In this podcast, Roman Foeckl, founder and CEO of CoSoSys, talks about the growing importance of Data Loss Prevention at both the endpoint and the development level.
Here’s a transcript for your convenience.
Hi, I’m Roman Foeckl, Founder and CEO of CoSoSys, and I want to talk to you today about the growing importance of Data Loss Prevention at both the endpoint and the development level. The last year has been a disastrous one for data protection across the board, with organizations ranging from hospitals and government agencies to data aggregators like Equifax and big businesses like Forever 21, Uber and Verizon falling victim to large-scale data breaches.
That being said, there’s been a marked effort both in the US and the EU to regulate data protection and lift overall standards to a level where breaches cannot easily occur. The General Data Protection Regulation or short GDPR is the most prominent of these. Already seen as a ground-breaking legislation, the GDPR focuses on protecting individuals’ data and placing responsibility for data security squarely on companies’ shoulders, with massive penalties for organizations found to be non-compliant with its core principles.
The new regulation brings concepts previously only discussed in policy circles, such as privacy by design and privacy by default, into the mainstream and turns them into requirements enforced by law across the European Union. You can also see the importance of GDPR in that it is already being similarly adapted in California with the California Consumer Privacy Act.
In the midst of this tense situation, where companies’ fear of breaches has increased exponentially, while at the same time they are frustrated by the tremendous task of reaching compliance with various regulations, the information security sector, with its plethora of services and solutions, has found its role gaining a significant boost in importance.
A few years ago, we in the information security sector were, in a way, the birds of ill omen, always warning companies of the possibility of data breaches, data loss and cyberattacks. Today, we don’t have to convince anyone that that’s the case. They see it happening every day. Digitalization has brought enormous benefits, but it has also given rise to greater vulnerabilities, and no company can afford not to have a data protection plan in place anymore.
When it comes to data loss, the human factor often plays a decisive role. Whether through carelessness or ignorance, employees often make mistakes that compromise a company’s data security. We can cite so many examples of this, from London Heathrow Airport’s security plans being found on a USB in a public library to Snapchat’s payroll department falling for a whaling attack and releasing the sensitive information of over 700 employees.
Devices full of sensitive data are taken out of the workplace unencrypted and are then lost or stolen. They are used in public places over insecure connections, where they can easily fall prey to cyberattacks or be accessed by unauthorized third parties. Employees often disregard data protection practices and transfer sensitive data over cloud storage services, by email or through messaging applications.
And that’s without counting shadow IT, namely the applications and services that the company has no idea its employees are using: online file transfer or conversion services, for example, whose security is often doubtful. Even worse, all this is done intentionally by employees looking to cut corners and finish their work faster. To this you can add the unintentional accidents, where data is sent to a general email address, posted publicly online or shared with unauthorized third parties.
Now put all this into a context where you have legislation like the GDPR imposing fines of up to 24 million dollars or 4% of a company’s annual global turnover for the preceding year, whichever is higher. With the responsibility for their employees’ behavior resting with the company, it is the organization that pays for their negligence.
All of this, of course, can be mitigated through the use of Data Loss Prevention and complementary tools which put control back into the hands of employers and allow them to enforce data protection policies directly, without negatively impacting their employees’ work.
DLP solutions, like CoSoSys’ own Endpoint Protector tools, allow admins to define sensitive data as it applies to them. This can mean predefined general personally identifiable information, things like social security numbers, credit card numbers, passport numbers, dates of birth and so on. But it can also be customized, industry-specific sensitive information: medical records, software code, patent applications, copyrighted content etc., or regulation-specific profiles for sensitive data as defined by HIPAA, GLBA, GDPR etc.
Using these definitions to build policies, the transfer of sensitive data can be monitored or blocked via all or specific channels, and it can be searched for on employees’ computers and encrypted or deleted where it is found on unauthorized users’ endpoints, devices or clouds.
Taking things a step further, device access can be blocked on employees’ endpoints and granted only to trusted portable devices. All data transferred onto USB drives can be automatically encrypted. All of these measures significantly reduce the damage that can be wrought by a company’s own employees, whether out of ignorance or through malice. They also considerably reduce the chances that sensitive data can be accessed by third parties.
Of course, this is about endpoints and networks. These issues have been around for years; it’s why Data Loss Prevention solutions were developed in the first place. A newer development is data protection and security within apps, services and clouds. As I mentioned before, the GDPR brought two concepts into the mainstream: privacy by default and privacy by design. What these essentially mean is that developers need to put security at the top of their priority list when creating applications and services. If you think about it, it does make sense: if you can no longer escape the need for security features, why not add them straight into the core from the start instead of boosting security later through extra layers or add-on services?
However, here’s where the plot thickens: security features imply a niche expertise most developers don’t have. In which case, should all coders start reinventing the wheel? Go back to basics and teach themselves how to build security features, or should the company pay for expensive specialized training? At the end of the day, even if they learn how to add security elements to their apps, their efforts will at best be passable and at worst fall short of new data protection standards.
Luckily, we live in an age of the cloud, artificial intelligence and big data: you can buy anything as a service. The big players of the tech industry have already made their move: Microsoft has baked DLP into some of its business products, Google has rolled out a cloud data loss prevention API and Amazon’s machine learning based Macie offers DLP capabilities for AWS S3 storage.
For us at CoSoSys, expanding into DLP APIs with sensitivity.io seemed like a natural progression as we considered the state of the information security sector and the pressing need for extended DLP capabilities that could reach not only endpoints or devices, but also the very foundations of development. As such, we are among the first to offer DLP APIs to developers. Through them, they can add advanced scanning and classification features to their apps, along with comprehensive policies for regulations such as HIPAA, GDPR, PCI DSS and so on. It is an exciting new product that we launched this year.
I think we are coming to a turning point in the digital age. Our technology and our data protection policies have been proven insufficient by wave after wave of malicious attacks and major leaks that have left sensitive information exposed or vulnerable. It’s not the sort of situation that we can just accept. All the regulations that have been voted into law are proof of a willingness to take a stand and raise standards across the board so that such cases will not repeat themselves. Now it is time for companies to pick up the banner and hold themselves to the same principles. After all, in an age when competition is global, customer retention is often based on an organization’s image and the trust it inspires.
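The transcript describes the basic mechanics of content-inspection DLP: detectors for personally identifiable data (social security numbers, credit card numbers, email addresses), regulation-specific profiles built from those detectors, and per-channel policies that monitor or block a transfer. The example below is an editorial illustration of that pipeline added to this page; it is not code from CoSoSys, Endpoint Protector or sensitivity.io, and the detector rules, the `PCI_DSS`/`GDPR` profile membership, the channel names and the sample text are all constructed assumptions. It also shows two checks a practitioner would want that the podcast does not spell out: a Luhn checksum so that arbitrary 13–16 digit numbers are not flagged as card numbers, and basic SSN format rules to drop impossible values.

```python
"""Minimal content-inspection DLP engine (illustration, not vendor code).

Pipeline: detectors -> findings -> regulation profiles -> per-channel policy.
Sample text and policy tables below are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(value: str) -> bool:
    """Reject SSNs with area/group/serial values that are never issued."""
    area, group, serial = value.split("-")
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


# Detector name -> (pattern, validator applied to the raw match).
DETECTORS = {
    "credit_card": (re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
                    lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    "us_ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_ok),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), lambda m: True),
}

# Regulation profiles: which detector hits count as that regulation's data (assumed).
PROFILES = {
    "PCI_DSS": {"credit_card"},
    "GDPR": {"email", "us_ssn", "credit_card"},
}

# Channel policy: profile -> action. A profile not listed is allowed on that channel (assumed).
POLICY = {
    "usb": {"PCI_DSS": "block", "GDPR": "block"},
    "email": {"PCI_DSS": "block", "GDPR": "monitor"},
    "clipboard": {"PCI_DSS": "monitor"},
}
SEVERITY = {"allow": 0, "monitor": 1, "block": 2}


@dataclass(frozen=True)
class Finding:
    detector: str
    value: str
    start: int


def scan(text: str) -> list[Finding]:
    """Run every detector and keep only matches that pass their validator."""
    findings = []
    for name, (pattern, valid) in DETECTORS.items():
        for m in pattern.finditer(text):
            if valid(m.group(0)):
                findings.append(Finding(name, m.group(0), m.start()))
    return sorted(findings, key=lambda f: f.start)


def decide(channel: str, text: str) -> tuple[str, list[Finding]]:
    """Return the strictest action any matching profile demands on this channel."""
    findings = scan(text)
    hit_types = {f.detector for f in findings}
    action = "allow"
    for profile, rule in POLICY.get(channel, {}).items():
        if hit_types & PROFILES[profile] and SEVERITY[rule] > SEVERITY[action]:
            action = rule
    return action, findings


def redact(text: str, findings: list[Finding]) -> str:
    """Replace each finding with a placeholder, working right-to-left so offsets stay valid."""
    out = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        out = out[:f.start] + f"[{f.detector.upper()}]" + out[f.start + len(f.value):]
    return out


if __name__ == "__main__":
    # Constructed sample: a valid test PAN, a plausible SSN, an email, and a
    # 13-digit order number that fails Luhn and must not be flagged.
    sample = ("Card 4111 1111 1111 1111 exp 12/26, SSN 123-45-6789, "
              "mail jane.doe@example.com, order 1234567890123")
    for channel in ("usb", "email", "clipboard"):
        action, found = decide(channel, sample)
        print(f"{channel:<9} -> {action}: {[f.detector for f in found]}")
    print(redact(sample, scan(sample)))
```

The policy table is deliberately per-channel: the same email address that only gets logged when pasted into a mail client is blocked outright when copied to removable media, which mirrors the “monitored or blocked via all or specific channels” distinction above. In a real deployment the detectors would be far broader (passport formats, IBANs, keyword dictionaries, document fingerprints), and the decision would be enforced by the endpoint agent or the API consumer rather than just printed.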