Gartner: Don't let suppliers set your DLP strategy

Businesses should plan a thorough data loss prevention strategy before talking to suppliers, Gartner has advised.

Vendors are likely to sway discussions to specific aspects of DLP, when a full strategy is required for the technology to be effective, the analyst house said.

DLP software monitors data that is in use, moving on the network and in storage, in order to prevent its unauthorised use or transmission. Gartner predicts it will become commonplace in European firms during the next six years, and said deployments were already being considered by many businesses.

"You've got to define your strategy first, then talk to the suppliers," said Paul Proctor, VP at Gartner. "At the moment businesses aren't labelling data properly, they don't know where it is, they aren't handling it properly, and their policies are poorly defined and enforced."

Speaking at Gartner's information security summit in London this week, Proctor outlined how businesses can define a complete strategy for DLP.

Organisations needed to first define their data types, followed by building a list of possible actions for that data, then defining policy, and finally negotiating with suppliers.

For defining data types, Proctor said, firms should categorise the information according to its nature and where it resides. For example, intellectual property could be split into drawings (then divided as CAD, PDF, and GIF), documents (split as structured, unstructured, labelled and unlabelled), and personal data (split by types such as credit cards or ID numbers, or by its application such as order processing or online sales).

For building a list of possible actions that could happen to the data, businesses should "boil the possible uses down to 10 to 15 situations", Proctor said. These could include data crossing the enterprise boundary; data stored in unauthorised places; the copying, printing, moving, saving, cutting and pasting of data; and business processes that could put the data at risk.

Common areas of worry for businesses included sales people stealing client information, and the offshoring of work involving critical intellectual property, he said.

Lastly, for defining policy, firms needed to set different levels of reaction according to how concerned they would be about the incident. The lowest stage could be alerting the business and recording the situation for future analysis.

The next higher stage would be intercepting the data to automatically encrypt it, move it from the risk area, or demand user justification for a particular operation. Above that, the particular operation could be automatically halted.

Proctor also highlighted Gartner's 'Magic Quadrant' of DLP suppliers, which covers those that are judged to provide the best product and service and to have the most innovative long-term business plan. Symantec, Websense and RSA were the only suppliers it placed in this category.

"A lot of people have deployed a sort of DLP for simple requirements, like protecting credit card data," he concluded. "But that isn't enough -- they need to protect all data including their valuable intellectual property."