Waiting for a Breach to Deploy Data Loss Prevention Can Prove Costly

Security researchers note some businesses wait until after a data breach to implement encryption and data loss prevention.

For all the product development and technical advances in the data loss prevention market this year, some businesses still wait until they have been bitten by breaches before turning to encryption and DLP tools.

The chronic procrastination about deploying DLP by some businesses has been noted by security researchers. In a report by Enterprise Strategy Group released earlier this month titled "Extending Intellectual Property Protection Beyond the Firewall," ESG noted only 17 percent of respondents said their organization uses network-based DLP appliances. The study surveyed 109 North American-based security pros.

"There's still an 'It can't happen here' mentality, where companies do the minimum and cross their fingers, but once a breach happens, our research shows that they begin making investments in training and awareness and technologies, such as encryption, data leak prevention and other security products," said Larry Ponemon, chairman of the Ponemon Institute, a security industry researcher.

"A wise man once said that an ounce of prevention equals a pound of cure. Had these measures been taken proactively, some of these breaches might not have happened," he said.

A Ponemon Institute study regarding the cost of data breaches in the United States, released Nov. 28, reported companies often reacted to breaches by implementing or expanding their use of encryption and DLP products. Slacking off on encryption or DLP can cost big bucks, as the Ponemon Institute study found. An examination of 35 organizations that suffered data breaches during the past year uncovered an 8 percent increase in the average total cost of breaches over 2006, a price tag of $197 per record compromised in 2007.

Phil Hochmuth, an analyst at the Yankee Group, said Nov. 28 that enterprises turn to DLP after a breach occurs as a tourniquet to stop the bleeding and to show steps have been taken to stop future leaks.

"Security vendors need to approach customers with the idea of DLP as a more strategic component to an overall security architecture," he said. "The recent acquisitions of smaller DLP vendors by large security architecture companies could lead to enterprises thinking about DLP, and installing data leak safeguards, before a major breach occurs."


Kevin Bocek, director of product marketing at encryption specialist PGP, said organizations that experience a breach understand they need to protect the data itself and that encryption can protect the data wherever it goes. Mobility has created an additional risk for enterprises as corporate data leaves the office, he said, adding that compliance initiatives may be seen by some outside of IT security as a substitute for data security.

"Encryption must be automatic and operate based on policy. … Beyond this, encryption needs to be available throughout the enterprise," Bocek said. "This means that the range of encryption applications needs to work with other enterprise systems such as DLP, archive, backup and more."

Given the potential losses, companies have a vested interest in putting the right barricades in place to prevent data breaches—both the accidental and malicious kinds. DLP vendor Vontu has sought to increase DLP adoption by encouraging companies to share best practices, sponsoring research and performing free risk assessments for businesses, said Steve Roop, vice president of products and marketing at Vontu, which is set to be acquired by Symantec.


"Two-thirds of [the cost per incident] was attributed to lost business as a result of the breach," said Roop. "No organization can afford those kinds of losses. Solutions exist today that can reduce the risk of data loss by more than 90 percent, both on the network and at the endpoint."

