Irish organisations are at the European forefront for using data loss prevention (DLP) solutions, a European IT security study suggests.
Some 50pc of organisations surveyed in Ireland are using the technology – the second-highest figure of any European country that took part in the survey (after France) – and 22pc more than the European average.
By taking the necessary steps to identify sensitive data throughout the enterprise and protect it from loss or misuse, Irish organisations are better qualified than their European counterparts to meet compliance regulations, protect their brand reputation, and reduce risk.
According to the CA-commissioned study, Ireland’s focus on data loss is not limited to DLP. A compliance-oriented architecture (COA) can alleviate the problem of data loss, because it links the use of data to people through enforceable policies.
COA is defined as: “A set of policies and best practices, enforced where practicable with technology, that minimise the likelihood of data loss and that provide an audit trail to investigate the circumstances when a breach occurs.”
Effectiveness of a COA
To be effective, a COA requires identity and access management (IAM) solutions which allow organisations to understand people, their roles and responsibilities, and to define and enforce their privileges.
The survey reveals that 50pc of Irish organisations are using IAM tools – again the second highest percentage of any European country – and 26pc above the European average.
By comparison, only 27pc of UK organisations, 5pc of German ones, and 33pc of Italian organisations have deployed IAM. To be effective, a COA also requires the ability to locate and classify data. Some 85pc of respondents say they have a system to locate and classify data in place, compared with the European average of 50pc.
With more organisations adopting cloud computing to process and store data on an infrastructure managed by third parties, the need to apply security policies at the data level is stronger than ever.
The CA survey highlights that IT security is a key factor in enabling the use of cloud computing among Irish organisations (scoring 3.7 on a scale of 1 to 5 ).
DLP tools help with understanding the sensitivity of data and enable real-time decisions to be made about what is and is not allowed to be processed and stored in each cloud environment.
Employees should not be expected to understand all the issues, and may be completely unaware that copying a document from one location to another is moving it from an internally managed infrastructure to a third-party infrastructure.
Irish organisations also display strong awareness of the issues underlying DLP. Asked which area of regulation will impact them the most in the next five years, respondents state “national government” and “the European Union” (scoring 4.0 and 3.5 respectively on a ‘problem severity’ scale of 1 to 5).
Because so many Irish organisations are already using DLP, it is no surprise they rank the threats to data security lower than their European counterparts.
Malware concerns
Malware is their greatest concern, being ranked 2.2 on a scale of 1 to 5 , compared with a European average of 2.9. The other main threats cited by Irish respondents also score lower than the European average: use of Web 2.0 tools (score 2.2, European average 2.6), internal users (score 2.1, European average 2.7), and privileged users (score 1.6, European average 2.5).
All three of these are linked: it is the sharing of data between users via the internet that is behind many of the incidents involving sensitive data loss.
Besides providing the capability to accurately discover and classify data, an identity-centric approach to data security also helps police its use in a business context: enabling the monitoring and inspection of information, while enforcing pre-defined policies depending on the rights of the individual concerned.
Ultimately, organisations need the ability to strike the right balance between effectively protecting their critical information from abuse, while adopting flexible security measures that enable users to perform at their best.
Information control
DLP tools are also increasingly being used for information control purposes, especially as regulators continue to take more heavy touch enforcement actions in an effort to achieve more credible discipline and deterrence. This succeeds in further raising the need for ownership to the board level.
“The survey provides clear and timely evidence that an overwhelming majority of Irish organisations are using DLP technology to effectively support their compliance requirements, protect their brand value, and maximise competitiveness,” says John Power, Security Business manager, CA Ireland.
“As network perimeters continue to blur, it is clear that security needs to be applied to the data throughout its life cycle. Information needs to be understood, with policies applied to enforce who can use it and how,” Power added.
By John Kennedy
Photo: John Power, Security Business manager, CA Ireland