Solving the DLP Puzzle: 5 Ways Employees Spill Sensitive Data
Here are five ways in which employees maliciously or unwittingly lose sensitive data, and how a DLP program with the right people policies can make a difference. (Part 2 in a series)
By Bill Brenner, Senior Editor
July 14, 2009 — CSO —
A company can buy every top-of-the-line security product known to man, but it won't make a difference for data loss prevention (DLP) unless end users are educated on their own role. Technology is indeed critical to DLP, as we showed in "Solving the DLP Puzzle: 5 Technologies That Will Help." But security experts say user awareness is key to keeping sensitive data safe from online predators.
"DLP is a process first. The technology is simply an enabler for the automation of the process," said Rick Lawhorn, a Richmond, Va.-based chief security officer. "The process needs to include education and awareness training and cover human resources, records management and compliance. The objective is to continuously train data owners and data custodians (the employees) on the company policies to reduce instances of non-compliance."
Based on feedback from several security practitioners, here are five ways in which employees maliciously or unwittingly lose sensitive data, and how a DLP program with the right people policies can make a difference.
1. E-mail mayhem
IT administrators have had success detecting and blocking malicious e-mail, but users continue to let sensitive data out of the company by hitting "send" at the wrong moment -- for example, right after pasting customer records or intellectual property details into a message. Often the e-mail is meant only for recipients inside the company, but the user adds an outside address without thinking.
Meanwhile, e-mail filters can't stop every phishing attempt. Links to malicious sites will still get through, and it takes only one user clicking one of them to infect one or more machines with malware that finds and steals data.
This is where user policies and awareness training can make a difference, Lawhorn and others noted. Policies should be clear on the type of content that users can and cannot send out, including such things as customer credit-card numbers, details of the company's intellectual property and the medical records of fellow employees. Attackers typically latch onto news events like hurricanes or celebrity deaths to concoct bogus headlines that, once clicked, open the door to malicious websites designed to drop malware onto the user's machine. An awareness program can reduce the risk by constantly alerting employees to the social engineering schemes making the rounds.
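The kind of outbound check that backs up such a policy, as an added example written for this page (it is not code from the article or from any DLP product): it scans a message body for card numbers, validates them with the Luhn check so that order references and phone numbers are not flagged, identifies recipients outside the company domain, and returns a block/warn/allow verdict plus a redacted copy. The company domain (example.com), the three-level policy and the sample message are all assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed company domain for the example; any other domain counts as an outside address.
INTERNAL_DOMAIN = "example.com"

# 13-19 digits, optionally separated by single spaces or hyphens, not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out most numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the separator-free card numbers in text that pass the Luhn check."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid card number in text, keeping only the last four digits."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(mask, text)


def external_recipients(recipients: list[str]) -> list[str]:
    """Addresses whose domain is neither the company domain nor one of its subdomains."""
    ext = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain != INTERNAL_DOMAIN and not domain.endswith("." + INTERNAL_DOMAIN):
            ext.append(addr)
    return ext


@dataclass
class Verdict:
    action: str            # "allow", "warn" or "block"
    pans: list[str]        # validated card numbers found in the body
    external: list[str]    # recipients outside the company domain
    reason: str


def evaluate_outbound(recipients: list[str], body: str) -> Verdict:
    """Assumed policy: card data addressed outside the company is blocked;
    card data sent only internally is allowed but flagged for review."""
    pans = find_pans(body)
    ext = external_recipients(recipients)
    if not pans:
        return Verdict("allow", [], ext, "no card data found")
    if ext:
        return Verdict("block", pans, ext,
                       f"{len(pans)} card number(s) addressed to {len(ext)} outside recipient(s)")
    return Verdict("warn", pans, [], f"{len(pans)} card number(s) sent internally; logged for review")


if __name__ == "__main__":
    # Constructed sample message; the card number is a well-known test number.
    body = ("Hi, pasting the customer record you asked for:\n"
            "Card: 4111 1111 1111 1111, order ref 1234567890123456\n")
    verdict = evaluate_outbound(["alice@example.com", "partner@vendor.net"], body)
    print(verdict.action, "-", verdict.reason)
    print(redact_pans(body))
```

The Luhn step matters in practice: a filter that fires on any 16-digit run will block shipping and order numbers and train users to ignore its warnings. The "warn" outcome for purely internal mail reflects the article's point that the policy problem is not only outside addresses; the data still needs to be logged and reviewed.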
2. The perils of pinging
Instant Messaging programs like AOL Instant Messenger and Trillian have become routine applications in an increasingly mobile workforce. Employees often rely on these programs to communicate remotely with their bosses and department mates. Along the way, attackers have found ways to send malicious links and attachments to users by creating impostor accounts so that their messages appear to come from colleagues. Adding insult to injury, many IM applications can be downloaded for free and, once installed, are pretty much beyond the control of enterprise IT shops. Like the e-mail problem, this is a case where user awareness training and policies are critical. Policies should be clear about what information can and can't be sent by IM.