaders, because they can detect sensitive data in motion and either stop it from leaving your organization, or, in the case of Virtru, automatically encrypt the data being shared, so that it remains under your control at all times.
An advantage of server-side DLP (for example, a rule set applied at the mail gateway) is that users don’t have to do anything different when they send an email: the rules inspect the message in transit, catch sensitive data automatically, and make sure it doesn’t leave unprotected.
However, traditional DLP can be complex: Some security leaders know all too well the eternal struggle of dialing in your regex rules to strike just the right balance of security, without impeding the day-to-day operations of the business. When your DLP rules are too lax, you run the risk of a data breach. When DLP rules are too strict, you put unnecessary roadblocks in your team’s way — and you’ll probably hear a lot of complaining.
Regular Expressions (or regex) allow you to customize your DLP rules around certain keywords or data formats. Regex is ideal in environments where data-sharing is somewhat predictable: A healthcare practice, for example, likely has a limited range of content that is shared. That content probably includes health information, health records, and paperwork.
With regex rules, you can detect things like a file name with the word “record” or the format of a social security number or insurance policy number. Keep in mind that a format match alone is a weak signal: a nine-digit number in the shape of an SSN may just as easily be an order or ticket number, so rules that only check shape tend to over-trigger. Pairing the format with a validation step (a Luhn checksum for payment card numbers, or rejecting SSN values that fall outside the ranges that are ever issued) and with context keywords keeps the false-positive rate manageable. In a healthcare scenario, you are probably less concerned about over-encryption: When HIPAA compliance is involved, you want to err on the side of caution, and more encryption is generally better than less.
Virtru offers customizable DLP rules to complement our client-side email and file encryption plugins, as well as for our server-side Data Protection Gateway. One of our customers, Health IQ, calls it “The Easy Button for DLP.” Additionally, Virtru's HIPAA DLP Rule Pack can be a strong start for organizations that require HIPAA compliance.
Conversely, if your organization has a wide variety of data-sharing scenarios — say, a global enterprise with teams ranging from customer support to HR, sales, and executives — DLP might not be so simple. In this case, it's helpful to have more layers to your DLP strategy.
You know that things like credit card numbers, PII, and passwords should never leave your organization unprotected — so automating encryption for messages containing these elements sets a solid foundation.
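To make the layered approach concrete, here is an added example (not Virtru’s code, and not how its rule packs are implemented) of a small rule engine in Python. It combines regex format rules for SSNs, payment card numbers, passwords, and “record” file names with validation steps that throw out format-only false positives, and maps each rule to a tier: high-confidence matches such as a valid card number trigger automatic encryption, while weaker signals such as a file name only warn the sender. The rule names, tiers, and sample messages are all constructed for illustration.

```python
"""Toy DLP rule engine: regex format matching, validation to cut false
positives, and a decision tier (encrypt / warn / allow) per outbound message.
Added example; the rule set and sample messages are constructed, not from any
product."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. A nine-digit order number often fails this."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")


@dataclass
class Rule:
    name: str
    pattern: "re.Pattern"
    action: str                                  # "encrypt" or "warn"
    validate: Optional[Callable[["re.Match"], bool]] = None


# Constructed rule set: shape + validator + tier.
RULES: List[Rule] = [
    Rule("ssn", re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"), "encrypt",
         lambda m: ssn_ok(m.group(1), m.group(2), m.group(3))),
    # 13-19 digits, optional spaces or dashes between them, must pass Luhn.
    Rule("card", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), "encrypt",
         lambda m: luhn_ok(re.sub(r"[ -]", "", m.group(0)))),
    Rule("password", re.compile(r"\bpassword\s*[:=]", re.I), "warn"),
    Rule("record-filename",
         re.compile(r"\b[\w-]*record[\w-]*\.(?:pdf|docx?|xlsx?)\b", re.I), "warn"),
]

PRIORITY = {"encrypt": 2, "warn": 1, "allow": 0}


def scan(text: str) -> Tuple[str, List[str]]:
    """Return (decision, matched rule names) for one outbound message.
    The strongest action among validated hits wins."""
    hits: List[str] = []
    decision = "allow"
    for rule in RULES:
        for m in rule.pattern.finditer(text):
            if rule.validate and not rule.validate(m):
                continue            # shape matched, validation failed: not a hit
            hits.append(rule.name)
            if PRIORITY[rule.action] > PRIORITY[decision]:
                decision = rule.action
            break                   # one validated hit per rule is enough
    return decision, hits


# Constructed sample messages (no real data).
SAMPLE_MESSAGES = [
    "Patient SSN 123-45-6789 attached",                # valid SSN -> encrypt
    "Card on file: 4111 1111 1111 1111",               # Luhn-valid test PAN -> encrypt
    "Order number 4111-1111-1111-1112 shipped",        # fails Luhn -> allow
    "Ticket 000-12-3456 reference",                    # never-issued SSN area -> allow
    "The wifi password: hunter2",                      # weaker signal -> warn
    "Attaching medical-records-2023.pdf",              # file-name keyword -> warn
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        decision, matched = scan(msg)
        print(f"{decision:8} {matched!s:28} {msg}")
```

The two validators are where the “too lax vs. too strict” trade-off is actually tuned: the same regex that catches a real card number also catches a 16-digit shipment reference, and the checksum is what separates them. The tiers map onto the layers described above: `encrypt` is the server-side automatic action for data that should never leave unprotected, and `warn` is the client-side “are you sure?” prompt for signals that deserve a human decision.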
It can take a little time to dial in the right balance of automation for your particular organization. Depending on the information being shared, you may want to err on the side of caution — it's better to protect something that may not need it, rather than wishing you'd protected something that was sensitive.
It's important that your users have the ability to protect the sensitive information they share, when the need arises. Because, let's face it — it's common to have a business need to transmit sensitive information, both internally and externally. Client-side tools like Virtru for Gmail and Virtru for Outlook allow your users to treat sensitive information with care. Because Virtru sits inside their email app, it's easy to toggle on Virtru protection when they write or attach something that needs to be secured. This layer of protection gives you control over the information, even after it's been shared — you can revoke access any time, should the need arise.
Virtru's client-side tools include an option to warn the user when potentially sensitive information is detected — so if they try to send an email that appears to contain something you've designated as sensitive (e.g., a social security number, a password), Virtru will display a message that effectively says, “Are you sure you want to send this?” In the words of the customer,
With Virtru, you can make smarter data protection decisions. Our DLP rules help you and your team make an informed decision on whether data can and should leave the organization, and if it needs an additional layer of security to keep it under your control at all times. This helps you strike the right balance for DLP without under- or over-encrypting.
If you’re interested in leveraging Virtru's DLP for email, we make it easy: Book a demo with our team to learn more.
Contact us to learn more about our partnership opportunities.