Osterman Research: Why Your Organization Needs to Implement DLP

Why Your Organization
Needs to Implement DLP!
An Osterman Research White PaperPublished October 2008
SPONSORED BY
!
!
Osterman Research, Inc. . P.O. Box 1058 . Black Diamond, Washington 98010-1058Phone: +1 253 630 5839 . Fax: +1 866 842 3274 . info@ostermanresearch.com . www.ostermanresearch.com Why Your Organization Needs to Implement DLP
Why This Document Will Be Worth Your Time
The typical email user sends 41 emails during a normal workday, or roughly 10,250 emails each year. That means than in an organization of 2,000 users, 20.5 million emails will be sent. Add to this the large and growing proportion of email users who also use instant messaging clients and wikis, post to blogs, use personal Webmail accounts for business purposes, check email from home, send files through FTP systems, take work home and on the road on USB thumbdrives, transport corporate data on mobile devices, and use collaboration tools of various types. Now, consider that most of these communications and files are sent and transported without any sort of monitoring, encryption or oversight. The result is that organizations are deploying a growing array of tools and endpoints for employees to become more efficient. And, at the same time, Organizations must they are creating a growing number of implement DLP systems to opportunities for information to leak out of an enterprise in unauthorized protect themselves against and potentially damaging ways. the growing array of threats There are many well-publicized (and they face from inadvertent some not-so-well publicized) examples of sensitive data that has been sent and malicious data leaks. through email and other tools in an authorized or mistaken manner. The vast majority of these data breaches are inadvertent, but the opportunity exists for malicious users to send confidential and sensitive data, as well. THE CONSEQUENCES OF DATA LEAKS CAN BE SERIOUS The consequences of a data breach can vary widely: a confidential memo sent by a senior manager to the wrong client may carry with it no negative ramifications; the client may simply delete the email and the breach will simply be forgotten. However, data breaches can carry with them very serious consequences, such as the revelation in February 2008 that that the Hannaford Brothers chain of supermarkets lost more than four million debit and credit card numbers to hackers. A 2007 study by the Ponemon Institute found that the loss of customer records costs $197 per record, and that the average business loss for a 1large organization that suffers a data breach is $4.1 million . The bottom line is that organizations must implement Data Loss Prevention (DLP) systems to protect themselves against the growing array of threats they face from inadvertent and malicious data leaks from email, instant messaging and other systems. This white paper is an update to a white paper we published on DLP issues in 2007 and is sponsored by Trend Micro. Information on the company is included later in this white paper.
1 Cost of a Data Breach, Ponemon Institute
©2008 Osterman Research, Inc. 1 Why Your Organization Needs to Implement DLP
DLP is Becoming Much More Important
MANY ARE UNAWARE OF THE PROBLEMS WITH DATA LOSS According to a survey conducted by Osterman Research during April 2008: . 100% of organizations have deployed anti-virus capabilities . 99% have deployed anti-spam capabilities . 96% have deployed anti-spyware capabilities However, even using a fairly broad interpretation of data loss prevention (DLP) capabilities, which would include products that don't provide true DLP functionality, only 49% of organizations have deployed these capabilities. Clearly, the data above suggests that organizations of all sizes are well aware of the need to monitor their inbound communications for spam and malware. However, they are not nearly as aware of the need to monitor outbound communications, or they are not taking the threat as seriously as they should. This, despite the fact that 27% of organizations in the same survey reported that during the previous 12 months data or information was accidentally or malicously leaked from their organization. One of the key reasons that organizations have not yet deployed DLP systems can be explained by the fact that many decision makers are not aware of the ... [download for more]