DLP Technologies Not Sufficient for Enterprise Without User Buy-In

Companies need to think about educating users about security, the threats and the risks alongside traditional data-leak protection.

CANCUN, MEXICO €” Companies invest in security to protect their networks and data. But sometimes, they are not thinking about the human side of the security equation, Kaspersky Lab researchers told attendees at the company's security conference.

The €œHumans are the weakest link€ presentation on the second day of the Kaspersky Lab Security Analyst Summit focused on protecting organizations from costly and devastating breaches that are often the result of user ignorance. Companies are implementing data-leak-prevention technologies without really considering how users should be integrated into the process. €œUser awareness€ was critical, Valery Boronin, research director of the Data Loss Prevention (DLP) group at Kaspersky Lab, told attendees.

When customers evaluate data-leak-prevention technologies for their enterprises, they are looking for something that is easy to use, convenient, reliable and cheap, Boronin said. Instead, they wind up with platforms that are complicated, unreliable, expensive and inconvenient. He cited a Gartner report that found that organizations have difficulty understanding all the DLP options they have access to and wind up using a limited subset of available options.

Instead of data-leak prevention, organizations actually wind up with data €œluxury€ protection, Boronin said.

Even after deploying the most powerful DLP, encryption and other security technologies and hiring security experts, if the end-users don't understand the threats or know the rules, all the money spent is wasted, according to Boronin. Security should be a process and not just a product, according to Boronin and Vera Trubacheva, a system analyst in the DLP group at Kaspersky Lab and co-presenter.

End-users often do not know about information security policies, the threats they are protecting against and the mitigation technologies being deployed within the enterprise, according to Boronin. Recent surveys back him up, as users reported not being aware whether their organizations had any data-security policies, let alone what they were. Users are often the primary target in cyber-attacks, such as phishing and malware campaigns, and the attackers are succeeding because the users don't understand the threats or the risks, according to Boronin.

In a mock trial €œKaspersky Lab vs. DLP 1.0,€ Boronin and Trubacheva discussed how leaving out user awareness meant DLP alone was inadequate for protecting data within an organization.

€œThe weakest link in security is not the technology,€ but rather, the human, Trubacheva said. She noted that users tend to select simple passwords, or select complex passwords that they proceed to write on a note taped to the monitor.

Users need to be taught security basics, the policies and rules being implemented that they have to follow, and how they should respond when something goes wrong, Trubacheva said. The organization needs to be collecting information on what happened before and after the breach; that way they can make sure users are responding appropriately.

Recent surveys from the Ponemon Institute have shown how expensive data breaches are to the organization. A lost notebook can cost an enterprise more than $50,000, according to the research group. The costs would have been dramatically reduced if the users had been taught to work with the appropriate tools and informed of policies, Trubacheva said.