Wed 2 Jul 2008 04:00 AM

Plug the leak

Data leakage is as real a threat for Middle East enterprises as it is for other global firms. Several new solutions in the market mean to address the problem, but enterprises need to act with caution when choosing and working with one.

Information has a way of flowing out of organisations. It has done so in the past and it continues to do so, but the problem these days is that this information can be put to use in a malicious way.

This is why it has now become essential for organisations to prevent their confidential data from moving out of the corporate network.

"There has been an exponential rise in findings from around 3000 in 2003 to hundreds of millions of records being stolen last year. For some the question could be, has the number really risen or do people feel more obliged to report losses now? Before 2003 there were no specific laws or regulations that would force people to report incidents and thus nobody did. Others would say that this is real growth. Whatever it is, the numbers are shocking," says Asem Galal, general manager for McAfee in UAE, Qatar, Egypt, Kuwait as well as MEEM.

There are many ways in which data can be stolen.

"Data exfiltration can be achieved via multiple channels. The network is a channel of choice; bots, keyloggers, Trojan horses and spyware are loaded with modules dedicated to exfiltrating the stolen information," says Guillaume Lovet, senior manager, threat response team, EMEA, Fortinet Technologies.

Data can also be shared or stolen by internal employees, and according to some analysts, more than 75% of all information loss in an organisation can be traced to employee behaviour.

"E-mail and portable devices such as laptops, CDs and flash drives are the most common culprits. With e-mail, important information can be sent with little chance of immediate detection, though it can be easy to find the evidence later," says Nigel Tozer, channel development manager at CommVault.

Most industry experts accept that the data flow from within a firm occurs in an inadvertent fashion and most employees do not send data out intentionally.

Most of them are not aware that the data is confidential or that it can be used to harm the company.

Whatever the intention, though, there is no doubt that the threat of data leakage is as big in this region as anywhere else in the world.

"The internet economy is, in my opinion, the first and only global economy, in the sense that everybody is equal in terms of dangers. Not everybody is equal in terms of protection. That is a different story," says Galal.

The lay of the land

To address the growing concern of information leakage, many security vendors, including Symantec, McAfee and RSA, have launched data leakage prevention (DLP) packages in the region. There are many scenarios for data leakage. One involves the internal employee leaking the information out and another involves the loss of a USB drive or a notebook.

"These are two different issues. And our solution can handle both of these. Our package would prevent people from sending confidential data out via e-mail or take copies of it. It does this based on the access level of the person and the sensitivity of the information. Our solution also helps in encrypting hard disks so that the data sitting on top of it becomes useless to anybody who steals it," says Galal.

"A solution that effectively reduces the risk of data loss across all business processes must combine comprehensive monitoring with prevention. It should accurately monitor and prevent security violations for all data types and all network protocols. An effective DLP solution should also discover and inventory confidential data stored on laptops and desktops, and prioritise high risk endpoints for additional protection," says Dr Guy Bunker, distinguished engineer, Symantec UK.

With a plethora of choices in the market, choosing the right DLP solution can be difficult, though not impossible.

Galal suggests that companies understand the business and threat situation before choosing any DLP package.

"I would suggest looking at the different scenarios of data leakage. You may think that printing a document is leaking data. Another more creative and less traceable way is doing a print-screen. Some would copy and paste a document that is tagged as confidential. DLP packages need to be extremely meticulous to not allow any of these various scenarios to occur. The other question is, what kind of devices will it support? All of us know that, moving forward, the Blackberrys and the smartphones of this world will have more and more corporate data packed into them," points out Galal.

Roberto Llop, regional sales director, Europe south, MEA at RSA, the security division of EMC, says: "First, the DLP package has to clearly classify information, so that the company can understand what data is relevant and where it is stored. Classification is critical. And then you need to figure out where the information resides and how it behaves in motion across different networks and endpoints."

Bunker adds: "The solution must be able to stop transmissions that violate security, acceptable use, and privacy policies before they leave the network. Some organisations elect to begin with monitoring, then take the next step to prevention. However, even if the plan is to phase in prevention capabilities over time, both monitoring and prevention capabilities should be available in the solution, giving the organisation the flexibility to expand."

Best use policy

According to some estimates, the market for DLP solutions is growing by almost 40% annually in the region. While many of the enterprises that are deploying these packages consider them to be standalone solutions, most industry experts stress the need for them to be considered as part of a whole that comprises process as well.

