CICRA Consultancies Ltd. recently announced that for the first time in Sri Lanka it is introducing Data Loss Prevention (DLP) solutions. CICRA has been appointed Master Reseller of the world’s leading DLP solutions provider, InfoWatch Group of Russia, owned by Kaspersky Lab Co-Founder Natalya Kaspersky. Following are excerpts of an interview with CICRA Director/CEO Boshan Dayaratne on DLP solutions:

InfoWatch Group of Companies Deputy to CEO Vsevolod Ivanov exchanging the Master Reseller Agreement with CICRA Director/CEO Boshan Dayaratne while CICRA Executive Director Vasana Wickremasena and ICT Asia SDN BHD Managing Director Vigneswaran Rajashekaran look on – File photo


Q: What is Data Loss Prevention (DLP)?
A: Whether it is intentionally malicious or inadvertent, data loss can diminish a company’s brand, reduce shareholder value, and damage the company’s goodwill and reputation.
Many businesses neither monitor nor control outgoing electronic communications such as email, instant messaging, website forms, and file transfers. This creates the risk of confidential information falling into the wrong hands.
The exposure of sensitive information can result in fines, bad publicity, loss of strategic customers, loss of competitive intelligence, and legal action. Businesses should police all electronic communications to keep intellectual property, financial information, patient information, credit card data, and other sensitive information safer.
In simple words, DLP is a system or strategy that makes sure that the end users do not send sensitive or critical information outside the corporate network. It’s a solution that is designed to detect potential data breach or data exfiltration transmissions and prevent them by monitoring, detecting and blocking sensitive data while in-use, in-motion and at-rest.
Q: How have DLP solutions evolved to tackle these impacts?
A: DLP solutions have come a long way from being a technology for content filtration to becoming a complex solution including a broad set of data analysis technologies, data categorisation and consulting. DLP is not only a technology solution but it is a process.
The first essential stage is understanding what information is confidential in the company and thus must be controlled and protected. If we don’t know what we are looking for we simply can’t find it. That is why CICRA does not offer DLP software as is, but also provides information analysis and categorisation, which we call Pre-DLP.
Q: What do you think should be the main considerations for companies when it comes to DLP?
A: DLP is actually a very complex class of product because it’s not simply software as such. When we talk about DLP we are not talking about a solution. We’re talking about something that companies should analyse deeply. What does a company want to achieve? What does it want to protect? And what kind of rules will it apply? When I hear a company say that it has implemented DLP because it has bought a certain product, it sounds very strange to me. In my opinion, there is a need to undertake a huge amount of preparation work before we even begin to talk about any DLP implementation.
Q: Preparation can involve discussing how this information will be treated – will it cease to be confidential after three months, for example. We need to decide exactly who will be allowed access to this information. Will we block information or simply monitor it and then investigate any incidents?
A: At CICRA we have created a process for DLP, which consists of three steps. First, we have the preparation stage, called pre-DLP. Our consultants talk to the clients, analysing the customer needs and deciding what needs to be done. The second stage is the easiest stage – the implementation of the software. The third stage is where we identify any violations, eliminate the incidents and bring those responsible to justice. For this, we must collect the relevant information that can help us investigate the incident thoroughly and prepare evidence to put before the courts.
Only when the preparation has been completed thoroughly can you expect a DLP implementation to work well.
Q: What sort of information should be the best protected?
A: That varies depending on the company. Of course the type of confidential information depends on the industry where a particular company operates. For the financial market, for example, confidential data are customers’ personal data, credit card information, etc. For manufacturers, technologies and know-how are the most sensitive data. But in any case each company has its unique set of confidential information. That is why generic DLP solutions are often useless.
Another challenge is that 80% of data in modern companies is unstructured and spread over different documents, files and storages. Thus companies do not know which of their data are confidential and therefore can’t protect them efficiently. This is why CICRA engaged in the Pre-DLP stage to support such companies for data classification before the DLP solution is implemented.
Q: What steps can companies take to protect themselves against data leaks?
A: We are certain that only a multi-layered concept for data protection can work. This includes organisational measures, access rights management and data classification. Only then can the technical solution for data leakage prevention work. This approach requires significant joint work with the customer, high qualification of partner professionals, and a long-term integration process. That’s the only way DLP can achieve high results and record about 90% efficiency.
