Data protection in small companies: priority or "minor matters"?
Büyük şirketlerden sık sık gizli bilgi sızıntılarını ve güvenlik olaylarının risklerini en aza indirmek için aldıkları önlemleri duyuyoruz. Ancak aynı zamanda medya, küçük işletmelerdeki bilgi güvenliği konusuna neredeyse hiç yer vermiyor.
Küçük şirketler bilgi güvenliği sorunu konusunda endişeli mi? Eğer öyleyse, bu sorunla nasıl başa çıkıyorlar? DLP sistemlerinin (Veri Kaybı Önleme) küçük işletmelerin güvenlik devrelerindeki rolü nedir? Bu soruları yanıtlamak için bilgi güvenliği ve küçük işletmeler alanındaki uzmanlara başvuruyoruz.
Küçük şirketlerde çalışan izleme yazılımı kullanımı konusuna geçmeden önce, tam olarak hangi bilgileri korumak istediklerini bulmak önemlidir. Greatment Inc. iş geliştirme müdürü Stephen Lawson bu konu hakkında ayrıntılı olarak konuşuyor:
"In our IT age the problem of data protection is relevant for pretty much every participant of information exchange process. This certainly applies to large and medium-sized companies and small businesses, individual entrepreneurs and regular people. Security’s cornerstone is a correctly defined and classified object of protection. This can be data (for example, the company's development plans, financial reports, used technologies description, inventions), information systems (HR, CRM, ERP, BI, financial and manufacturing systems), business processes (manufacturing technology), and even people (employees with unique skills, key players). Some objects of protection are also defined according to regulatory requirements (e.g. banking secrecy, personal data). The choice of protection methods and measures depends on understanding of what needs to be protected, from whom it must be protected, where it is necessary to protect it and what consequences improper protection can lead to. Completeness and quality of simulation of security threats, as well as necessary measures will determine the amount of company’s incurred expenses in the long run. Regardless of company’s size, setting up protection against security threats should be carried out systematically, meaning, it should be started with developing the set of measures that allow protection against threats depending on the degree of the negative consequences that may ensue. It is necessary to implement data protection and create organizational processes which will allocate responsibility to certain people in the company. For example, in case of very small companies we talk about creating several information security regulations, installing anti-virus software, encrypting critical data and instructing staff on how to work with sensitive information."
Çeşitli verilerin korunması için şirketler bir DLP sistemi uygulayabilir. Bununla birlikte, uzmanların görüşleri, DLP'lerin kullanımının küçük işletmeler durumunda haklı olup olmadığı konusunda bölünmüştür.
Bruce Sandoval
, Lider analist, Symbolitics:
"There is the need for DLP systems in small companies: reality shows that leakage of confidential data may take place in a company of any size. Additionally, there is a huge number of data types. Trade secrets, unique designs, technological specs - such information is usually protected by large and medium-sized companies. Small businesses often deal with personal data, i.e. travel agencies, insurance companies, law firms - they have to worry about the safety of acquired information.
That’s why DLP is necessary not only in corporations but in companies of all sizes. Of course, DLP system is quite expensive software. For smaller companies, this is a critical factor, and they are looking for more affordable solutions. That is why current market experiences boost in popularity of products for employee monitoring. These systems help to maintain staff discipline, find problems in business processes, and partially solve the problem of DLP. "
Ethan Cook
Profesyonel barındırma sağlayıcısı Starrhost'un Bilgi Güvenliği Departmanı Başkanı:
"Ideas about information protection are always in demand, at any level. Despite the fact that the competent use of DLP solutions ultimately leads to a reduction in costs and expenses, small businesses prefer limit security measures to making organizational arrangements and work with them until the breaking point."
Patrick Simmons
Curso'da Bilgi Güvenliği Başkanı:
"Unlike classical security measures such as firewalls, antivirus software, cryptographic protection, DLP solutions are still in process of developing and trying to attract consumer’s interest on the market. There are several reasons for this. Firstly, most of the solutions of this kind come with significant expenses for purchasing (including hardware component), for implementation, as well as for hiring and training personnel operating the DLP system. All of this eventually leads to DLP being economically unfeasible for a company. Secondly, it is the lack of public awareness of the existence and capabilities of the DLP systems, as well as still urgent problem of lack of attention to the problems of ensuring information security. In particular, this is relevant for small businesses which are often characterized by the lack of dedicated security specialists, frequent use of personal devices by employees for solving work-related problems, and so on. In order to implement mechanisms of preventing leaks of confidential data small businesses can use DLP as a service provided by specialized organizations."
