Data Loss Prevention Trends To Watch In 2008

No doubt about it, 2007 was the year that high profile data breaches splashed across the front pages with as much sensation as paint on a Jackson Pollock canvas. TJX kicked off 2007 with the largest data breach in history -- a whopping 45.7 million records lifted when hackers infiltrated the company's network over a period of 18 months. And other large-scale losses, such as a phishing scam at a military research lab and the misplacement of two unencrypted U.K government disks -- followed in its wake.

Experts say this is just the tip of the iceberg. Since January 2005, the Privacy Rights Clearinghouse has identified more than 215 million records belonging to U.S. residents that have been compromised due to a security breach.

The costs of these and other breaches have weighed heavily on the organizations that are impacted. A recent study conducted by the Ponemon Institute determined that the total average costs for lost or exposed data grew to $197 per compromised record, representing an increase of 8 percent since 2006 and 43 percent since 2005. Currently, the average total cost for companies is more than $6.3 million per breach, which accounts for increased legal and public relations costs as well as lost business. And experts warn that the amount of lost revenue a company experiences in the wake of a data breach will only continue to grow.

"You lose 10 million records, it gets really expensive, really quick," said John Dasher, director of product management at PGP, a data protection company. "That's really staggering if you think about it."

To say the least, businesses are still reeling from the effects. "There's no question that all of these breaches are driving people to rethink their priorities in terms of security," said Ted Julian, vice president of marketing and security for Application Security. "People are saying 'let's step back and realize our data is under siege, what's of value that we need to protect and where is it?'"

As a result, security experts say we can expect to see significant changes within companies in regards to how they protect data and deal with its loss in 2008. With increased awareness, and a strong desire to keep their names out of the papers, many companies will be ramping up security technology, and investing in employee education and comprehensive protocol.

Yet, as businesses become savvy to data threats, attackers will continually find more sophisticated methods of attack. Security experts ascertain that databases will become prime targets, and that the Storm Worm will evolve yet again. Meanwhile, some of the biggest threats to data will come from inside the affected companies and often be unintentional.

"One of the things that makes data leak prevention so significant is that it's so hard to do. There's always a way around any defense you can think of," said Richard Stiennon, chief marketing officer for Fortinet. "It's a problem without an ultimate solution."

Data In The Spotlight

Even with increased awareness and more sophisticated security measures, experts say we can expect to see more data breaches grace the headlines in the upcoming year -- primarily because more companies and organizations will be required to publicly disclose them when they occur.

"Part of what we're seeing is the effect of disclosure laws," said John Thielens, vice president of technology for Tumbleweed. "The problems are being made visible. It's just now we know about it."

So far, 35 states provide regulations that require that companies or agencies to notify affected individuals, such as customers, employees, citizens, students and alumni, when their confidential or personal information has been lost, stolen or otherwise compromised. That number will likely grow to include all 50 states within the next few years, security professionals say.

"It's not that there are going to be more (breaches), they're just going to be publicized," said Faizel Lakhani, vice president of product marketing for Reconnex. "I think there're a lot of breaches today but they're not disclosed because they're not required to be disclosed."

In addition to personally identifying data, experts also anticipate that organizations will be required to disclose breaches of digital assets that make up shareholder value.

"There's all kinds of studies that show that customers don't want to do business with companies that have experienced a breach," said David Vergara, director of product marketing of data security for CheckPoint. "It's going to get painful if you're not able to control and protect that sensitive information."

As companies implement more policies and deploy comprehensive security technologies, other database vulnerabilities will be exposed with the increased scrutiny. "They change some policies, and 'oh my gosh,' those tools and policies and processes are shining a light on other breaches that would have gone unrecognized," said Dasher. "Connecting those dots can be difficult if they surface at all."

Next: Databases Will Be Targeted

A Goldmine of Information

While individual attacks will still be prevalent, experts anticipate that cyber thieves will increasingly hunt for sensitive or identifying information right at its source --the databases, which offer a veritable gold mine of credit card, social security and other personally identifying information.

As a result, database protection will emerge as a significant issue for enterprises in the upcoming year. Experts say the problem could present a huge challenge to large enterprises with dozens, if not hundreds, of databases that remain unknown to most security personnel.

