Creating a Data Security Policy

Employees that work exclusively in an office setting are rapidly becoming a thing of the past. Mobility can be somewhat of a double-edge sword, providing productivity benefits, while also increasing the risk of data loss. With the ability to work from anywhere, comes the ability to access corporate data from anywhere. The fact is, your business will have to find a way to accommodate remote work and protect your data. The good news is, we’re here to guide you through the process of implementing a data loss prevention strategy (DLP) and creating a data security policy for your organization.

There’s no question that there has been a fundamental shift in how employees interact with IT. This transformation is driven by devices like laptops and smartphones, as well as services like remote access, social media, and Webmail. Without access to corporate data, it’s impossible to accomplish tasks in a meaningful way, but the days when a solid perimeter firewall was enough are long gone. Organizations need the right combination of tools and policies to minimize the risk of breaches that put sensitive information in the wrong hands.

The Consequences of Data Loss

A breach that leaves Personally Identifiable Information vulnerable can have far-reaching and devastating consequences for individuals and organizations. Examples of information hackers try to get their hands on include names, Social Security numbers, credit/debit card numbers, date of birth or health records. No matter how your company handles a data loss incident, it’s likely your security and privacy policies will come under intense scrutiny. Inevitably, customers tend to lose confidence in organization’s that have experienced a data breach, which means lost business.

The average cost of a data breach in 2020 is $3.86 million, according to a report from IBM and the Ponemon Institute. Not surprisingly, reputation damage and loss of business is the biggest single contributor to the cost of a data breach, accounting for 56% of the total cost for U.S. organizations. In addition to potentially catastrophic loss of business, there are costs associated with customer support, reputation management, productivity loss, data recovery, and legal fees. Organizations may also face fines due to laws and regulations meant to protect personal information, such as HIPAA. To reduce the risk of data loss and the associated costs, companies need a multi-layered approach to data loss prevention.

Implementing a Multi-layered Approach to DLP

A holistic strategy should start with content monitoring at data exit points, such as external hard drives and email messages. Your strategy should also include encrypting data to prevent unauthorized users from gaining access to sensitive information. Finally, a multi-layered Data Loss Prevention Strategy requires compliance from end users. This means your organization must create and enforce rules for proper data use. Prioritize management of data by choosing a solution that monitors and controls distribution of private information at exit points. You can simplify configuration, deployment, and management by implementing a solution that protects data at both the endpoint and the email gateway.

Controlling what end users can do on their devices is one of the easiest, most effective ways to reduce risks to your data. With this in mind, your organization should focus on managing the use of network-connected devices, managing access to websites, and controlling the use of applications, such as remote access, file sharing, cloud storage, etc.

Determining Your Data Loss Prevention Needs

Achieving a smooth Implementation of content monitoring, encryption, and policy compliance will require planning and preparation. You will need to have an understanding of the industry or government regulations that apply to your organization, and which laws/requirements apply to your business in your region. We highly recommend consulting a corporate attorney to make sure you have a clear picture of your obligations. As part of the planning process, you should define and document business drivers, regulatory/legal requirements, and objectives for your data security implementation.

As with any major project, you need to secure buy off from your organization’s executives. You will need their support for your strategy to succeed. Having a clear, well-researched plan will help you educate them about your goals and the benefits of implementing your plan. Since sensitive data is generated and shared throughout departments, you should organize a project team with representatives from across the organization. Consider including individuals from the senior management team, human resources, IT admin, finance, etc. A well-rounded team will help you identify sensitive information, determine where this data resides, and learn how the data is used and by whom so you can take appropriate action to secure it. This will help you understand the data’s role and who could accidentally expose data.

Along with your team, you should evaluate the risk and potential consequences of a data breach for each data type. You can then use that information to prioritize the data that poses the greatest risk if breached. Create policies for preventing loss of data, including what steps to take if your policy is violated. and remediation actions. Perhaps most importantly, you need to educate users of your policies, and their responsibilities. To ensure the success of your plan, all employees need to be aware of the policies if you expect to enlist their help in protecting the data they handle. Once users know the expectations, you can hold them accountable.