Dennis Barnett
Estation A.Ş. Finans Direktörü
"Small and medium-sized businesses are often interested in DLP solutions, but do not always understand their actual features and the conditions necessary for their effective work. Requirements that small companies apply to such software are usually unrealistic. If you do not take into account exceptional cases where executives are willing to personally look through almost every email and other forwarded data, small companies tend to expect DLP systems to detect employees’ unscrupulousness "themselves": cases of bribery, business data transferring to competitors, and so on. But no DLP system has its own intelligence and it cannot judge the value of collected information. All control parameters must be entered by the users of the system (as a rule, it is company’s economic security service). It requires at least a minimum of technical expertise, understanding of company’s business processes and value of various data, adequate risk assessment, a certain understanding of the psychology of potential offenders, constant monitoring and adjusting (in other words, spending a lot of work hours). DLP is only a tool in the hands of security personnel. And, as any sophisticated tool, DLP systems have certain requirements to the level of qualification of the person who uses it. "
Gregory Sandoval
Sistem Yazılımları Ürün Geliştirme Bölüm Başkanı:
"Small businesses do not often use DLP system, since these companies usually do not have sufficient funds. Moreover, in small companies people usually know each other well and relationships at work are usually trusting. In the process of development and with an increase of employee turnover companies start thinking of employee monitoring and DLP systems. This usually happens when a company grows to 200-300 PCs. As a result, potential buyers consider mainly simplified system, where DLP is merely an addition rather than the foundation."
Kenneth Aguilar
Security code LLC Pazarlama Müdürü:
"The demand for DLP systems and other means of information security in small businesses is quite limited. This is due to the fact that the introduction of such system requires not only investments, but also a certain level of understanding of information security issues. Management should clearly understand what data is confidential, who should have access to it, and who shouldn’t. This problem goes far beyond IT-administrator’s area of responsibility and competence. Despite that administrator is usually the one involved in information security in small companies. Small businesses are also characterized by flexibility and high sensitivity to the cost. Therefore, the introduction of fully-functional types of DLP solutions almost never happens. But if a company acquires a multifunctional workstation protection system that incorporates some DLP features (usually USB control), then these features are used."
Christopher Hughes
, Purposeidler Proje lideri:
"Our company believes that it is not data that needs control (as in classic information leakage prevention systems) but the employees who work with this data. Traditional control systems have a number of disadvantages. Firstly, they are heavy, complex and expensive to implement. So, they are absolutely not applicable for small businesses. Secondly, classic DLP systems monitor working with data. Monitoring is carried out for specific files (by filename) or data in company’s information systems by some data pattern (for example, XXXX-XXXX-XXXX-XXXX for credit card numbers). So if you simply change the format of the data, then the DLP system will not be able to keep track of it. For example, if you change the number of credit cards from XXXX-XXXX-XXXX-XXXX to AXXXX, BXXXX, CXXXX, DXXXX, the DLP system will not deem it important and it will go amiss. Thirdly, constant monitoring of data use overloads employees’ PCs and company’s resources. If DLP system checks all outgoing data, then any failure would result in company’s isolation."
Bazı uzmanlar küçük şirketler arasında DLP sistemlerine olan talebe dikkat çekerken, diğerleri bu çözümlerin bu segmentte popüler olmadığını düşünüyor. Büyük ve orta ölçekli şirketlerle karşılaştırıldığında küçük işletmeler arasında DLP'ye olan ilginin ne kadar büyük olduğunu anlamaya çalışalım.
George Soto
, Genç Girişimciler Kulübü Başkanı, CloudSolutions CEO'su:
"DLP solutions will be useful for both large companies and for small businesses, but only as one of the preventive measures to information leakage. Such programs are good for enhancing IT literacy among employees because their very essence involves assessing the risks of information leaks. For that activity in the channels through which data can be leaked is analyzed: e-mail, instant messengers and web directly. On the basis of the content and context (protocol, activity, type of application, etc.), the program further generates security policy, according to which it blocks messages, reports violations and so on. It is important to understand that, unlike firewalls, DLP solutions do not block data transfer completely, but instead try to analyze human activity in the network, which leaves companies with even higher probability of data leakage."
