Written by Jacob Woodfield – DLP Practice Lead at Gradian | Jul 13, 2023

In October 2022 the International Organisation for Standardisation (ISO) revised the ISO 27001 standard, making Data Loss Prevention (DLP) an integral part of the framework.

In a nutshell, this means that to attain or retain certification, you must have DLP deployed within your organisation by the 31^st October 2025.

Read on to understand more about what DLP is, and how Gradian can help meet the requirements.

What is DLP?

DLP toolsets are configured to identify regulated, confidential, and business-critical data; these identifications are typically driven by regulatory compliance such as GDPR, HIPAA, or PCI-DSS but can be driven by Intellectual Property and other bespoke requirements. Examples include looking for specific keywords or patterns (such as a Regular Expression) or content similarity for your sensitive document templates.

Once those violations are identified, DLP can be utilised to enforce alerting, encryption, user-education, blocking and other preventative/protective actions and more to mitigate, and in some cases negate, the risk to end users from accidentally or maliciously sharing data that shouldn’t be shared.

Furthermore, DLP can build upon existing Data Classification toolsets, integrate with Web Proxies, Firewalls and CASBs. DLP can even be expanded to utilise UEBA technology and enforce stronger measures on users who are exhibiting potentially compromised behaviours.

DLP: The New Cornerstone of ISO 27001:2022

In an era of exponential data growth, DLP has evolved from being a reactive measure to a proactive necessity. Whilst the ISO 27001 standard has always mandated measures for information security, the 2022 revision has specifically called out DLP. As a result, ISO 27001:2022 is the manifestation of the global understanding of DLP’s indispensability in achieving a secure data environment.

The successful implementation of a DLP toolset aligns your organisation with the ISO 27001:2022 standard, showcases your commitment to data security, and instils trust among stakeholders. Therefore, an effective DLP policy forms the crux of the ISO 27001:2022 certification narrative.

Gradian’s role in your compliance journey

We understand the challenges organisations face in embarking on a successful DLP journey. That’s where our expertise and hand-picked best-in-class toolsets come into play.

Expert Consultation and Customisation

Our industry-leading security experts understand the nuances of an effective DLP policy. We customise our approach to your unique security needs, developing a tailored DLP solution that aligns with ISO 27001:2022.

We Listen. We work to understand what data you hold which needs protecting and we tune policies using our Crawl > Walk > Run approach to ensure the all-important balance between productively and security is met.

We also work with Policy Tuning across all DLP toolsets; so even if your toolsets are deployed already, we can work as an extension of your internal teams to ensure you are gaining the best ROI from them possible.

Technological Partnerships

Our strategic partnerships with best-in-class technology vendors enable us to leverage cutting-edge solutions for data protection. All partnerships with our vendors are fully vetted and explored before we put their name against ours. We deconstruct the technology and stress-test it to ensure it is enterprise ready and valuable. This process ensures that we are not only industry-leading experts in all technologies we recommend, but that the technologies are of a platinum standard for our clients.

Continuous Support and Training

Compliance isn’t a one-time accomplishment. It’s an ongoing endeavour, requiring regular updates and monitoring. Gradian provides continuous support to help you stay abreast of the evolving security landscape. Additionally, we offer training programs to empower you in effectively handling data loss incidents and reporting as well as maintaining toolsets internally.

Managed Services

If maintaining DLP toolsets sounds like a daunting task, we can provide our DLP-as-a-Service to you, which will help keep your mind at ease when it comes to things like troubleshooting, upgrading or even understanding how you can get that complex DLP policy just right. Working as an extension of your internal IT Security team, we ensure you always have decades of rich DLP-centric experience on hand.

The story of ISO 27001:2022 certification is one of a proactive commitment to data security, with DLP at its heart. In this narrative, Gradian serves as a guide, empowering you with the tools and expertise needed to navigate the complex terrain of data security and compliance.

Partner with us and let’s create a secure future for your data together.  The first step is to claim your FREE workshop or get in touch to see how else we can help you.

True Partnership explored…

At the recent Broadcom European Partner Conference held in Barcelona, Gradian was awarded Broadcom’s EMEA Technical Partner of the Year award 2022. Following this regional success, our CEO Damian Acklam was invited to join Broadcom’s VP of International Markets Tom Thorpe and CRN’s Katie Bavosa to discuss both the impact and opportunity the recently launched Expert Advantage Partner Program has had within the Cyber Security marketplace.

To learn more about the Expert Advantage Program, click here.

Have you ever looked at your day to day task list and felt like a real clown . . .

