In addition to phishing attacks, uncontrolled downloads, spam, viruses, spyware and other malicious code, leaks of confidential data pose a huge security risk for companies. According to our experience, the confidential data of companies stored in the corporate network, such as financial or strategic information, is disclosed by their own employees. The most frequently used points of exit are popular web mail systems, instant messaging software, web upload pages, and even standard outbound mail, whose contents are rarely inspected and may include confidential or classified information. These are risks that no company can leave out of consideration.
In many cases, the activity of users with privileged access to systems and network folders is difficult to trace because the scope of information they can access and the associated access levels cannot be limited. However, the threat of data leakage, such as the disclosure of payroll data, must be mitigated both outside and inside the organization.
The protection of personal data and the public disclosure of information of public interest are governed by law. Under the law, the data controller is liable for damage caused by the data processor in the event of unauthorized access.
The current perimeter protection solutions cannot fully address these risks and statutory requirements.
To prevent the leakage of confidential business information, you need to set up and operate a DLP system, such as WebSense Data Security Suite. The application can map where the designated sensitive information is present (Discovery function) within the organization’s network and systems (endpoints, repositories, gateways, databases, internal networks), and it can monitor the movement of sensitive data according to established rules (Monitoring function). Introducing the software makes it possible to determine which user (Who?) attempted to leak what kind of information (What?) to whom (Where to?) and in what way (How?).
The results can also be used to create individual and aggregated reports, which can be customized and automated to suit the requirements of the user, such as a manager or the head of IT security. Because the WebSense system is modular, it can be installed flexibly and its features can be implemented separately.
The introduction and operation of the software system can be carried out as a comprehensive information security project. We need to define the types of data to be protected, given the high risk their disclosure would pose to the organization, as well as the list of those who have access to that information and by what means:
- It is important to know exactly what data assets the company has and which data or information must be protected against leakage because a breach of their confidentiality would pose a risk. In order to take security measures that match the different risk levels, such as installing DLP software, we need to know the extent of those risks.
- We must know the access level of each and every employee to all information, as well as the purposes for which they may use any given piece of information (process assessment, setting of rules). In most cases, user and privilege management as well as the data storage and mailing settings associated with the company's business processes must be examined and reconsidered.
- The installed software must be operated and incidents must be managed. For this purpose, it is advisable to create a DLP rule system integrated into the processes and the structure of the company.
- The results must be integrated into IT security regulations and implemented for the day-to-day operation of the organization.
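As an added illustration of the Monitoring function and the DLP rule system described above (example code written for this page, not part of WebSense or KÜRT's tooling), the following Python sketch classifies constructed outbound events against a small rule set and produces incident records along the Who / What / Where to / How dimensions. The rule patterns, channel names and sample traffic are all assumptions chosen for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed rule set: data class -> pattern that detects it in outbound
# content. Patterns are illustrative placeholders, not WebSense policy syntax.
RULES = {
    "payroll": re.compile(r"\b(salary|payroll|net pay)\b.*?\b\d{3,7}\b", re.I),
    "financial_report": re.compile(r"\bQ[1-4]\s+(revenue|EBITDA)\b", re.I),
    "strategy": re.compile(r"\b(merger|acquisition) plan\b", re.I),
}
# Exit channels named in the text; this is the "How?" dimension.
CHANNELS = {"webmail", "instant_messaging", "web_upload", "smtp"}

@dataclass
class Event:
    user: str        # Who?
    channel: str     # How?
    recipient: str   # Where to?
    content: str     # What? is derived from this
    external: bool   # True when the recipient is outside the organisation

def match_rules(content):
    """Return the sorted data classes found in content (the What? dimension)."""
    return sorted(name for name, rx in RULES.items() if rx.search(content))

def monitor(events):
    """Return one incident record per event carrying protected data. External
    destinations are rated high; internal movement is still logged."""
    incidents = []
    for ev in events:
        if ev.channel not in CHANNELS:
            raise ValueError(f"unmonitored channel {ev.channel!r}")
        found = match_rules(ev.content)
        if found:
            incidents.append({"who": ev.user, "what": found,
                              "where_to": ev.recipient, "how": ev.channel,
                              "severity": "high" if ev.external else "internal"})
    return incidents

SAMPLE_EVENTS = [  # constructed sample traffic, not real data
    Event("j.smith", "webmail", "friend@example.org",
          "Attached payroll for March, totals 48200 per head", True),
    Event("a.kovacs", "smtp", "hr@corp.example",
          "Payroll 2024 review, net pay 3100", False),
    Event("b.lee", "web_upload", "share.example.net",
          "Draft acquisition plan v3", True),
    Event("c.nagy", "instant_messaging", "colleague@corp.example",
          "lunch at 12?", False),
]
```

Calling `monitor(SAMPLE_EVENTS)` yields three records: two high-severity external leaks (webmail, web upload) and one internal payroll transfer kept for review.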
KÜRT’s consulting and system integration team has up-to-date skills in introducing DLP technology and the WebSense software, and can take an active part in the preliminary planning and implementation phases as well. We recommend carrying out the following activities:
- Assessment of data assets and data classification
- Risk analysis
- Information security regulation
- Process management
- User and authorization management, Active Directory audit
- Implementation and software introduction advice