Q: Do DLP solutions have to go hand-in-hand with other security solutions such as anti-malware and firewalls?
A: DLP solutions are for internal security protection while antivirus, firewalls and anti-malware are oriented more towards external threats. There can be some overlap, but it is quite rare, because the implementation process of internal protection totally differs from that of external protection. Today there are no really integrated solutions for internal and external threat prevention.
Q: Which companies are most at risk from data leaks?
A: Of course, the companies with the most valuable information are most at risk. First, there are companies which have big volumes of personal data such as mobile operators, big online retailers, authorities working with citizens, etc. Second, there are companies which possess different trade secrets such as manufacturing, oil and gas, etc. Meanwhile, banks, big insurance companies and governmental structures also operate with highly sensitive data. We can add to the list any other company that considers its information valuable.
Q: How do the security needs of SMBs differ from the needs of enterprises?
A: They usually want more integrated solutions than enterprises, which usually employ security managers. These managers enable the choice of different solutions from different security vendors. Small companies don’t like that because they don’t tend to have the resources to manage that kind of thing. They look for something simpler. Smaller companies also often use cloud to help them with security. Enterprises may use private cloud but they will certainly never use public cloud because they just don’t trust it.
Q: With whom did CICRA partner to introduce the DLP solutions in Sri Lanka?
A: We have partnered with InfoWatch Group, Russia. InfoWatch is a group of innovative technology companies focused on developing and providing cutting-edge comprehensive technologies and services dedicated to data loss prevention and protection, intellectual property protection, customer experience and reputation management, as well as risk management and compliance solutions. InfoWatch is owned by Natalya Kaspersky, co-founder of Kaspersky Lab. They have more than 50% of the Russia and CIS market in the corporate information security sector. They also work in Western Europe, the Middle East and Asia. CICRA has been appointed as the master reseller for Sri Lanka.
Q: Compared to other security threats how threatening is data leakage for organisations?
A: Data leakage means company employees taking confidential information outside the corporate perimeter. Data leaks cause much more crucial damage to companies than viruses and hacker attacks. This is simply because the antivirus market has already existed for 30+ years, and in that period of time antivirus vendors have learned to combat most types of malware. As for data leaks, the DLP market is comparatively young and there are only a few truly effective solutions able to stand against malicious insiders.
Q: In Sri Lanka, where technology products from US-based companies hold precedence over those from other geographies, how does CICRA’s partnership with InfoWatch plan to convince Sri Lankan CIOs to adopt its products?
A: InfoWatch brings to the Sri Lankan market its unique technologies and philosophy, offering DLP as a service plus software and not merely software. Our DLP solution provides a truly effective integrated tool, which is the only such effective solution in the world to prevent corporate data leaks. Besides, we provide the Sri Lanka market with very strong technical support from Sri Lanka and Russia. Russian technical staff is one of the most advanced in the world. And CICRA consultants have worked on many projects across the world, including with Fortune 500 companies and law enforcement agencies across the world, in preventing cybercrimes.
Q: Which industry segments does CICRA plan to target in Sri Lanka?
A: As Sri Lanka moves for a five-hub economy, many sectors in the economy are now in active transition from paperwork to digital document workflow. In such a situation, the potential for internal information security is very notable. We should especially note the banking and financial services industry and telecommunications industry segments. Since all banks are obliged to operate core banking systems, there is obviously quite a bit of demand for a full-fledged internal information security solution to protect information assets. Thus for CICRA, we see very high time for DLP projects in this FY2015.
Q: What other information solutions does CICRA provide?
A: CICRA is Sri Lanka’s pioneering cyber security training and consultancy provider. As the accredited training centre of the International Council of Electronic Commerce Consultants (EC-Council), USA, we offer cyber training programs such as Certified Ethical Hacking (C|EH), EC-Council Network Security Administrator (ENSA), Computer Hacking Forensic Investigator (C|HFI), EC-Council Disaster Recovery Professional (EDRP) and EC-Council Certified Security Analyst (ECSA) that leads to Licensed Penetration Tester (LPT) qualification.
Our consultancies focus on information security beyond compliance. We emphasise this because mere compliance will not reduce cyber security risks. Our expertise is on manual penetration testing and security posture assessment.