The loss or theft of any sort of sensitive data (whether commercial, financial, medical or R&D) can have major consequences for a company. It is worth keeping such data under tight control.

When dealing with Data Leak Prevention issues, a clear distinction must be made between loss and theft.

Loss (results from a human, often unvoluntary mistake)

• Accidental loss
• Bad business processes (as when, for example, users are authorised to take sensitive data out of the company on unsecured mobile devices)

Theft (results from a malicious attempt to gain access to data)

• The user is infected by malicious software, such as a keylogger, while surfing on the internet. This is becoming increasingly common.
• Targeted data theft : infrequent, but potentially catastrophic.In that scenario, an internal or external entity (or entities) will make every effort to get hold of targeted data.

The thieves' determination is the main problem to handle when dealing with that kind of threat. It means that mere technical protections applicable for data loss will prove unsufficient.

All recent data theft occurrences show that, at one point in time, some people could access sensitive data within the framework, direct or indirect, of their professional activity. Their reasons for seizing this data went from greed to ethical motives.

Preventing Leaks

To deal with areas of potential data loss, companies must examine the areas of exposure within their business environment. Many companies don't know where their data lives (on servers, on laptops... Understanding who has access to data and where it flows inside and outside of the network are crucial to managing information.

Actions to take are:

• Classify data, so that their degree of confidentiality is clear and that they are handled accordingly
• List and examine all potential areas of exposure
• Evaluate suitable data leak prevention techologies, so that sensitive data can be monitored and protected efficiently
• Make sure of all employees' professional ethics (by way of security awareness, policies, sanctions)
• Detect and monitor abnormal behaviours in the staff

While sensitive information needs to be protected, too much control can limit employee productivity if they are placed under too much constraint. Effective leak prevention must keep information inside the company’s walls without preventing employees to do their job and disrupting normal business operations. This is where an efficient DLP solution will make all the difference, as it will make the difference between "false positive" and real alerts.