High-profile data breaches continue to make headlines, impacting corporate reputations and bottom lines. Organisations are investing heavily in solutions to monitor, document and often prevent sensitive information from leaving a building without authorisation. The trouble is that many are viewing the problem the wrong way.
Traditionally, organisations have approached data loss prevention by focusing on "data in motion" – information that leaves the organisation via e-mail or SMS text messaging, or that is copied to removable media. Some products focus on the gateway, where the network meets the internet, while others focus on the endpoint, usually an individual user's laptop.
These solutions have been largely successful in protecting data in motion, but they do absolutely nothing to protect data at rest.
While companies have extensive protections in place to prevent criminals from accessing data at rest on a server, they neglect the data that is at rest on an employee's laptop.
There are numerous products on the market that make it easy for a thief to bypass the user's password and access whatever is on the hard drive. Far too often, employees take the initiative, or are asked, to store confidential information on their laptops.
In February 2007, software security firm McAfee undertook research called "Inside Threat: A data loss disaster within the US business community" and found that investments in solutions to protect corporate data from external threats and hacking are being undermined by the failure of businesses to fully communicate company security policies and by lax employee behaviour.
Encryption must be a key consideration of any data leakage protection initiative. This is especially important when talking about lost laptops. Technology has progressed, and now "on the fly" encryption is available, resulting in no system performance degradation.
The bottom line is that businesses need to take responsibility for monitoring, evaluating and updating their security solutions to take into account employee behaviour as well as external threats. While it is crucial that organisations have procedures and technologies in place to prevent a breach and protect the data, behaviours also need to change.
Faisal Khan is the Senior Security Consultant, McAfee Middle East