In 2008, both large enterprises and SMBs alike will increasingly invest in database security initiatives, which should include technologies that monitor the information and minimize the amount of data leaving their secure networks, security professionals say.

"Otherwise you run yourself ragged," said Julian. "You could kill yourself trying to secure every single one of those avenues."

Social Networking Sites and Second Tier Attacks

Following the 2007 trend, social networking sites like MySpace and Facebook will continue to be prime targets for data loss, researchers say, as they become more popular and are increasingly used on workplace PCs. Bots like the Storm Worm and other Trojans will be the tools that hackers use to lift sensitive and personal identifying information from unsuspecting users.

And while financial institutions and other large enterprises will also be targeted, security researchers project that there will be numerous waves of attacks on smaller, second-tier businesses in 2008, as larger businesses accordingly adopt security measures that adequately challenge existing threats.

"Whenever you go downmarket, you're going to see more companies," said Vergara. "We're going to see (companies with) lesser household names."

Experts say that smaller businesses make attractive targets due to the fact that they generally don't receive high-profile media attention and might not be as equipped to protect against sophisticated attacks.

"There are many retailers that just haven't figured it out yet," said Stiennon. "They will be the newsmakers because it will be extremely embarrassing."

Next: Infomation Will Be Prioritized

Classifying Data

Most businesses often have more data than they know what to do with. In order to control copious amounts of information, companies will increasingly put resources into classification -- determining what data needs protection and what only serves a liability to the company.

"I think people will take another look at reducing the amount of data that they have," said Julian. "If it doesn't need to be on that system at all, let's just delete it. That will be another trend."

As a result, businesses will be a lot more likely to invest in security risk assessment and management in 2008, security experts say. For enterprises, this means creating data security czars and developing a system that prioritizes the most sensitive information in order to determine what data potential attackers are most likely going to target.

In addition to credit card and Social Security numbers, security experts predict that many companies will add intellectual property, as well as other information that could affect the value of its stock, to their list of sensitive data.

"The big thing holding up organizations is that they believe they know what the sensitive data is and they know who should and shouldn't see it. Every company's sensitive data is different," said Lakhani. "Every company has information that if it gets into the wrong hands would really hurt shareholder value."

DLP vendors will also introduce tools that will help companies learn where the most sensitive information is located, what information is leaking out of the company and to whom.

"It's not just data. You have to classify everything from a risk perspective," said Brian Cleary, vice president of marketing at access governance firm Aveksa. "Once you have those controls in place, the likelihood of losing that data goes down exponentially."

Accidental Agents of Catastrophe

While outside threats will always be a problem, studies have shown that the biggest threat by far to a company's information often occurs through simple human error. A recent survey conducted by RSA, a security solutions provider for businesses, indicated that some of the most significant breaches in 2008 will probably come from within the company itself and will likely be an accident. With even more data in motion, breaches will occur when employees perform risky, but well intentioned, behaviors, such as sending work documents to personal e-mail addresses, or accessing e-mail from a personal computer.

"We tend to think of information risk or data exposure as cloak and dagger stuff," said Sam Curry, vice president of product management and marketing at RSA. "But there's a simpler one, the innocent risk. It's stuff that could more easily be blocked and it's a fundamentally human thing."

The RSA study showed that insider job shifts also played a significant role in compromised data. An overwhelming majority -- 72 percent of respondents -- reported that their company or organization employs temporary workers or contractors who require access to sensitive information and systems. Increased outsourcing and offshoring will also open more avenues for data leakage, and security experts anticipate more security breaches will be ultimately be traced to outsourced or contracted workers throughout the year.

In addition, almost 25 percent of RSA's respondents said that they had stumbled into an area of their corporate network to which they should not have had access and 33 percent said they still had access to old accounts after switching jobs internally.

Subsequently, security experts say that it will become increasingly necessary for businesses to conduct periodic reviews of employment shifts in order to understand the various users, their roles and the type of information they can access. They also maintain that businesses will be required to closely monitor role shifts within a company and ensure that employees only have as much access to information as is necessary in order to perform job duties.

"Users should have no more access than is required to do their job, that's the model we should be thinking about," said Cleary. "The internal inappropriate access is much more common, and typically we see that stemming from an employee's role changing within a company"

"Everyone thinks it's about these Russian networks. They're out there, but it's also just human error," Cleary added.