Before we discuss the serious investment in money and time DLP requires of large companies, let’s look at how you can protect your smaller company on the cheap. Here are four points to address.
First, explain to your workers why DLP matters and the penalties for mistakes. If workers don't know which files need protection, they can't protect them. Explain the penalties when customer information escapes. News stories help you with this by recounting yet another data loss just about weekly. Clip and save a couple of articles that outline the data breach laws, penalties and costs of customer notification. Even small companies fall under these guidelines, so emphasize how each employee may have to call customers and apologize for sending their credit card information to the Hackers 'R Us headquarters by accident.
Following the 80/20 rule, 80% of your coworkers will get the message and do a better job of monitoring how they use and abuse data, while the other 20% will nod and say they understand the issue, then do something crazy like e-mail a plain text listing of your customer files that afternoon. Behavior modification requires constant repetition, just as animal trainers work every day with their charges. Unfortunately, you can't use a whip with coworkers.
Second, move all critical files off individual computers. Enterprise DLP system software runs on every desktop and laptop, and monitors local and networked file activity. Until you can afford that, remove temptation by vigorously tracking all critical files on local computers and moving those files to networked storage of some kind.
This requires you to formulate a list of critical files, file types and information to be guarded. Compliance regulations focus on customer data like credit card numbers, but you have much more information you want to keep quiet. Whether plans for the 200 mile per gallon car or your customer list, you have plenty of information to safeguard. Leaving those types of files under the control of individual users means your DLP attempts failed.
Third, upgrade your local shared storage access controls. Management knows how to do this, because they don't put payroll information in the public file area. Treat all your critical files as if they were payroll files, and you'll be better off.
Shared file storage, whether a Network Attached Storage device you pick up at Best Buy or a redundant cluster of Linux servers in front of a Storage Area Network, provides controls over which users have access to which folders. The better the system, the more granular and secure the access rights controls. Even the cheapest shared storage box allows you to password protect volumes at a minimum, making it easy to put, say, all accounting and payroll files on a separate volume that requires a username and password different from the public file storage areas. Take the time to set this up properly, and your data problems drop in a big way.
Sign up for Computerworld eNewsletters.