Data loss occurs when intellectual property or sensitive information leaves the corporate network and is no longer under the corporation’s control.
As companies become increasingly mobile and users carry company data on portable storage devices (such as USB drives, smartphones and laptops), they increase their risk of data loss.
Data loss can have a minor or major impact on the business. For example, a user might drop a smartphone in a puddle on their way into work. If the phone, which held email correspondence with clients, is rendered useless and the data unrecoverable, then the company suffers a data loss. Luckily that data didn’t get into the wrong hands, and the damage is minimal. But consider a laptop with hundreds of customers’ credit card numbers left on the subway. All those customers are subject to identify theft if the laptop is picked up by an individual with malicious intent, and the company is liable.
Data loss isn’t limited to mobile computing devices. Emails containing confidential corporate information can be sent to the wrong recipients. Instant messages can be intercepted by attackers. Weak access controls can allow the wrong users to access sensitive network resources. The methods by which a company can suffer a data loss are numerous and, unfortunately, so are the effects. Data loss can result in negative publicity, damage to the company’s reputation, loss of customers and profits, decreased stock value and even heavy regulatory fines.
In an effort to protect citizens against identity theft, regulatory agencies passed laws requiring companies to protect sensitive information against data loss. These regulations often require the use of encryption, which renders data unreadable and prevents access to it. If a company that is subject to regulatory compliance experiences a data loss without the proper controls, as required by the regulation, the company can be subject to fines and penalties.
At Sophos, we recommend companies implement a security solution that includes controls to help prevent data loss and encrypts data to protect it from harm or loss. The solution should also enable the company to easily demonstrate compliance with data loss regulations should they be reviewed for compliance.