The toughest thing about security is that it frequently depends on people not screwing up. Although many industries have specialized security and compliance requirements, they all face this same fundamental problem: no matter how good workplace training is, a worker can compromise security by emailing sensitive information to the wrong person, storing their login credentials on public devices, or even just setting a weak password.
When that happens, data loss prevention best practices can make the difference between a mistake that’s caught and corrected, and a leak that severely damages the organization.
The size of the problem. Companies usually focus on defending against external threats, but while many industries have gotten better at beating hackers, internal leaks have grown in severity. In 2014, a Kaspersky study revealed that 29% of businesses reported accidental data leaks, making them the biggest source of lost data. In 2013 alone, 27% of respondents reported losing sensitive data to an internal IT threat.
And the attacks are costly. In 2014, the estimated impact of breaches on enterprises increased by 14%, from $700,000 to $798,000. Data loss prevention best practices need to be adopted across industries, or the problem is going to continue to grow.
Here are the 6 types of businesses that need data loss prevention the most:
Healthcare has the most data breaches of any industry, with 84.4 million records breached in the first half of 2015 alone. Although the industry experienced 21.1% of data breaches, it accounted for 34% of records lost — one in three.
Healthcare makes a tempting target because it collects vast amounts of data. Health insurance providers routinely store the personal info (names, birthdays, Social Security numbers, etc.) of millions, or even tens of millions of people in a single database. Unlike credit card numbers, which can be cancelled, this healthcare data remains valuable even after the hack is discovered. It can be used for prescription fraud or identity theft, or even as a source of intelligence for foreign governments.
Unfortunately, data loss prevention best practices are hard to use in hospitals and clinics that work with multiple doctors who aren’t their employees. Even when doctors sign business associate agreements (BAAs), they often fail to use encryption and other basic security precautions. Add in all the other parties accessing medical information (billing staff, insurance, payment processors, pharmacies, etc.), and leaks become almost inevitable.
Data loss prevention best practices and other security measures could make a huge difference. The hackers behind big medical breaches probably wouldn’t have been able to compromise tens of millions of records if the records had been encrypted. Medical companies need to control access with multiple encryption keys, using a tool like Virtru for Google Workspace. By limiting access, they can reduce the amount of damage a single hack can do.
The industry also needs to adopt an easy-to-use, HIPAA-compliant email application like Virtru. Unlike healthcare portals, Virtru works with existing email accounts, allowing organizations to protect all their communications.
Virtru DLP gives organizations the ability to enforce data loss prevention best practices; they can force encryption on all communications, pop up warnings when protected information is being included in the body of an email, and restrict where patient records and other sensitive data are sent. Big healthcare organizations should consider mandating the use of Virtru DLP in their BAAs to make sure their partners don’t inadvertently compromise their data.
Nearly everything lawyers do is subject to strict confidentiality requirements, but many lawyers don’t adequately control access to their documents. Although legal industry breaches are underreported, the stats we do have are alarming. Of the 100 highest-earning firms in the country, at least 80 have been attacked by hackers since 2011. Another recent study shows that 7% of all firms have been hacked in the past three years.
Top law firms have information that makes them especially vulnerable. They may deal with trade secrets, corporate mergers, international law — or other bits of sensitive information that are vital to their clients. Powerful, unscrupulous actors, such as rival corporations and foreign governments, may be willing to invest considerable resources into stealing these secrets. When employed by high-security industries like finance, a law firm can be the weak link in the chain, exposing the very clients they’re supposed to protect.
The good news is most firms have taken steps toward boosting security; 79% of firms surveyed called cybersecurity one of their top ten risks, and the majority have taken some precautions, such as running secure offsite servers and data vaults (90%) and using internal controls to detect privacy policy violations (75%).
Yet, it’s not enough. The legal industry needs to begin employing security and data loss prevention best practices across the board. All law firms should mandate email encryption of all client communications, along with cloud encryption to secure stored documents. Finally, law firms need to understand that you can’t prevent mistakes through education alone. Virtru's DLP is the best way to prevent costly mistakes that can expose your clients.