Now, I’m not suggesting anyone is stood there with a large red nose, kipper tie, shoes that are just way too big and drive a car where the doors will fall off at any minute.

But if you’re like a lot of individuals that we speak to on a regular basis, there’s a whole heap of juggling going on or plate spinning if you will.

This time of year generates a lot of noise as organisations review current IT projects and plan new projects for the following year, moving  priorities  to ensure that (hopefully) everything  gets completed at the right time, on time. There are conversations  fed down from the top requesting outcomes and solutions. This, as a lot of you will know isn’t always that straight forward…

The idea of cyber security resilience and where to focus the efforts is a conversation that could run for hours, days in-fact and indeed it is one that has many different facets , but what questions should you be asking within the business  for a better security posture:

These are 10 key questions that an organisation really should ask of itself when it comes to focusing on cyber security and data protection:

1. Do we have a data classification scheme to help identify sensitive information and ensure appropriate protections are in place? Do we actually understand the data we have and what we are trying to protect

To secure sensitive or other data of value, you really need to understand what it is, how much you have, who’s doing what with it and ultimately where it is leaving the business. Classification and the work around this is the first point of call. Once you’ve classified the data, you’ll know what you should be protecting.

2. Do we have effective mechanisms for controlling access to resources, such as how we handle new starters, movers or when staff leave our organisation?

Many companies either don’t have a process or if they do, it is very rarely policed. This is particularly prevalent in respect to movers in a business where legacy permissions may and regularly do remain in place where no longer required.

3. Do we review user accounts and systems for unnecessary privileges on a regular basis?

Regularly reviewing policies and rule-based access controls is an essential part of mitigating the risk of data loss.

4. Do we enforce multi factor authentications for all systems and users?

A simple one . . .but you would be surprised that this still needs discussion

5. Do we have regularly rehearsed plans to deal with the most likely cyber events or disasters?

This won’t be applicable to all, but organisations that manage critical infrastructure or hold large quantities of data / intellectual property should have roles and responsibilities mapped out with their staff to ensure the best possible route to fix should an attack / data loss event happen.

6. Are all our hardware and software products free from vulnerabilities, supported by the vendor and regularly patched?

We take this for granted in most cases, but who carries the responsibility from an organisational point to keep on top of this?

7. Are all staff aware of and participate in effective cyber risk management processes?

Education is key and should be regularly revisited. There are plenty of tool sets out in the market to provide cover here but consistent messaging and processes in the business will aid this. We simply cannot rely on good old common sense!

8. Are we doing everything necessary to support our staff and stakeholders to understand and be aware of cyber risk, via training advice and guidance?

This is often a question of whether cyber security training is ingrained in your business processes. For example, is cyber security training a requirement of new starter onboarding and how often is this training updated?

9. Do we adequately understand our business-critical services and functions and their associated data, technology and supply chain dependencies?

A big one for a lot of organisations – people move about this industry regularly bringing with them their own ideas and recommended technologies and as such legacy infrastructure and policies exist with very little information to back it once people have moved on. There is a huge focus on consolidating tech and moving to a single pane of glass approach. This provides a perfect opportunity to review the whole environment which in turn aids better education and more robust processes.

10. Are all staff aware of and participate in effective cyber risk management processes?

Is there a culture of shared responsibility for the management of cyber risk within the enterprise? Are there reporting channels available to help identify gaps in those processes that back this up.

2023 will pose several new challenges for organisations both internally and externally. Data is such a strong conversation now, especially for us here at Gradian. We are finding businesses really waking up to the idea of securing data in the right way from the ground up rather than buying a solution with a quick fix mentality

Top 5 Reasons Why Data Loss Prevention (DLP) Implementation Fails

Written by Emily Walker |24 Jan, 2022

Data Loss Prevention (DLP) is a critical security measure in protecting your company’s confidential data. Unfortunately, DLP implementations often fail due to a number of common mistakes. In this blog post, we’ll disclose the top five reasons why DLP implementations fail.

1. Inadequate Data Classification

Misclassification of data causes both false and negative positives. This can result in distruption of BAU practices as well as allow for exfiltration of critical assets. Data Classification is the strong foundation which supports any successful DLP implementation.

2. Excessive False Positives

With all DLP tools there’s a delicate balance to maintain; bad policies and poor configuration can lead to the generation of false positives. Time and effort is subsequently required to determine the legitimacy of each alert which can easily become overwhelming

3. Poor Integration of DLP Modules

A robust DLP Implementation will seamlessly integrate network, host, and storage protection modules into a centralised management system. If these modules aren’t tightly integrated, the efficacy of your monitoring will be adversely affected.