"As with everything, process is the place to start. Once you know the entry and exit points of data you can decide the risk and the relevant investment. Proper de-provisioning of employees and encryption at endpoints, or where data leaves the organisation is the best starting point. E-mail is the other key area that should be tackled with education first and later possibly with e-mail 'compliance' software. It's a fantastic deterrent even if not required by regulation as is the case with most of the Middle East," says Tozer.

"Businesses should follow international standards such as ISO 27001/02. If they did, appropriate controls would be in place which would minimise data leakage. These best practices should be obligatory for areas where personal or sensitive data is stored. These standards should then be supported by appropriate technology. And finally, users - employees, customer and business associates - must be trained in the correct means of handling sensitive data," says Ganesh Lakshmanan, security team lead at CA.

Galal stresses controlled access and well-trained people as the first two necessary elements for preventing data leakage.

"Technology that is used to protect and defend comes as the third part. The fourth part is ensuring that you have a process in place - one that includes things like the length of passwords, who has control over pieces of information and what processes are in place to ensure that data does not go out," he adds.

Vendors also insist that DLP solutions should be considered as an integrated part of other security solutions that an enterprise must have in place.

"Unified, integrated DLP solutions will likely become a critical component in comprehensive portfolios for information-centric security. An information-centric security program includes keeping the bad things out; so you still need an in-depth defence strategy that relies on traditional security solutions like antivirus and anti-spam. But information-centric security is also about keeping the good stuff in, and that means being able to protect information at rest, in motion, and in use. To do that, security and storage solutions will need to work hand-in-hand. DLP is the linchpin that will make this vision of information-centric security a reality," says Bunker.

Galal agrees: "Data leakage needs to be an integrated solution. There is no such thing as a silver bullet that will help you against everything because there is no single way that people break into your enterprise and steal. There are multiple ways of doing that."

The way ahead

For all its growth in the Middle East, data leakage as a problem and the solutions surrounding it remain a nascent market.

The numbers game

• 1 in 400 e-mails contains confidential information

• 1 in 50 network files contains confidential data

• 4 out of 5 companies have lost confidential data when a laptop was lost

• 1 in 2 USB drives contains confidential information

• The average cost of a single data breach is US$14 million

• Companies that incur a data breach experience a significant increase in customer turnover - as much as 11%

Source: Symantec

And a nascent market comes with its own set of challenges.

"It is difficult to propagate that data is the most valuable asset for any organisation, and that working on data security is not just about preventing bad things from happening, but using security as a business enabler," points out Llop.

Galal insists on the need for regulation when he states: "Even in very mature markets, we really did not see anyone tackling the problem till regulations took hold. Regulations are still missing here and it is crucial; no level of awareness can substitute that. Regulations also involve providing the right information to customers. With the right information, customers can invest with corporates that have a track record of putting in the effort to ensure that things are ok. This will, in turn, encourage people to invest in the right technology across verticals."

Enterprises should also be aware that some capabilities provided by DLP packages can potentially be abused by system administrators.

To avoid this and any other employee concerns, it is essential that they integrate solutions into their overall security policy and ensure that there is a swift escalation process when things go wrong.

The future awaits

DLP solutions currently address only a small portion of the Middle East market, but there is no doubt that this is set to grow exponentially. Much of this growth will be driven by the need to protect confidential and sensitive enterprise data.

As the threat increases, many believe that the best place to start tackling it is right at home with process, practice and, most importantly, a new mindset.

"Data leakage can be prevented with the right processes in place but most companies may not consider this a risk until it is too late and they have had an important piece of data leaked," explains Tozer.

"Data leakage will only get worse and not better. Considering the amount of data that everyone is storing in their phones, the ease with which this can be stolen or accessed, is scary. The amount of data will only increase. We all need to be aware that there are measures we can take to ensure that our data is safe. Security is being alert, and if we can get people to be alert we would have solved 60% of the problem," concludes Galal.

Data loss prevention

According to Symantec, there are seven elements to data loss prevention. They are:

1. Discover and protect confidential data wherever it is stored

2. Monitor all data usage and prevent confidential data from exiting

3. Maintain critical accuracy

4. Automate policy enforcement

5. Maintain visibility and control over encrypted data

6. Safeguard employee policy

7. Work over a global architecture and scale.