Ethan Cook
, Genç Girişimciler Kulübü Başkanı, CloudSolutions CEO'su:
"All companies have the interest for protecting information. Approaches to the implementation of DLP solutions can be different, but "loss of information" in the 21st century is almost equal to "loss of money", so it is logical to assume that the idea of minimizing such risk of losses exists in every company, regardless of its size."
Patrick Simmons:
"Companies’ interest in DLP systems depends not only on the scale of their IT infrastructure and the volume of processed data. Primarily, of course, it depends on the existence of information, leaking of which can cause damage, and on presence of current threats. Thus, the interest in DLP can be equal in both large and small companies. But large companies have more opportunities and abilities to use such systems."
Keith Burton
, Head of Information Security Department of "Expectronica" (I-Techio Inc.):
"First of all, companies with sufficient funding regardless of the size are interested in DLP systems. But keep in mind that DLP is just a tool, and whether it will really be used for the control and prevention of leaks or will remain only a “blueprint” depends on many factors: personal ambitions of managers responsible for information security, experience of project team and clear definition of problem. Quality implementation is crucial for the effectiveness of control and prevention of leaks. It is worth noting that the very scope of DLP systems is very delicate, implementation of such projects in many companies is slowed by bureaucratic and legal technicalities and high reputational risk."
Christopher Cole
SenseBox'ın Ticari Direktörü:
"DLP solutions are used mostly by large business. And these systems were initially designed precisely to meet the requirements of complex corporate machine. But the need for data protection is the same for everyone: from startups to large businesses. And what important here is not the decision itself on the level of software that business owners use, but approach to security.
DLP sistemleri başlangıçta güvenliğe paranoyak yaklaşım olarak adlandırılabilecek bir yaklaşımdan ortaya çıkmıştır: herhangi bir eylemi imkansız hale getirmeye veya engellemeye çalıştığımızda. Örneğin, bir alışveriş merkezinin girişine köpekli bir güvenlik görevlisi, bir turnike, bir metal dedektörü koyduğumuzu ve her alışveriş yapan için üst araması yaptığımızı düşünün. Bir yazılım ürünü olarak DLP de buna benzer bir şeydir. Medeni ülkelerde insanlar yasalara, polise ve mahkemelere güvenir. Ve çit inşa etmeye gerek yoktur - her yere gidebilirsiniz. Birisi yasaları çiğnemeye cüret ederse, olağan savunma mekanizması tetiklenir: polis gelir ve kolluk sistemi cezanın kaçınılmazlığını sağlar.
Nobody prevents you from restricting access to confidential information for certain employees in the form of a law, a clause in the employment contract and tough sanctions. If these sanctions and punishment exceed the benefit from the potential information theft, most employees will give up the idea of stealing."
Dennis Barnett:
"In my opinion, large corporations are more interested in using DLP solutions, they have a better understanding of what such a system might be useful for and have sufficient resources for the effective use of DLP systems. Recently on the market appeared solutions that utilize scientific advances in artificial intelligence, machine learning and big data analysis to facilitate the work of security professionals and reduce the level of their qualification requirements. Time will show how these solutions will contribute to the wider distribution of DLP systems among small and medium-sized businesses."
Billy Herrera:
"Medium and large companies (especially if it is the financial sector) are more often interested in the use of DLP systems. For a growing company it becomes increasingly difficult to control transactions and privacy of employees. And in this situation, you can easily miss information leak or that some employee (who for some reason lost his or her loyalty) intents to harm your business. Unfortunately, no system is able to completely prevent direct attacks on corporate data, but it can significantly complicate the process, making leaks less profitable and more risky for the offender."
Thomas Hicks
KRAKE'de Bilgi Güvenliği Başkanı:
"All market participants (large corporations and SMB-segment) are interested in DLP systems because information leakage risks are present in all companies. At the same time data leakage consequences for SMB-sector may be much more devastating than for large corporations. For the former a leak can easily result in the loss of key competitive advantage and, consequently, in closing of business. In the case of a large corporation it is most often a question of reputational and financial losses."
Kenneth Aguilar:
"The interest in using not only DLP systems, but also any other information security solutions depend on the size of the company, but more so on the level of its maturity. The more a company is aware of the value of its data (for itself and for its competitors), the more consciously it implements information security strategy with regard to data protection. The list of necessary actions in this case consists not only of introduction of means of information security, but of reforming business processes in order to reduce the risk of intentional leak or accidental data loss.
