The role of user-driven security in data loss prevention

Abstract

The atmosphere was tense. Silence fell over the room. The keynote speaker strode confidently to the podium. Delegates from national governments, security agencies and other bodies from all over the world had come expecting something special. But even the most seasoned veterans got more than they bargained for. The event was the annual Black Hat security conference in the US. The year was 2009. And the speaker was Douglas Merrill, Google's former CIO and VP of engineering. The main point of his talk that day? Give end users more control of enterprise IT security and things will get more secure, not less so. Typically, some 90% of data loss incidents are accidental, not malicious. They continue to happen despite the use of Data Loss Prevention (DLP) technology by the organisations affected. However, out of all the IT security solutions deployed, DLP is arguably the most suitable for a user-driven approach. Many current DLP solutions rely entirely on automation at a central gateway to determine whether information may or may not be sent outside the organisation. While it may seem at first counterintuitive, involving end users in the process can dramatically improve the effectiveness of DLP schemes. At the same time it helps engender security awareness among staff and educates them in security policies, explains Stephane Charbonneau of Titus.