Data Loss Prevention (DLP) – Hasn’t the penny dropped yet?!
Enterprise businesses spent ~$1billion on DLP related products in 2017, with estimates from a variety of analyst experts saying it could grow to $1.4-$5.4 billion by 2021.
So we can agree that it’s a growing business. If DLP products have since 2006 continually been built primarily to stop data loss from happening, why was 2017 reported as the worse year for breaches than any year prior, an increase of 45%over 2016?
“Not a problem”, say the vendors, “we have upped our game and provided greater functionality to learn from the past.” …Really?
- Under Armour – 150 million
- Pumpup – 6 million
- Panera Bread – 37 million
- Exactis – 340 million
- Aadhaar – 1.1 billion
These are a random selection of organisations that have experienced a data breach in the first half of 2018, exposing personal records to unintended recipients. An interesting mix of companies responsible for losing 1.7 billion data records.
The constant here is that some of the simplest data management errors are continuing to result in the loss of millions of records. Size does not count here. As a consumer of an organisation’s goods, I am very sure that if said organisation lost my records due to a data breach, then I’d refrain from doing business with that company again. Multiply that by the 1000’s or millions of individuals that the breach affected and now that company’s repeat sales have taken a massive dent and the return on investment of their DLP product has just nose-dived.
We live in a world where our personal, business and social interactions are played out across the digital atmosphere, not on paper, floppy disks or a trading floor reminiscent of a person making shapes on the dance floor. In this world, we all expect businesses to approach the management of our data, whether personal, health or as a consumer with the highest levels of privacy, security and ethics.
Of course, there are laws in place such as GDPR, California Consumer Privacy Act, APPI and other data privacy regulations to force us [businesses], to conform or face a fine including being named and shamed. Many regulations are like exams; at a given point in time you were smart enough to have the answers to pass the exam, following 3 years of constant study. Would you be able to answer the new exam questions 12 months later? How many organisations, once compliant, can empirically say they maintain the same levels of compliance they employed when passing the initial audit?
DLP tools come up against a similar issue; akin to speed cameras or sleeping policeman, put in place to catch you if you use that route. Once you know the route or are given the privileges (like a blue flashing light) to go down that route then the preventative tool needs to be updated; or, as previously referenced data breaches suggest, not. DLP tools end up becoming reactive or responsive (managing the effect) to the activities of the data user or cyber actor, instead of controlling the way that the user should interact (managing the cause) with the data in the first instance.
A mind shift in execution and technology needs to happen:
- Address the cause of Data Loss not the effect
- Stopping 10 breaches, whilst missing 1 is still failure
- Protection need to be explicit at the data layer
- Data interaction should be based on zero trust
- Data protection needs to be integral to business processes
Check out Gospel Technology, The Blockchain Platform for Enterprise Data Collaboration.
One of the key features of the platform that addresses the data issues not being contained with DLP products, provides businesses with the confidence that all data under Gospel control is out of reach from human errors, intentional data syphoning and external cyber infiltration. Our ability to provide immediate 360° visibility of all read/write activity of data, provides organisations with the ability to inform individuals of actions they should not be attempting (due to naivety), but also monitor and act on the actions of malicious internal and external actors.