Data loss prevention (DLP) is a powerful security tool. So powerful that it’s tempting to try a broad, pervasive implementation. But this can backfire into a flood of false alerts — unless you first think through your DLP strategy:

1. Decide/define what data you need to protect and how. 
2. Understand your organization’s business workflow, including how it uses sensitive data and where your network infrastructure is susceptible to data leakage. 
3. Develop a security policy that establishes organization-wide standards and procedures for data ownership and usage — and includes the means to enforce those policies.
4. Seek out a DLP service provider who makes it easy for you to deploy DLP in cost-effective phases at your own pace.
5. Forge an implementation plan that nails down specifics concerning your network, endpoints, discovery requirements, and so on. Aim initially for basic DLP capabilities, usually focused on (select one) network, endpoint, or storage (discovery) requirements — and just a single policy (to avoid being overwhelmed with alerts). Once one capability is deployed and optimized, you can tackle the next one with confidence and efficiency.

DLP is not a box solution. To be effective, it must be deployed in the context of well-considered security policy and a willingness to assess and rank corporate data, apply user-privilege and access controls, routinely audit policy and data flows, and train employees about acceptable use.

A trusted security services advisor can help you map your objectives to what’s possible with DLP and guide you through a successful DLP strategy, planning, and deployment process.

Combine Fear, Uncertainty, and Doubt — and you get FUD, which has been on my mind lately because it so often involves attempts to thwart adoption of newly-emerging, better solutions. Consider these two tales of FUD:

The first tale, from the late 1880s, is often referred to as the War of Currents. It's about a powerful group of direct current (DC) supporters who fought fiercely against the new, more cost-effective alternating current (AC) with a range of FUD stunts, from electrocuting animals to building the first electric chair. DC's supporters eventually lost — because FUD can slow, but not stop, real progress.

The second tale is a contemporary one involving Cloud Services — and, sadly, concerns the same techniques used during the War of Currents: FUD.

Cloud can reduce IT spend without loss of capability (or security). Cloud can even streamline what IT can do for a business. That inexorable reality has some upset enough to try to scare folks away from Cloud Services so they'll stick with costly, arcane solutions.

If marketing chatter is making you unsure, talk to a trusted technology adviser to understand your options. Don't let your plans succumb to FUD.

In the wrong hands, the sensitive data your business depends on becomes a weapon wielded against it. And it’s happening more often every day. 

Reports of intellectual property theft and hacktivism abound, and 2011 has been widely described as “the year of the data breach.”

It’s not hard to see why.

In 2011 alone, according to the nonprofit Online Trust Alliance, 126 million data records were compromised in the United States.

More...

Targeted zero-day attacks are proliferating — and focusing more and more on smaller businesses because these tend to have weaker defenses. Some security experts say that if your security posture can be bypassed with custom malware, you’re probably already compromised.

More...

These days, your end-users have usually become the weakest link in your data security chain, so attacks are shifting from the server side to the client side, notably to mobile devices like smartphones.

More...

Over the last few weeks, I’ve taken a look at what you can do to boost your organization’s IT security. But it occurs to me that maybe I’ve put the cart before the horse.

So I’m going to spend the next few weeks delving into the sort of threats your business’s IT infrastructure faces. And I’m going to start with data breaches and the most recent big-headline example: Zappos (parent company is Amazon.com), which last month admitted it suffered a data breach that compromised 24 million customer accounts.

More...

Are you suffering from security fatigue? Find yourself getting irritated when your IT folks bring up yet another security issue? You're not alone. Lately I've been witnessing a good deal of security fatigue in the executive suite, and I'm not surprised.

Truth is, security remains a never-ending process. The easier we make it to move data, the more vulnerable it is to loss or theft. In fact, our Page 1 story this issue on Data Loss Prevention is all about how easy it is for too many employees to make off with sensitive, proprietary information.

But you're sick of hearing about it all, right? Well, maybe it's not security you're tired of, but the endless stream of checks you've been writing to buy security products that leave you less than secure.

As readers of this blog know, I've long been an advocate of buying capability rather than product. Want to be sure Salesman Bob, who's just resigned to go to work for a competitor, doesn't walk away with all your customer data to help him in his new job? Don't just buy a product. Look for a way to get the capability to protect your data.

You can't escape spending on security, but you can make each dollar work to deliver the functionality you need.

For quite some time, small and midsized businesses dared to feel safe from most malicious attacks — thanks to their relative smallness. Over the last couple of years, that’s been changing, because larger firms are tightening defenses and, as I’ve said before, the bad guys exploit opportunity.

Which is why shoddy IT security is a wide open opportunity for hackers to rip you off. 

So I’m finishing our list with two elements easily overlooked as you face the hassles of keeping up with criminal creativity.

#9 Educate your employees about security

More...