BETTER TOGETHER: ENHANCING ENTERPRISE SECURITY WITH INFORMATION CLASSIFICATION AND DLP
In a world full of innovations that include virtualization, cryptocurrency, IoT, cloud hosting services, automated vehicles, and artificial intelligence, sustainable business competitiveness is not negotiable. The American economist Milton Friedman once said, “the business of business is business”, and this remains a golden rule for those who anticipate, accept and shape new challenges and advancements. The more dynamic the transformation, the more deliberate the process of change should be, because the window of opportunity can close extremely rapidly.
Efficiency is the ability to adapt and to achieve the desired result without wasting energy and time. That is why it is essential for any business to identify its key identities, values and compliance factors. Adaptability and access to the right information are the basic enablers for managing change and responding to it effectively in a dynamic business ecosystem.
Timely usage of accurate information is a game changer for the rapidly evolving business. It can enable people to work smarter, faster and in a more efficient manner than ever before. The right information, used at the right time could potentially have a significant impact on economies, specific business industries, and the labor market. That is why information protection is an essential business driver today.
What would be the loss for the business, if critical, competitive company information was leaked?
The answer becomes clear when something bad happens. In the worst-case scenario, a data breach occurs and causes the company significant financial or reputational damage. The usual response is to buy a Data Loss Prevention (DLP) solution that IT will implement and manage.
The common practice is to allocate budget for DLP to protect the company’s information. The technology is chosen based on the latest trends, and when the time for implementation comes, the DLP solution is configured:
- with one or several default policies in monitoring mode
- integrated with a limited number of enterprise systems, i.e. covering only a limited number of users, business processes and information
- for a period of a few months
Then the project is considered as ‘successfully’ closed!
However, is the company’s critical information truly protected against leakage once the DLP project is done? No! Instead, after a few more months, the company decides that the DLP was not effective, required costly support and should not be used anymore.
What went wrong?
Just as an automated vehicle needs to be given its route and destination, every IT system is designed to facilitate a process, and these systems need to be ‘told’ what to do to serve the business. The DLP solution should be configured based on predefined criteria that include:
- what to protect (e.g. critical information)
- against what type of threats (e.g. leakage and unauthorized disclosure)
- how to react (e.g. notify only, notify and block)
The information classification process defines the business needs and translates them into system language appropriate for an effective and efficient DLP implementation. And how can we achieve this goal fast, with minimum effort and a limited budget?
Simply by asking the right questions:
- Why information classification? – The company’s information needs to be classified and protected, i.e. prioritized and secured, based on its format, criticality and value.
- What is information classification? – This is a process which aims to rank and rate the importance of all company information in all formats, including digital, hard copy and verbal. The process is based on an evaluation of information criticality and of the impact on the organization in case of disclosure, unauthorized access, misuse or loss of critical company information.
- Who is the owner of the information classification process? – The definition of ownership and custodianship of critical information is a distinct part of the information classification process. The IT department can facilitate the technical solutions (the DLP solution) for protecting information in digital format. Company information in other formats must also be classified and protected by the assigned owners and custodians respectively.
- When shall the information classification process be applied? – The right time to plan and establish an information classification process is when the company’s information security strategy is defined and there is ‘buy-in’, i.e. understanding and commitment from the stakeholders. DLP is the system that automates an information classification process that is already in place; it cannot substitute for one.
- Where will the information classification process be enforced? – The process has a defined perimeter, or it covers the whole organization, i.e. all organizational structures and business processes. The main purpose of the process is to ensure that all information assets are evaluated, prioritized and protected accordingly. This could include protecting email with DLP and archiving printed documents in secured archive rooms.
- How to implement information classification and automate it with effective DLP protection?
- *‘Begin from the end’: set up the goals and the checkpoints during the project and after implementation, then verify that these goals are achieved as expected and within the planned period.
- *Officially communicate the decision of the stakeholders, together with the project owner. It is the main driver when new initiatives and dynamic business changes need to be applied in the organization.
- *Formalize detailed policies, procedures and guidelines that facilitate the information classification process and the DLP configuration.
- *Select the right team, including representatives from all organizational structures, to bring them together on the common ‘information protection journey’.
- *Plan and perform periodic tests, e.g. simulate a scenario in which the DLP needs to react as expected, and analyze the results thoroughly.
- *Configure the DLP policies to fit the company’s business needs for information protection and to take the industry-specific threat landscape into account.
- *Monitor change management of the information classification process and reflect the necessary DLP improvements promptly.
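To make the ‘translation to system language’ concrete, here is an added example that is not part of the original post and not code from any DLP product. It takes the three configuration criteria listed earlier (what to protect, against which threats, how to react) and expresses them as a policy table keyed on classification label and egress channel, then runs the kind of periodic simulation described in the last list. The four-tier label scheme, the channel names, the ‘Classification:’ marker format, the INTERNAL default for unlabelled content and the policy table itself are all assumptions chosen for illustration; the card-number content rule (a Luhn-checked digit run) is a standard DLP technique and goes beyond the post’s text. Sample documents are constructed, not real company data.

```python
"""Classification-driven DLP policy engine (added example, assumptions noted inline)."""
import re
from dataclasses import dataclass
from enum import IntEnum


class Label(IntEnum):
    """Assumed four-tier classification scheme, ordered by sensitivity."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


class Channel(IntEnum):
    """Assumed egress channels the DLP is integrated with."""
    INTERNAL_MAIL = 0
    EXTERNAL_MAIL = 1
    USB = 2
    CLOUD_UPLOAD = 3


class Action(IntEnum):
    """Ordered so that max() picks the most restrictive reaction."""
    ALLOW = 0
    NOTIFY = 1   # monitoring mode: log and alert, let the transfer through
    BLOCK = 2    # stop the transfer and alert


# "What to protect / against what / how to react" as a table (assumed policy):
# for each channel, the lowest label at which an action applies.
POLICY = {
    Channel.INTERNAL_MAIL: {Label.RESTRICTED: Action.NOTIFY},
    Channel.EXTERNAL_MAIL: {Label.CONFIDENTIAL: Action.NOTIFY, Label.RESTRICTED: Action.BLOCK},
    Channel.USB:           {Label.CONFIDENTIAL: Action.BLOCK},
    Channel.CLOUD_UPLOAD:  {Label.INTERNAL: Action.NOTIFY, Label.CONFIDENTIAL: Action.BLOCK},
}

# Marker the information owner places in the document (assumed format).
LABEL_RE = re.compile(r"^Classification:\s*(Public|Internal|Confidential|Restricted)\s*$",
                      re.IGNORECASE | re.MULTILINE)
# Content rule: 13-19 digit runs, optionally space/hyphen separated, are card-number candidates.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; cuts false positives on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Document:
    name: str
    text: str


def classify(doc: Document) -> Label:
    """Owner's explicit label first; content rules may raise it but never lower it.

    Unlabelled content defaults to INTERNAL (assumed fail-safe default).
    """
    m = LABEL_RE.search(doc.text)
    label = Label[m.group(1).upper()] if m else Label.INTERNAL
    for candidate in PAN_RE.findall(doc.text):
        if luhn_ok(re.sub(r"[ -]", "", candidate)):
            label = max(label, Label.CONFIDENTIAL)
            break
    return label


def decide(label: Label, channel: Channel) -> Action:
    """Most restrictive action whose label threshold the document meets."""
    applicable = [act for threshold, act in POLICY.get(channel, {}).items() if label >= threshold]
    return max(applicable, default=Action.ALLOW)


def simulate(scenarios):
    """Periodic test: run (document, channel, expected action) cases, return the mismatches."""
    failures = []
    for doc, channel, expected in scenarios:
        got = decide(classify(doc), channel)
        if got is not expected:
            failures.append((doc.name, channel.name, expected.name, got.name))
    return failures


# Constructed sample documents for the simulation (not real company data).
SAMPLES = [
    (Document("press.txt", "Classification: Public\nQ3 launch announcement."),
     Channel.EXTERNAL_MAIL, Action.ALLOW),
    (Document("roadmap.docx", "Classification: Confidential\n2025 product roadmap."),
     Channel.USB, Action.BLOCK),
    (Document("board.pdf", "Classification: Restricted\nM&A target list."),
     Channel.INTERNAL_MAIL, Action.NOTIFY),
    # No label, but a Luhn-valid card number: the content rule raises it to CONFIDENTIAL.
    (Document("refund.csv", "customer,card\nA. Smith,4111 1111 1111 1111"),
     Channel.EXTERNAL_MAIL, Action.NOTIFY),
    (Document("memo.txt", "Lunch is at noon."), Channel.CLOUD_UPLOAD, Action.NOTIFY),
]

if __name__ == "__main__":
    failures = simulate(SAMPLES)
    for name, channel, expected, got in failures:
        print(f"FAIL {name} via {channel}: expected {expected}, got {got}")
    print("all scenarios passed" if not failures else "policy needs review")
```

The point of the table is that the business decision (which labels may leave by which channel, and whether the reaction is to notify or to block) is written down once by the information owners and then simply executed by the tool; changing a classification or adding a channel is a table edit, which is what the change-management step in the list above is meant to catch. The `simulate` function is the periodic test: keep the scenario list under version control with the policy and re-run it after every policy or classification change.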
Just as automated vehicles are now a reality, so too is vigilant information protection possible, as long as the right ‘destination’ is clear and aligned with the dynamically changing business.
Blog by:
Help AG Cyber Security Consulting