Government organizations need to adopt data loss prevention best practices ASAP. Government has gone from accounting for 5.2% of breaches in the second half of 2014 to 31.4% in the first half of 2015 — second only to the healthcare industry.
The problem isn’t smarter criminals or lax security, per se; government is becoming a more frequent target, simply because there’s more to target. Many government agencies are just starting to put services online, creating big, poorly guarded collections of data. The OPM breach, where hackers stole the records of 22 million current and former federal workers, shows how serious the problem has become.
The breach illustrates how government agencies routinely fall short of data loss prevention best practices. Hackers used credentials stolen from a contractor to implant malware, which gave them access to the database. Obviously, the government should have been watching network traffic better — they were in the system, exfiltrating data for ten months — but poor encryption key management was also a factor.
Virtru allows users to restrict file access with multiple keys, giving each employee only the access they need to do their job, instead of leaving the whole system open to a hacker.
Data loss prevention best practices could have prevented the credentials from being stolen in the first place. Virtru DLP can stop employees from sending login information in emails or attachments, where it can be vulnerable to theft. Combined with strong password policies, monitoring and training, these techniques could have minimized the damage, or prevented the attack entirely.
The financial industry has probably done more to prevent hacking than any other industry, but there’s still work to do. In the first half of 2015, finance was responsible for 16.1% of records breached, or 143 breaches total — the second highest number, according to the Breach Level Index. Nonetheless, those breaches only accounted for 0.3% of breached records. Although financial services haven’t been able to prevent a number of attacks, their low numbers of breached records show effective use of data loss prevention best practices.
Unfortunately, the complexity of financial services makes occasional vulnerabilities almost inevitable. From malware on payment processing systems to broken security on financial web portals to scanners on ATMs, there are many places hackers can attack. In addition, PCI regulations protect financial information more than email; trade secrets, login credentials, and confidential financial strategies can all be compromised by a careless worker.
Data loss prevention best practices can help the finance industry most by protecting login credentials and valuable data that doesn’t fall under PCI, such as business intelligence. Programs like Virtru can also boost PCI compliance by preventing employees from accidentally sending account numbers and other protected data over email.
Manufacturing is a bit of a security backwater; it hasn’t been targeted heavily in the past, and hasn’t been subject to the same disclosure laws as industries like retail, finance, and healthcare, so manufacturers have remained largely unaware of the threats they face. That’s all starting to change.
According to the Symantec 2015 Internet Security Threat Report, manufacturing tied for the industry most targeted by spear-phishing in 2014. Attacks are likely to increase as more hackers become aware of the valuable data manufacturers store. Innovative designs can be stolen and sold to competitors overseas, and internal business intelligence can give rivals an edge. Large manufacturers also have large employee databases, which are valuable to identity thieves.
Manufacturers need to adopt the data loss prevention best practices used in finance and other industries. They should use a solution like Virtru to encrypt data at rest, and restrict employee access to sensitive data. They need to start using Virtru secure email encryption as a matter of course to protect sensitive communication. Finally, they should protect critical data with detailed email policies, backed up by Virtru DLP.
Cloud computing providers affect everyone’s security. As more organizations move to the cloud, businesses are depending on providers for compliance and security, as well as more business-specific services. Whether they provide IaaS, PaaS, SaaS or consulting, these organizations need to ensure they’re never the weak link by employing security and data loss prevention best practices.
Moving beyond old data security methods is part of this. Antivirus and firewall software can’t build an invincible wall around data anymore, because data that can be accessed from anywhere can be hacked from anywhere. Cloud computing organizations need to partner with Encryption as a Service organizations like Virtru. They need to model data loss prevention best practices both internally and to their customers, to make sure everyone is doing their part to keep data safe.
Data safety is crucial across industries. Encryption stops thieves from stealing financial data, healthcare information, and manufacturing intellectual property in exactly the same way, and with the same effectiveness. Virtru DLP uses military-grade encryption and customizable rules to help any organization enforce data loss prevention best practices for email. Combined with Virtru for Google Workspace and Virtru for Microsoft Outlook, it allows individuals and organizations to address vulnerabilities, and stay safe in the cloud.