RSA Europe: The challenges of data protection

One of the problems is lack of ownership – who is responsible for data protection? Smart said it is often a case of the IT department thinking it is the board’s responsibility and vice versa, when in fact it is the responsibility of both.

Another issue around data protection is lack of experience, as this is a relatively new concept. Companies often do not have data protection expertise in-house, so who do you turn to for expert advice, and how do you know that advice is sound? Smart admitted that even vendors like McAfee tended to be experts in their own product offerings, but did not necessarily have a full overview of everything on the market.

Smart also said there is a lack of regulatory enforcement of data protection policies and regulations. In some countries it is enough for a company to have customers in that country to have to comply with its data protection laws – but how can it be enforced? Smart added that data protection is not enforced to a degree where people would pay attention, but that this is now changing. One example would be the new powers bestowed on the UK Information Commissioner’s Office (ICO) from April 2010.

Finally, Smart said that data protection is facing the problem of a lack of integrated technology. Some organisations have a lot of security solutions, but no solution to manage all of them.

Smart told the RSA Europe audience that these hurdles are the reason why data protection has not been adopted faster. However, the drivers for data protection are getting stronger and harder to ignore as companies are starting to be held responsible for their data losses.

Data protection solutions

The way to go about data protection is to focus on the data and “protect the data all the way”, Smart said.

You must “know what data you have and where it is before you can protect it – how does it move around?”

Organisations must review their data usage policies and data risk assessments, which will help them to revise data usage policies and to build a business case for data protection. This in turn leads to up-to-date data usage policies, and top level visibility and support – which again lead to budget for data protection.

Businesses must also set realistic goals for data protection implementation, Smart added.

Data protection and mobile devices

With an increasingly mobile workforce, data protection is not only about protecting data at rest. One example is employees downloading work files onto flash drives – not out of malice, but in order to finish off work at home. Organisations need to know what is plugged in and have a content-aware data protection solution to avoid data loss, Smart said.

There is also the problem of virtual vectors like webmail, blogs and social media, and of lost or stolen devices such as laptops.

Smart recommended having integrated security, full disk encryption, central device management, and content inspection for automatic policy-based selective encryption of emails, to address some of these problems.

But in the end, the main message for protecting data is “focus on the data!”, Smart concluded.
