Avery Dennison overhauls DLP program in enterprise-wide effort

The company’s DataSafe initiative marries technology improvements and a new enterprise-wide security mindset.

cloud security / data protection / encryption / security transition
Metamorworks / Getty Images

Avery Dennison had to confront a typical challenge: how to best protect its significant, and quickly growing, volume of data.

The 86-year-old multinational company has accumulated 55 million-plus files, which its 30,000 employees use and share among themselves and external collaborators across 60 countries to get their jobs done.

Safeguarding such an expansive stash is a tremendous task, as any CISO can appreciate, and it’s one that could easily swamp a security team.

But Senior Director and Information Secuity Officer Jeremy Smith and his staff have allies in tackling that task, thanks to Avery Dennison’s DataSafe initiative.

DataSafe enlists all employees in an enterprise-wide effort to protect company data by asking them to consider the safeguards needed from the time a file is created through all its stages of use. DataSafe then combines its human resources with well-articulated controls and intelligent security software, completing the lauded people-process-technology framework for transformation.

The result is a robust strategy for preventing unintentional data leaks and malicious hacks, one that populates a security mindset throughout the organization.

“It was often thought that security was security’s problem. But enabling your employees to act as security partners to protect their own data is as critical as any security tool you may have,” Smith says. “That takes getting out of your silo, working within the business functions to understand what data to protect, how to protect it, and then providing methods to enable that. It’s something that’s a little different for us technology practitioners.”

A need for change

DataSafe represents a maturation of Avery Dennison’s data security program, Smith says.

His company, similar to many others, once had taken a more conventional approach to security, leaving the task mainly to security specialists who implemented firewalls, other defensive technologies, and constraining policies.

But several years ago the security team and other company leaders came to see that approach as ineffective. They saw that their expanding use of cloud resources obliterated the company’s computing parameters and that the protection of their data was vulnerable to human error.

“There was a realization that data could easily be lost. There was this realization with our internal audit team that we weren’t as mature in our data loss prevention as we desired to be,” Smith explains.

So, in late 2018 and into 2019 the security team partnered with the company’s audit department, its IT communications team, and outside consultants to create a roadmap for change.

Problems to address

As is typical for organizations seeking transformational change, there were no ready-made solutions that could easily address all the company’s concerns or meet the unique needs of Avery Dennison; there were no off-the-shelf data loss prevention (DLP) tools that could be quickly deployed into the company’s environment, Smith says.

He points to a few key reasons why.

First up: The data that Avery Dennison has, and considers valuable, is highly specific to the organization.

“We don’t have very simple data types that lend themselves well to pattern-matching. We’re business-to-business, so our most critical data is intellectual property and customer order information,” Smith says.

As a result, the company’s data was not filled with personal identifiable information or payment card data whose protection is guided by industry best practices and well-established standards such as the Payment Card Industry Data Security Standard (PCI-DSS).

And because Avery Dennison’s files don’t contain highly structured data governed by regulations or rules, Smith says conventional DLP tools weren’t particularly effective in identifying the company’s sensitive data. As he says: “There’s no easy formula that we could come up with that said, ‘If this was lost, it would be a risk.’”

Moreover, the company at that time didn’t have a rigorous classification system that would work well with even customized DLP tools or manual interventions, Smith says.

That lack of a robust classification scheme also meant employees didn’t have a system to guide how, when, or whether they should limit access to files.

Consequently, while executives generally understood which files contained sensitive information, lower-level employees did not. Additionally, most employees didn’t practice the principle of least privilege—where access to information is limited to only those who have a demonstrated need to have it.

“We had loose data classification terms, and they weren’t widely used, so people didn’t know if a file was classified, or what that meant, or how it should be restricted,” Smith explains.

Building a better system

The assembled team tackled those obstacles with the DataSafe initiative.

The program started by enlisting the corporate managers who had responsibility for data, having them identify and inventory data and assets as well as articulate the critical components, develop a four-tier classification system, and establish key performance indicators for protecting data at the various levels.

“They helped us define in their function what was the data that would be in each of four categories, from data requiring the highest level of protection to data that’s public,” Smith says.

As such, identifying and inventorying the most critical business data and assets made up the first part of the initiative’s three-pronged approach.

The second part was measuring and planning for success.

The third component then involved the selection and deployment of intelligent data protection technology to help prevent data leaks and ensure regulatory compliance while also enabling seamless collaboration—an important component of making DataSafe work. Avery Dennison opted for Sekure, a cloud-native data governance application that enables employees to identify, classify, monitor, and protect sensitive business data as well as automatically discovers, classifies, and protects the company’s most critical business data.

The company took about six months to develop and rollout DataSafe, with the initiative fully deployed at the end of 2019. Smith credits its success in part to assigning a senior program manager, Jagan Koli, to shepherd it forward.

Companywide security mindset

Now in operation, DataSafe requires employees to classify a file upon its creation based on the company’s four-point system for data security, so that the file can be protected based on its security needs.

“It forced people to think about whether the data was important, and if distributed too permissively whether it would cause risk to the organization. It got people thinking about the data itself and to be more careful about how they handle it,” Smith says.

Avery Dennison’s security tools then reinforce policies, automate controls, and detect for violations. The technology capabilities include centralized visibility of human risk and compliance, incident response enrichment, and risk-aware security in addition to autonomous data classification, user-driven data classification, and automated governance.

Those tools include machine learning and artificial intelligence capabilities, which bring a level of effectiveness to DataSafe that wasn’t possible until recently. As Smith says: “There are aspects of this that we couldn’t have done five or 10 years ago, and we’re still maturing.”

The result is a data-protection program in which empowered employees alongside technology designed for Avery Dennison’s specific needs are able to immediately deliver better security and improve performance over time.

“We created a model,” Smith says, “for holding our data owners accountable, KPIs and goals for ourselves for how we’re going to mature.”

Copyright © 2021 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)