The FUD that is used to sell DLP

Another reasonably short post: I just read an article titled "Why your organization needs to implement DLP", and had to write about it.

To be fair, the body of the article does present solutions other than DLP for the problems it highlights; I just think it is a bit misleading to have this kind of inaccurate Fear, Uncertainty and Doubt (FUD) in an article titled "Why your organization needs to implement DLP".


A few points I had issue with
"A 2007 study by the Ponemon Institute found that the loss of customer records costs $197 per record, and that the average business loss for a large organization that suffers a data breach is $4.1 million"
A few issues:
  1. Why use the 2007 study when the 2010 one is available?
  2. There is no way that you can currently and accurately get the cost of a data breach down to a figure like $197 per record. There is just not enough data collected by organizations, not enough published, and it does not take context into account, i.e. the organization type and the record type.
  3. I hate the words "average" and "large" used without definition - the key purpose is FUD with the $4.1 million loss.
  4. Even if the $4.1 million loss is real and applicable to the reader's organization, a "large", "average" organization would find it difficult to implement DLP for less than $4.1 million; the Total Cost of Ownership (TCO) each year may even be greater than that, or a good proportion of it, once you take impact x likelihood into account. So how does the cost benefit stack up? Something the article does not discuss at all.
  5. Best of all, later it goes on to say:
"nearly two-thirds of organizations estimated that a single such breach would cost their organization at least $100,000, not to mention other operational costs, damage to their brand and other problems"
$100,000 is a lot different from $4.1 million.
"The bottom line is that organizations must implement Data Loss Prevention (DLP) systems to protect themselves against the growing array of threats they face from inadvertent and malicious data leaks from email, instant messaging and other systems"
I really don't like this statement - the answer for all these issues is not DLP, as the article, to be fair, goes on to discuss later.
"For example, the former CEO of Boeing, Harry Stonecipher, used the corporate email system to send personal emails to women with whom he was having extramarital affairs. His firing which resulted from this activity was highly publicized and embarrassing to the company"
"For example, several years ago employees of British insurance company Norwich Union sent rumors using the corporate email system that falsely claimed that a competitor, Western Provident Association, was undergoing a government investigation and was experiencing financial problems."
"In a well-publicized case, Chevron Oil settled a sexual harassment lawsuit for $2.2 million after four women received offensive email from a fellow employee"
"Morgan Stanley settled a $60 million lawsuit filed by two employees after they received racist jokes sent through the company's email system"
I really have an issue with these examples. It would be very difficult for a DLP system to have prevented this, or even detected it. In addition, while racist or sexist words can be detected via keyword searches, most organizations, if they are smart, do not enable this due to the rate of false positives. This is pure FUD.
"February 2008 that the Hannaford Brothers chain of supermarkets lost more than four million debit and credit card numbers to hackers"
There is no indication in the article of how this incident is linked to DLP, ergo the natural conclusion is that if you had DLP it would have prevented this hack.
"Now, consider that most of these communications and files are sent and transported without any sort of monitoring, encryption or oversight"
I have an issue with the words "any sort"; "minimal" etc. would be fine, but not "any sort".

Minor points to do with statistics
"The typical email user sends 41 emails during a normal workday, or roughly 10,250 emails each year. That means that in an organization of 2,000 users, 20.5 million emails will be sent"
I do not believe there is any such thing as a typical email user. The millions quoted are there to create Fear.
"However, even using a fairly broad interpretation of data loss prevention (DLP) capabilities, which would include products that don’t provide true DLP functionality, only 49% of organizations have deployed these capabilities"
It does not provide any detail on the profile or number of the organizations surveyed. From practical experience I find it hard to believe that 49% of organizations have DLP implemented; I may be wrong, but I need more information.


As I said at the start, the body of the article is not too bad, especially the section "What can I do?", because it does not present DLP as the only answer. It is disappointing that they did not talk about some lower-cost options, such as the use of proxy servers or application firewalls, to achieve a similar benefit, but maybe the sponsor would have objected to that. Also they forgot the number 1 rule: the only reason most organizations will implement DLP is regulation. Regulation is mentioned, but it will be the primary and in most cases the only driver for this.

As always, comments and disagreements are welcome.
