A Business Case for Data Loss Prevention

Data loss prevention (DLP) technologies identify, monitor and protect data in use or in motion on the network, as well as data at rest in storage or on desktops, laptops and mobile devices. While organizations are more successful at filtering incoming malicious content and deflecting unauthorized entry attempts, they are lagging behind with implementing technical solutions that effectively address data breaches.

Data Breaches Reach a Peak

According to the Identity Theft Resource Center, data breaches reached an all-time high in the U.S. in 2014, representing an increase of more than 27 percent from the number of breaches reported in 2013. Data breaches are a fact of life now, and organizations will continue to be negatively impacted by the loss or compromise of sensitive information.

An integral part of the answer in minimizing these impacts and reducing risks associated with exposing sensitive information, losing intellectual property or violating compliance obligations is data loss prevention. This technology enforces data security policies by monitoring devices and traffic while preventing the outbound flow of sensitive information.

So what’s the impact? IBM and the Ponemon Institute recently released the “2015 Cost of Data Breach Study: Global Analysis,” which found that the average cost paid for each lost or stolen record containing sensitive information rose 6 percent — an increase from $145 in 2014 to $154 in 2015.

Data Loss Prevention Must Be Integrated

DLP has finally evolved to become an important component of a broader security architecture. Through deep content inspection and a contextual security analysis of transactions, DLP technologies serve as the enforcers of data security policies and provide a centralized management framework designed to help detect and prevent the unauthorized disclosure or transmission of sensitive information. DLP protects against mistakes that lead to data leaks and intentional misuse.
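The "deep content inspection" and policy enforcement described above can be illustrated with a small inspector. The code below is an added example written for this article, not IBM's or any vendor's DLP engine; the policy table, detectors and sample messages are constructed assumptions. It scans an outbound message for card numbers (validated with the Luhn check so that order numbers and other digit runs are not flagged), U.S. SSN-shaped strings and a "CONFIDENTIAL" handling marker, masks the evidence it records, and returns the most severe policy action that applies.

```python
"""Minimal DLP-style content inspection of an outbound message (constructed example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical policy table (an assumption for this example): detector -> action on match.
POLICY = {"credit_card": "block", "ssn": "block", "confidential_marker": "quarantine"}
# Precedence used when several detectors fire on one message.
SEVERITY = {"allow": 0, "quarantine": 1, "block": 2}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")          # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")            # NNN-NN-NNNN shape only
MARKER_RE = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects digit runs (order ids, serials) that are not card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the DLP log itself does not leak the PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    detector: str
    evidence: str   # masked excerpt, safe to write to an incident log
    action: str


def inspect(text: str) -> list[Finding]:
    """Run every detector over the message and return the findings with their policy action."""
    findings: list[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            findings.append(Finding("credit_card", mask(digits), POLICY["credit_card"]))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", "***-**-" + m.group()[-4:], POLICY["ssn"]))
    marker = MARKER_RE.search(text)
    if marker:
        findings.append(Finding("confidential_marker", marker.group(), POLICY["confidential_marker"]))
    return findings


def evaluate(text: str) -> tuple[str, list[Finding]]:
    """Decide what the enforcement point does with the message: allow, quarantine or block."""
    findings = inspect(text)
    action = "allow"
    for f in findings:
        if SEVERITY[f.action] > SEVERITY[action]:
            action = f.action
    return action, findings


if __name__ == "__main__":
    # Constructed outbound messages; the card number is the well-known Luhn-valid test value.
    samples = [
        "Order 1234567890123456 has shipped, tracking attached.",
        "Card 4111 1111 1111 1111 exp 12/27, please charge the balance.",
        "Draft marked CONFIDENTIAL, do not forward outside the company.",
    ]
    for s in samples:
        action, findings = evaluate(s)
        print(f"{action:10s} {[(f.detector, f.evidence) for f in findings]}")
```

The order number in the first sample has sixteen digits but fails the Luhn check, so it passes; that second validation step is what keeps a content-inspection policy from interrupting normal business traffic, which is the workflow risk the article raises later. A production engine adds context (file type, destination, sender role) and encryption or quarantine actions on top of this pattern-matching core.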


As organizations recognize the growing risk of data loss and the importance of data protection, DLP solutions become more attractive. Although most organizations express an awareness of DLP capabilities, they struggle to make the business case for the product’s adoption, and achieving project buy-in from executives is a key first step to any security endeavor.

Although a DLP project can hold the attention of executives because it supports regulatory compliance requirements, the difficulty lies in justifying the project’s costs against its benefits, which largely consist of mitigating the risks of information loss and providing a technical means of preventing information from leaving the network. Identifying top security drivers as problems that DLP solutions address helps build executive support for the business case.

Key Drivers

There are several key drivers that can demonstrate the need for the adoption of a DLP solution. Some of the most popular are the need for compliance, enhanced property protection and improved security awareness and training, among others.

Compliance

These solutions support compliance with security regulations and standards such as:

  • HIPAA;
  • GLBA;
  • Sarbanes–Oxley; and
  • PCI Data Security Standard.

Property Protection

Data loss protection tools can help secure an enterprise’s property and critical information. This may include:

  • Intellectual property;
  • Protected health information;
  • Personally identifiable information (PII);
  • Credit and debit card information;
  • Data regarding mergers and acquisitions; and
  • Strategy and planning details.

Security Awareness and Training

Once the right tool has been acquired, its implementation and use could assist companies in increasing user awareness of:

  • Security incidents;
  • Compliance requirements;
  • IT problems and advancements; and
  • Legal issues.

Other Considerations

Organizations must also take into account factors such as:

  • Ensuring appropriate network usage;
  • Driving the use of security technologies such as encryption; and
  • Fostering secure communications with outsourced vendors and other partners.

Address All of Your Security Needs

Although larger, publicly traded companies often propose DLP solutions as a means to shield executives from legal consequences, organizations of any size can use DLP functions to address a variety of needs. International organizations, for example, may use security features inherent to DLP to add another layer of protection for intellectual property in less regulated countries; other companies can use DLP to drive policies such as encryption use.

The greatest sources of value to an organization can come in the form of:

  • Complying with federal laws;
  • Reducing financial damages due to loss of confidential data or intellectual property; and
  • Ensuring a secure environment to business partners.

DLP solutions can provide significant financial and operational benefits by reducing costs associated with compliance and intellectual property protection challenges. Enterprises should also consider the potential costs incurred as a result of unmitigated risks. For example, avoiding reputation damage, avoiding regulatory sanctions and protecting intellectual property deliver business benefits that are often difficult to quantify yet still valuable to operations.


Justifying a DLP Implementation

Weighing the costs and risks against the regulatory, business and financial benefits of DLP adoption enables informed buy-in decisions. To help justify an implementation of DLP, organizations should consider both the costs/risks and foreseeable benefits of a solution. There may be many factors that influence each of these categories.

Long-Term Costs

Paying for the acquisition of a DLP solution is just the tip of the iceberg. Companies must also take into account:

  • Licensing fees for hardware and software;
  • Upfront costs for customization or add-ons;
  • Any additional costs for staffing or scope expansion; and
  • Ongoing costs such as support and maintenance.

Potential Risks

Drawbacks that enterprises need to consider include:

  • DLP-specific risks, such as interruptions to workflow and dissatisfaction on the part of vendors or partners; and
  • Non-DLP-specific risks, like solutions and resources that conflict with other business initiatives and the technology risk stemming from implementing and integrating new systems.

Foreseeable Benefits

The advantages of data loss prevention techniques touch many areas of business operations.

  • Regulatory benefits include supporting regulatory, contractual and policy compliance and securing outsourcing and partner communications.
  • Business benefits may include protecting the corporate brand and reputation, positioning the company as a trusted business partner, protecting intellectual property and enabling metrics to measure data loss prevention.
  • Cost benefits include reducing risk and exposure to internal and external threats and positioning the company to avoid potential financial loss from misuse of data, loss of data or noncompliance to policy, regulations or standards.

Businesses need to effectively manage information risk in order to thrive and grow, so it’s important to choose the right organizational investments. Implementing a data loss prevention solution is one of those investments. A business case can make all the difference because it generates stakeholder commitment and guides the work to ensure that expected benefits are realized.

Brian Evans

Senior Managing Consultant, IBM

Brian Evans, CISSP, CISM, CISA, CGEIT is a Senior Managing Consultant for IBM Security Services and assists clients in building regulatory compliant information security programs. With over 20 years of combined experience in IT management, consulting and information security, Brian has served in the role of Chief Information Security Officer for a variety of organizations and worked in various industries. He has led the Incident Response and Computer Forensic Investigations teams for Nationwide Insurance and was Vice President, IT Risk Management at KeyBank and JPMorgan Chase. Brian held director level positions with CynergisTek and Computer Task Group consultancy firms and started his career in the U.S. Air Force. He has earned a Master’s in Public Administration from the University of Cincinnati and a B.S. in Business Management from the University of Maryland.