Cybersecurity Beyond Compliance
In part one of this series, I presented an overview of data loss prevention (DLP) for private equity (PE) and the question of why PE needs DLP. In part two, I will look more in depth at the gaps between basic DLP compliance requirements and more comprehensive security, and at how to address them.
Data Classification, Identification & Mapping
In the previous article, I walked through the process of establishing data classification—a building block of DLP—and how to use it to create elements of an information security policy. The purpose of DLP is to identify, log, and respond to violations of the security policy with as little disruption to normal business operations as possible. The goal is to minimize false positives and respond to actual breaches.
The most effective information security policies go into some depth about how to handle sensitive data—who can access it, where they can access it, and what they can do with it. For example, there may be more open access from within the office but more restrictive access externally. Or maybe some users can read documents or files but are not allowed to print, copy, or forward them. When violations of the security policy are detected, actions can range from alerts to blocking or deleting files to data-specific encryption (e.g., Social Security numbers or payment card IDs).
While creating a data classification scheme is standard among firms, the next stage, identifying, mapping, and labeling every document that contains these data types, is where many firms stumble. For firms with data on-premises in network stores and data rooms, in email, in cloud storage, and in applications, creating a data map can be a time-consuming project. To help with this, software such as Office 365 has built-in settings to identify these basic data types.
The goal is for all channels to enforce the same rules. For PE, the most sensitive data rarely maps to predefined formats, so you’ll need other methods of identification. These can be as straightforward as a file-naming convention that appends the classification name, or as involved as document fingerprinting or header tagging that DLP tools can detect. Many virtual data rooms also have advanced digital rights management (DRM) to enforce multiple levels of access and control.
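To make the identification methods above concrete, here is an added example, not code from this article or from Agio, of a small Python classifier that combines all three: a predefined-format detector for Social Security and payment card numbers, a file-naming convention (assumed here: the file stem ends in _PUBLIC, _INTERNAL, _CONFIDENTIAL or _RESTRICTED), a header tag (assumed here: a "Classification:" line near the top of the document), and a simple exact-match document fingerprint. It then maps the result to a policy action that differs inside and outside the office, as the policy section describes. The label names, the policy table and the sample documents are all constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed classification scheme, ordered from least to most sensitive.
LABELS = ("PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED")
RANK = {label: i for i, label in enumerate(LABELS)}

# Predefined data types (the kind a built-in Office 365 detector catches).
# The SSN pattern rejects impossible area/group/serial values to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits with optional space/dash separators; candidates are Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: discards most digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_data_types(text: str) -> List[str]:
    """Return the predefined data types present in the text."""
    found = []
    if SSN_RE.search(text):
        found.append("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.append("payment_card")
            break
    return found


def label_from_filename(filename: str) -> Optional[str]:
    """Naming convention (assumed): the stem ends in _<LABEL>, e.g. Falcon_LOI_CONFIDENTIAL.docx."""
    stem = filename.rsplit(".", 1)[0]
    suffix = stem.rsplit("_", 1)[-1].upper()
    return suffix if suffix in RANK else None


HEADER_RE = re.compile(r"^\s*Classification:\s*([A-Za-z]+)", re.IGNORECASE | re.MULTILINE)


def label_from_header(text: str) -> Optional[str]:
    """Header tag (assumed format): a 'Classification: <label>' line within the first 512 characters."""
    m = HEADER_RE.search(text[:512])
    if m and m.group(1).upper() in RANK:
        return m.group(1).upper()
    return None


def fingerprint(text: str) -> str:
    """Exact-match fingerprint: SHA-256 of case- and whitespace-normalised text.
    Commercial tools use partial fingerprints that survive excerpting; this is the simplest form."""
    normalised = " ".join(text.split()).lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


@dataclass
class Finding:
    label: Optional[str]
    data_types: List[str] = field(default_factory=list)
    method: str = "none"  # which identification method produced the label


def classify(filename: str, text: str, registry: Dict[str, str]) -> Finding:
    """Run all identification methods; when they disagree, the most restrictive label wins."""
    candidates = [
        ("header", label_from_header(text)),
        ("filename", label_from_filename(filename)),
        ("fingerprint", registry.get(fingerprint(text))),
    ]
    hits = [(m, lbl) for m, lbl in candidates if lbl]
    if not hits:
        return Finding(None, find_data_types(text))
    method, label = max(hits, key=lambda ml: RANK[ml[1]])
    return Finding(label, find_data_types(text), method)


def decide(finding: Finding, channel: str) -> str:
    """Map a finding to a policy action; channel is 'internal' (in the office) or 'external'."""
    label = finding.label or "INTERNAL"  # assumed default: unlabelled content is internal-only
    if channel == "external":
        if RANK[label] >= RANK["CONFIDENTIAL"]:
            return "block"
        if finding.data_types:
            return "encrypt"  # e.g. force encryption when SSNs or card numbers leave the firm
        return "alert" if label == "INTERNAL" else "allow"
    # Inside the office access is more open: log and alert rather than disrupt work.
    if label == "RESTRICTED" or finding.data_types:
        return "alert"
    return "allow"


# Constructed samples (not real deal data). The memo is fingerprinted at ingestion into the data room.
DEAL_MEMO = "Project Falcon - investment memo. Proposed EV $410m, 7.2x EBITDA. Exclusivity to 30 June."
REGISTRY = {fingerprint(DEAL_MEMO): "RESTRICTED"}
SAMPLES = [
    ("memo_excerpt.txt", "Project   Falcon - investment memo.\nProposed EV $410m, 7.2x EBITDA. Exclusivity to 30 June.", "external"),
    ("Falcon_LOI_CONFIDENTIAL.docx", "Letter of intent, draft 3.", "internal"),
    ("expenses.csv", "Employee,SSN,Card\nJ Doe,123-45-6789,4111 1111 1111 1111", "external"),
    ("newsletter.txt", "Classification: Public\nQ3 portfolio update for the website.", "external"),
]


def run_samples():
    """Classify each sample and return (filename, label, action) triples."""
    out = []
    for name, text, channel in SAMPLES:
        finding = classify(name, text, REGISTRY)
        out.append((name, finding.label, decide(finding, channel)))
    return out


if __name__ == "__main__":
    for name, label, action in run_samples():
        print(f"{name:30} label={label!s:13} action={action}")
```

The fingerprint catches the memo excerpt even though its whitespace was changed, the naming convention catches the LOI, and the expense file gets an encrypt action rather than a block because it carries regulated data types but no classification label. Tuning the SSN and card patterns against real traffic is what keeps the false-positive rate down.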
Deal Data & Virtual Data Rooms
Virtual data rooms like iDeals, Intralinks, and SmartRoom often have the most robust controls for data loss prevention. In many of them, DLP and DRM are fully integrated: they control who can access specific files and whether those files can be printed, forwarded, or deleted. In fact, virtual data rooms do such a good job of controlling data loss that some firms use them for non-deal data as well.
Email DLP is the most commonly used form of data loss prevention. Tools like Outlook in Office 365 and Mimecast can implement DLP rules and inspect messages and attachments. Network DLP scans traffic leaving for the Internet, whether it comes from a web browser, an application, or a command-line process. Network DLP tools take many forms: some are network appliances, while others run on endpoints such as laptops to protect devices when they are outside the network.
Many antivirus and anti-malware providers have added endpoint DLP to their protection. Solutions from providers like Symantec offer DLP options for workstations, storage, and cloud systems. Other solutions, like cloud access security brokers (CASBs) or data access security brokers (DASBs), help bridge the gap between on-premises and cloud systems to not only protect known data sources but also identify new locations and cloud services that may have been added without proper approval.
One challenge with data loss prevention is detecting sensitive data that is encrypted or stored in password-protected files. Some firms use technology such as a reverse proxy to decrypt data before it can leave the network. As a fallback measure, some firms block all data that cannot be properly identified.
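The fallback described above, block what the scanner cannot identify, is easy to state but needs two detection steps to work: recognising a password-protected archive and recognising content that is encrypted or otherwise opaque. The following added example (my own illustration, not code from this article or from Agio) does both in Python: it reads the encryption bit in a ZIP archive's headers, unpacks unprotected archives so their members are scanned individually, and treats high-entropy payloads as uninspectable. The entropy cutoff, the "Classification:" header tag the stand-in scanner honours, and all sample payloads are assumptions constructed for the example; Python's zipfile cannot write encrypted archives, so the password-protected sample is a plain archive whose header flag bits are patched by hand.

```python
import io
import math
import random
import zipfile
from collections import Counter
from typing import List, Tuple

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cutoff, tune against real traffic before enforcing
SEVERITY = {"allow": 0, "alert": 1, "block": 2}


class Uninspectable(Exception):
    """Raised when the scanner cannot see the content it is asked to judge."""


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain text sits around 4-5, ciphertext and compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extract_units(data: bytes, name: str = "<payload>") -> List[Tuple[str, bytes]]:
    """Flatten a payload into scannable (name, bytes) units, unpacking ZIP archives recursively.
    Raises Uninspectable for password-protected or malformed archives and for high-entropy blobs."""
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Bit 0 of the general-purpose flag marks an encrypted member.
                if any(info.flag_bits & 0x1 for info in zf.infolist()):
                    raise Uninspectable(f"{name}: password-protected archive")
                units: List[Tuple[str, bytes]] = []
                for info in zf.infolist():
                    units.extend(extract_units(zf.read(info), f"{name}/{info.filename}"))
                return units
        except zipfile.BadZipFile:
            raise Uninspectable(f"{name}: malformed archive") from None
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        raise Uninspectable(f"{name}: high-entropy content (encrypted or unknown binary)")
    return [(name, data)]


def scan_unit(unit: bytes) -> str:
    """Stand-in content scanner: honours a 'Classification:' header tag (assumed format)."""
    head = unit[:256].decode("utf-8", "replace").lower()
    if "classification: restricted" in head:
        return "block"
    if "classification: confidential" in head:
        return "alert"
    return "allow"


def decide(data: bytes) -> Tuple[str, str]:
    """Policy decision with the fallback from the article: what cannot be identified is blocked."""
    try:
        units = extract_units(data)
    except Uninspectable as why:
        return "block", str(why)
    worst = max((scan_unit(u) for _, u in units), key=SEVERITY.get, default="allow")
    return worst, f"scanned {len(units)} unit(s)"


# ---- Constructed sample payloads (not real firm data) ----
def _zip_bytes(member: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


def make_protected_zip(member: str, payload: bytes) -> bytes:
    """Set the encryption flag (bit 0) in the local header (offset 6) and central directory
    entry (offset 8) of a plain archive. Only the flag is inspected, so the payload stays clear."""
    data = bytearray(_zip_bytes(member, payload))
    for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            data[pos + offset] |= 0x01
            pos = data.find(sig, pos + 1)
    return bytes(data)


PLAIN_TEXT = b"Q3 portfolio update: three add-on acquisitions closed, one exit in progress."
CONFIDENTIAL_ZIP = _zip_bytes("loi.txt", b"Classification: Confidential\nLetter of intent, draft 3.")
PROTECTED_ZIP = make_protected_zip("memo.txt", b"Project Falcon memo; password sent separately.")
NESTED_ZIP = _zip_bytes("inner.zip", PROTECTED_ZIP)  # protected archive hidden inside a plain one
_rng = random.Random(7)
RANDOM_BLOB = bytes(_rng.randrange(256) for _ in range(4096))  # stand-in for ciphertext

if __name__ == "__main__":
    for label, payload in [("plain text", PLAIN_TEXT), ("confidential zip", CONFIDENTIAL_ZIP),
                           ("protected zip", PROTECTED_ZIP), ("nested zip", NESTED_ZIP),
                           ("random blob", RANDOM_BLOB)]:
        print(f"{label:17} -> {decide(payload)}")
```

Two caveats a practitioner would want: the entropy test also trips on legitimately compressed formats such as PDF, JPEG or Office files, so a deployable version dispatches on file type before falling back to entropy; and blocking everything uninspectable is only tolerable where a decrypting proxy or a data room already gives the firm a sanctioned channel for encrypted content.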
For compliance and the firm’s security, PE needs a reliable DLP solution. There is no single path or set of tools that works for all PE firms to implement DLP, but the most successful and proven process is a risk-based initiative starting with compliance and expanding to cover all areas of risk for data loss. Review of SEC compliance and regular PE governance is the cornerstone of Agio’s SEC Governance Program. Contact Agio today to learn more about how we can make your PE firm and its portfolio companies more secure.