The purchase dilemma - is data leakage prevention a good investment?
Too often the decision to purchase IT security products is made without regard to the need to train employees about security protocols. It is an oversight that can be costly writes James Turner.
In last month's column, I stated that the entire data leakage prevention (DLP) area was going to be a flash in the IT security pan.
This assertion is based on some research I recently completed on DLP. I maintain that DLP is an information management tool, not a threat mitigation tool like anti-virus or intrusion prevention.
DLP technology is not a substitute for due care in the handling of data. DLP is not a replacement for user training in information management, process re-engineering to eliminate gaps and/or confusion, information security awareness campaigns, or even personal accountability.
This point – personal accountability – seems to be an area of breakdown where many security policies are coming unstuck in the face of the users.
To give you an example of this from the world of physical security: recently, while waiting for a meeting with an industry contact, I was sitting in the lobby of a large organisation.
Security guards checking staff tags
The lobby had security guards checking the tags of staff passing into the second area of the lobby. While I was watching, a lady came up to the guards, reached for her credentials and suddenly realised that the tags were no longer there. The guards then tried to direct her to the reception desk where they wanted her to follow the security procedure. The lady was very upset. She protested that the tags were there this morning, so why couldn't the guards just let her through?
There are two issues here. Firstly, she was taking out her upset on the guards because she had lost her tag. She was apparently expecting them to ignore her breach of responsibility and then ignore their own responsibilities and let her through. Secondly, she didn't understand the importance of following this security procedure.
I don't expect staff to be experts on the reasons for each and every security policy. I don't even expect staff to know all their organisation's security policies. But I think it's reasonable to expect that staff are sufficiently trained so that they understand the need to follow procedure.
This employee's lack of personal accountability for her own credentials was compounded by a lack of adequate training and became a classic incident of a user being "obstructed" from doing what they wanted to do by security.
The fledgling industry of DLP sprang up because accidents happen with data handling. Usually it will be because the user does not understand the value of the data, or the user is distracted from correctly handling the data. Either option has implications for an organisation that depends on users executing their duties with due care. In either case, the root cause is poor staff training in dealing with valuable and confidential information.
Need for improved staff training
The need for improved staff training is exacerbated by the influx of Generation Y workers and the attitude to information ownership they bring with them. This is a generation which uses technology and information ruthlessly as the means to the end and often in ways which were unintended by the creators. Their ability to innovate on the fly by mashing up technologies and information is already having a direct impact on the deployment of new technologies.
Generation Y is learning these sloppy information handling lessons on the Internet and then bringing the lessons into the organisation.
There is a real risk that we will lose the hard-earned lessons of the last 50 years of IT security in this Internet-based eclectic grab-bag of devalued intellectual property if we do not instigate consistent training for all staff. This information management training cannot be ad hoc.
Australia needs an education campaign across all organisations. Think this is a storm in a teacup? How many handheld devices are getting plugged into your network? People are always looking for the easiest path – technology will not protect you.
While it may be tempting to buy into the marketing hype of a vendor that has just dropped a few hundred million on a "me too" acquisition, in our more considered moments we remember that education is as close to a silver bullet as we have.
About the author: James Turner is an advisor with IBRS, an Australian company that provides research and advice to IT and business managers in Australasian organisations. James specialises in the IT security sector. www.ibrs.com.au