Best practices for Implementing a Data Loss Prevention Strategy

1. Begin with a transparent security policy. Give your users a document explaining the key aspects of your policy and have someone available to answer questions. Provide information on the types of data you’re trying to protect and make sure the organization’s motivations are crystal clear.
2. Deploy data protection technologies to prevent accidental data loss. Users are human and accidents will happen. Laptops can be lost, emails are often sent to the wrong address, and malicious links catch people off guard. You should be protecting against accidental data loss by deploying security solutions such as content control, device control and encryption to render data unreadable without a password.
3. Start with a small subset of prioritized data and slowly expand the rules. You can easily overwhelm your IT staff by implementing your entire plan at once. The process will go a lot smoother if you start small, and allow users to become used to the changes before implementing new ones.
4. Avoid accusatory language in notices, or you run the risk of making users defensive. Instead of accusing the user of purposely violating your policy by sending sensitive data, gently notify the user that it looks like they might be sending data in a manner that breaches policy.
5. Your goal isn’t to catch users breaking the rules, it’s to prevent behavior that puts your organization at risk in the first place. Educate users on the correct way to use and send data securely.

What to Include in Your Data Security Policy for End Users

Once you’ve determined your strategy, it’s time to create the policy that you expect users to follow. The information below can serve as a great jumping-off point for creating your own policy. You should outline behaviors expected of employees when dealing with data and link it to your Acceptable Use Policy and Information Security Policy.

Purpose

Explain the purpose of your policy, basically an opening statement about why you are implementing your policy, and your objectives. The goal of this section should be to create awareness about the importance of following this policy.

Scope

Include a list of individuals or user types that are expected to comply with your policy as well as a definition of the data it’s meant to protect. Identify the different types of data and include examples.

Employee requirements

Here are some requirements we recommend including in your plan. Please note, this is not policy document, and is not legal advice. This simply outlines some helpful items to include when creating your own policy:

1. Complete security awareness training and agree to uphold the acceptable use policy.
2. Visitors should be escorted by an authorized employee and restricted to appropriate areas. If an unknown, un-escorted, or otherwise unauthorized individual is identified in your organization, the appropriate person should be immediately notified.
3. Users should not reference the subject or content of sensitive or confidential data publicly, or via systems or communication channels not controlled by your organization.
4. All printed materials containing sensitive information should never be left unattended at user workstations.
5. Require use of a secure password on all company systems and create a password policy. You should require that work credentials are unique and not used on other external systems or services.
6. Require terminated employees to return all records ( in any format) or devices containing sensitive company information. Employees should be notified of this requirement during the on-boarding process, and should sign documentation to confirm they understand this requirement.
7. Require users to immediately notify the appropriate person in the event that a device containing in-scope data is lost.
8. Outline how users can notify the appropriate person to report suspected non-compliance with your policy.
9. Provide additional guidance to employees who work remotely and the precautions they must take when working outside of the office.
10. Ensure users never leave assets that contain sensitive data exposed to theft, for example visible in the back seat of your car.
11. Data transferred within your organization should only be exchanged via business-provided secure transfer solutions, such as encrypted USB, authorized file sharing, internal email, etc. Be sure to let users know who they can contact with questions about sending data if they are unsure.
12. Require that information being transferred on a portable device, such as external hard drive, is encrypted in line with industry best practices and applicable regulations.

Loss of sensitive data or proprietary information can cause permanent damage to your business. Your organization’s Data Loss Prevention strategy should consist of content monitoring, data encryption, and policy compliance. It may seem overwhelming, but data loss prevention doesn’t have to be difficult or expensive. Les Olson company’s team of IT experts can help your business find the right solutions and get them implemented and configured correctly. Request your free comprehensive Network Security Analysis to gain insight into your network risks and how to address them.