Could DLP have prevented BoE Bookend disclosure?

The Bank of England accidentally sent information about the research project to identify financial risk associated with the United Kingdom leaving the European Union to a journalist at The Guardian. Could an effective Data Loss Prevention (DLP) strategy have stopped this breach in its tracks?

DLP is about making sure users do not send confidential or classified information outside the corporate network. It is driven by a combination of threats from inside businesses and legal duties to protect personal data. The key questions asked are:

  • Where is the data located?
  • Who has access to the data?
  • How is the data being used?
  • How can we prevent it from being lost or stolen?

Nobody has suggested that someone intentionally leaked Project Bookend details to the media, nor that the breach was in any way malevolent. However, with the right policies and systems in place, both accidental and malicious data losses are preventable.

An effective DLP solution would include:

  • Specific files or project directories identified as confidential and subjected to monitoring
  • Network and endpoint monitoring to track access, data transfer or writing files to USB devices
  • Detection of uploads to social media sites or to file storage services such as Dropbox
  • Specific profiling of defined data types such as bank account numbers, National Insurance numbers, insurance policy numbers, postcodes or credit card numbers
  • Network and endpoint monitoring to track transfers of files containing profiled data structures, allowing for cases where confidential data is added to other files which would not usually attract attention
  • Integration with email services and other network protocols to intercept and block the transmission of data where attachments contain content that matches the defined profile of confidential data

In the case of the Bank of England, data about Project Bookend could have been classified as confidential and tracked internally. An attempt to send the files outside the perimeter would trigger interception of the email and prevent it from being transmitted: essentially, the entire email and any attachments would be quarantined for further investigation by an Information Security analyst.
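The following is an added example, not code from the original article or from any DLP product. It applies the profiling and email-interception steps described above to an outbound message, matching a classified project name, Luhn-valid card numbers and National Insurance numbers, and quarantining only when a recipient is external. The domain names, marker list and sample message are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAINS = {"bank.example"}          # assumption: the organisation's own mail domain
CONFIDENTIAL_MARKERS = ("project bookend",)  # assumption: classified project names, lower case
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# UK National Insurance number: two prefix letters, six digits, suffix A-D
NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z] ?(?:\d{2} ?){3}[A-D]\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def profile_text(text: str) -> set[str]:
    """Return the names of the confidential-data profiles that match the text."""
    hits = set()
    if any(marker in text.lower() for marker in CONFIDENTIAL_MARKERS):
        hits.add("classified-project")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        hits.add("card-number")
    if NINO_RE.search(text):
        hits.add("ni-number")
    return hits

def evaluate(msg: EmailMessage) -> tuple[str, set[str]]:
    """Quarantine when any recipient is external and any profile matches."""
    addresses = getaddresses([str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])])
    external = any(a.rpartition("@")[2].lower() not in INTERNAL_DOMAINS for _, a in addresses if a)
    hits = profile_text(str(msg.get("Subject", "")))
    for part in msg.walk():
        hits |= profile_text(part.get_filename() or "")
        if part.get_content_maintype() == "text":  # body and text attachments only
            hits |= profile_text(part.get_content())
    return ("quarantine" if external and hits else "deliver"), hits

def sample_message() -> EmailMessage:
    """Constructed sample: a confidential attachment addressed to an outside recipient."""
    msg = EmailMessage()
    msg["To"] = "reporter@news.example"
    msg.set_content("See attached.")
    msg.add_attachment("Project Bookend: Q&A draft", filename="notes.txt")
    return msg

if __name__ == "__main__":
    print(evaluate(sample_message()))
```

Only text parts are inspected here; office documents, PDFs and archives would need text extraction before profiling, and unreadable (for example encrypted) attachments sent externally are a policy decision in their own right.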

Managing exponential growth of data

Data storage is available at a low cost, and extending storage space is an easy solution to deal with data growth. However, how often do you take this action only to find out three months later that the same problem has returned and more space is required? Increasing capacity is part of the solution and needs consideration as part of a long-term data storage strategy and retention policies.

The notion that data storage is cheap is very subjective and depends on many different factors beyond the price of disks. The acronym RAID, which initially meant ‘Redundant Array of Inexpensive Disks’, is somewhat misleading in that it conveys the message that storage is cheap without considering many other factors including:

  • The costs of other hardware requirements
  • The costs of physical space in data centres
  • Employment costs
  • Maintenance
  • Ongoing support

What matters more is the overall cost of data storage relative to the value of the stored data. RAID more commonly means ‘Redundant Array of Independent Disks’, which is more appropriate.

Parkinson’s Law states that one’s work will expand to fill the time available to complete it. The same principle applies to space: a requirement for storage will increase until it reaches maximum capacity. Buying a second filing cabinet has the long-term effect of doubling the number of documents stored. Notice at home that the same applies to cupboards, shelves and coat hooks, and how often a spare bedroom fills up over time. A corollary of Parkinson’s Law relating to the growth of data is that stored electronic data will expand to fill whatever storage space is available for systems to use.

The key areas to be fully explored before investing in new hardware are:

  • Housekeeping – cleanup of historical data storage where appropriate to reduce strain on systems
  • Ongoing policy – decisions on what data is stored and for how long
  • Capacity planning – projecting future storage requirements and proactively planning any storage expansion

Reducing the need for storage has an added benefit to the environment of reducing energy consumption.

We are committed to saving energy and resources. We offer our clients a challenge to use housekeeping, policy implementation and capacity planning to reduce storage requirements and to contribute a portion of any financial savings from the storage budget to their favourite charity.