And only when business processes, in which DLP system will be installed, are defined, then its implementation begins to be affected by company’s size. It is obvious that a large company can spend more money on such a project, but the technical requirements will also be higher."
Uzmanların görüşleri yine ikiye bölünmüştür. Bir yandan, bazıları şirketin büyüklüğü ile DLP kullanımına olan ilgi düzeyi arasında bir bağlantı olmadığına inanırken, diğer yandan bazı uzmanlar bu tür sistemlerin en çok büyük şirketlerde talep gördüğüne inanmaktadır. Ancak her iki durumda da uzmanlar, bilgi güvenliğini önceliklerinden biri olarak gören ve bu nedenle DLP sistemlerinin potansiyel kullanıcıları olarak kabul edilebilecek küçük şirketler olduğu konusunda hemfikirdir. Peki küçük işletmelerin bu tür sistemler için gereksinimleri nelerdir?
Bruce Sandoval:
"Large customers generally choose "smart"and expensive DLP solution. Small companies are usually willing to work with these systems in the "manual" mode, without the possibility of automation, if this solution is much more affordable. For this reason, in the small and medium businesses all incidents are investigated in retrospect."
Ethan Cook:
"If you omit the obvious issue of the software price, which in this segment of information security is the most important one, and focus on functionality, then you need to give preference to more "omnivorous" security software. It often happens that small companies cannot afford to unify elements of the information system and built it on literally what is at hand. Of course, the consequence of such an approach would be the diversity of equipment used in the IT system."
Patrick Simmons:
"The list of requirements that companies apply to DLP systems is primarily based on the specific features of company's IT infrastructure including the used methods of information transferring as well as its volume. This allows the consumer to determine data transmission channels that will be controlled by DLP system. The most popular control features are monitoring of e-mails, removable drives, URLs, instant messengers and printing. Also, for many companies formation of the DLP system reports is often important as it is the key tool for demonstrating the effectiveness of the implemented DLP system to executives."
Keith Burton:
"Representatives of large businesses usually try to achieve specific objectives with the help of DLP: such system is likely to be integrated into already established IT landscape with a large
amount of other components and solutions for information protection. In contrast, the SMB-segment wants to see DLP solutions as a sort of "multi tools" that solve several problems related to information security. Another important requirement is the ease of implementation and minimum support personnel necessary."
Gregory Sandoval:
"The main requirement from smaller companies is the minimum price. However, developing DLP systems can be quite time-consuming and require constant updating."
Billy Herrera:
"Small companies are trying to buy low-cost solution with an extremely easy deployment that combines the functionality of multiple solutions. They focus on anti-virus solutions, traffic and employee productivity control systems, which often contain simplified DLP functions. In small companies, information protection is often not included in operating costs."
Thomas Hicks:
"Among the main requirements that small businesses have for DLP solutions is affordability, ease of implementation and support, as well as compliance with legal requirements. From the perspective of functions small business expects of DLP systems to be capable of monitoring printing and users’ email correspondence (both within the company's network, and with the use of the Internet postal services such as gmail.com or mail.ru), blocking file transfer to external drives or file sharing services and analyzing employees’ use of social networks and instant messengers."
Kenneth Aguilar:
"Small companies have very limited resources. This applies to information security budget and to the number of specialized personnel. As a rule, small companies hire one or two IT specialists who solve all problems related to IT and information security in varying degrees."
Bu konuda uzmanlar neredeyse hemfikirdir. Küçük şirketler için bilgi güvenliği yazılımı seçimindeki ana faktörler maliyet ve uygulama kolaylığıdır. Bunun nedeni, büyük şirketlerle karşılaştırıldığında küçük işletmelerin sınırlı mali ve insan kaynaklarına sahip olmasıdır. Bu durumun sonucu olarak, BT departmanının bir veya iki üyesi tarafından kurumsal altyapıya kolayca uygulanabilecek düşük maliyetli çok işlevli bir yazılım edinme arzusu ortaya çıkmaktadır.
Ancak, bugün piyasada işletmenize bilgi koruma konusunda yardımcı olabilecek oldukça işlevsel bazı programlar bulunmaktadır. Ve hatta bazıları ücretsiz olarak kullanılabilir.