Possibility of data theft and breach of confidential information have been a cause of incessant sleepless nights and many a nightmare for CIOs. And, why not? Data loss not only means financial loss but also loss of reputation and brand erosion that can have a long-term impact. Something that no organisation can afford, even while they may fail to quantify the possible impact of data loss. The Citibank Fraud case unearthed a few months back is a case in point. A case of fraud involving diversion of depositor’s money in just one of the bank’s branches in Gurgaon had far-reaching ramifications on the conglomerate globally as the seat of the global CEO shook under the controversy.

Technology has played a critical role in securing enterprises’ data and information assets. However, all the jazz aside, security is as good as the intentions of its internal users. Data Loss Prevention tool or DLP as it’s commonly known targets that very link in the entire security chain, namely the human element, though indirectly. Knowledge of being monitored plays a deterrent to people misusing or mishandling data. DLP targets this very psyche, as insurance major Aviva also realised. According to Rajiv Sehgal, CIO & Sr. VP IT – Aviva, "It's such a deterrent for people to know that things are being monitored." The company, a joint venture between the Dabur group and U.K's Aviva plc, was the first among insurance companies in India to adopt DLP. The solution provided by RSA to Aviva covers around 8,500 nodes or user end-points across 177 locations. While the actual deployment of the solution lasted less than a month, it was preceded by one month of Proof of Concept exercise along with RSA.

Having been live on DLP for over six months, Aviva has already started seeing benefits in terms of ability to proactively monitor any kind of data malpractice or breach of data. What it means is that people are conscious. However, Sehgal is quick to add that DLP is not about policing the employees and this has been made very clear to the internal users.

Sehgal further points out that he is not sure whether one can always put a tangible number to having or not having a DLP solution. "We looked at it in a way that it is the right thing to do for our customers. Our focus is on security," he adds. Besides, it also caters to compliance and regulatory requirements and provides an audit trail and traceability to track down any data breach. DLP allows Aviva to understand what data is travelling into the network as well as out of the network and what’s going on with the data. This helps security measures to be put in place, both reactively and proactively. The data covered includes email traffic, internet traffic, file attachments, data on any USB drivers or flash drives being plugged into the system, etc.

Being in the financial services industry, privacy and data security are paramount and of prime concern, factors that also drove Aviva's DLP deployment. "For a company like us, reputation, protection of customer data, privacy of our data is critical to us," explains Sehgal. Arun Dhaka, Enterprise Sales Manager – RSA India & SAARC, further confers that this realisation is dawning upon other insurance companies as the need for stringent data protection measures is now being felt in India’s insurance sector. "Maintaining confidentiality of customer information they hold is one of the biggest responsibilities and challenges that the insurance companies face, besides ensuring compliance to the regulatory obligations," he explains.

The visibility that DLP provides into the movement, both inflow and outflow, of enterprise data may be unparalleled, but it’s equally important that the employees do not see it as a move by the management to breathe down their neck. This makes the task of the CIO even more challenging to get DLP off to the right start. And, getting the user buy-in and acceptability across all levels will take more than sheer ROI numbers and hard core cost-benefit analysis, as building employee confidence and trust will hold the key.

DLP Implementation Tips

Both Sehgal and Dhaka share a few tips and guidelines to help enterprises ensure a successful and effective DLP deployment.

• Change Management
  
  The first and the most fundamental guideline that is true for any deployment - following the right project management practices, including change management. Buy-in from the top management and change management has to be very much a part of any implementation. Driving DLP across the enterprise, one needs to ensure that employees adapt to change, and while DLP acts as a deterrent for any data theft or data misuse malpractice, its critical to ensure that employees don’t take to it as a tool for policing them.
  

• Data Classification
  
  It’s critical to have the right data classification in place, i.e. classifying the data as risky, non-risky, confidential, non-confidential, etc. To know what one needs to protect, one first needs to classify it as confidential or non-confidential. This process should be done either before buying the DLP solution or do it as part of the implementation exercise.
  

• Getting Keywords Right
  
  Developing a comprehensive library of keywords, database packets to track, monitor and restrict is an ongoing process. The keywords will continue to evolve as one uses the system.
  

• Be Patient
  
  One has to be a little patient as DLP has its own learning process. Also, perhaps some degree of customisation is required for each organisation.