4. Lack of Training

DLP implementations will often fail due to a lack of training; employees need to be trained on how DLP works. Whenever possible it’s important to use the DLP toolset as a visual reminder to prompt users in real time to their responsibilities.

5. Failure to Monitor and Update

Organisations are continually evolving their IT infrastructure and associated processes. To be effective your DLP implementation requires continuous monitoring and tweaking in support of the changing nature of your business.

Data Loss Prevention is a critical component of any company’s digital protection plan. Your DLP solution should be carefully integrated to ensure all modules work together and provide maximum coverage. If you need help with this, we can do it for you.

What is important with DLP, and in fact any technology, is understanding what its intended function is and how that function can help you and your organisation.

Like most things, when researching DLP many find themselves lost in a rabbit hole of information – to understand one area, you must first understand another and so on until you somehow find yourself on Wikipedia at 2am reading about why Social Security numbers were first invented and how best to protect them without inundating your management console with thousands of false positives a day (Okay admittedly, I may be alone here).

Let me fall back on the much-loved (read: overused) analogy in our industry – cars. Much like buying a brand-new car, DLP is a significant investment. You want it to be fast and flashy, but mostly you want it to be functional. After all, it’s still a car, regardless of how much money you spent on it. It’s great to have a large touch screen display, a GPS, high quality speakers and the ability to go back in time when it hits 88mph, but all these features are kind of redundant if you don’t know how to drive. You can sit in it on the drive and play around, but you can’t use it to drive the kids to the Zoo on the weekend or drop the in-laws off at the airport to buy yourself a few days of peace.

What you have in this scenario, isn’t a car, but a small room on wheels you can sit in and listen to some music and watch your local neighbourhood go about it’s business. It may be a car by name, but not by function.

The same is the case with DLP. It’s great to have a solution with all the bells and whistles, which is lightning fast and can calculate the meaning of life, but if you can’t use it to perform it’s basic, rudimentary intended function – why are you calling it your DLP solution?

I’ve seen this too many times in my career to count; organisations who need to essentially tick a box for clients or partners to say “Yes, we have DLP”. They look to their email gateways, or their web proxies and they see the ability to enable some level of pseudo DLP protection. Six months down the line they discover a data exfiltration incident has occurred and they then need to explain that they “Have DLP on our email gateway only”.

So, what is DLP?

In our eyes, DLP (Data Loss Prevention) is the ability to define your sensitive data within your organisation and protect it across the entire estate regardless of digital exfiltration method. True DLP isn’t stopping a handful of keywords going through your email gateway or preventing all users from writing to USB drives unless they’re on a whitelist. DLP requires a centralised management console which unifies components from across your organisational span of control; Cloud, Endpoint, Web & Email as a minimum to ensure a comprehensive security posture.

This brings me back to our original success criteria, and the point of this entire blog:

Understanding

Unlike cars, DLP tool sets aren’t a requirement for day-to-day life (no matter how much they may feel like they are sometimes). This means there are far fewer people with the ability to “drive” them and even less with the ability to drive them well.

If you don’t have a car, you still need to get about. In the analogous world, you could hire a taxi but in the DLP one, you’d hire a Professional Service engineer to get you from point A to point B (installation and configuration – I think this analogy is being a little stretched, but we’re almost there). However, if you’re fortunate enough to have a car, but no ability to drive it, you might hire a full-time chauffeur (in the DLP world we’d call this a Managed Service).

No matter if you need a taxi, a chauffeur or even a bus (you’ll need to use your imagination for that one), the most important thing is the understanding of the risks associated with trying to drive it yourself. Sure, you may make it to the shop down the road a few times a week without being pulled over or getting into an accident, but when you try to make that long-distance journey, still not fully aware of what all the road signs mean, the chances of you getting yourself into serious trouble increase exponentially.

Gradian have been driving (this is the last one I promise) every day for two decades. We remember back before the bypass down the road was put in and we used to have to sit in traffic for 2 hours every morning to get to work. Whether you need driving lessons, a lift to the airport or someone full time to drive you anywhere you need to go, we know the cars, we know the roads and we’re always happy to get you to where you need to go, click here to get in touch today.

DUP… It’s easy as 1,2 3!

Okay, that wasn’t my best line, but I hope it served its limited purpose of grabbing your attention.

Over the span of my career, I have seen toolsets come and go in our industry which promise astonishing things. Very rarely, can they deliver on some increasingly bold claims. When Forcepoint unveiled their Dynamic User Protection (DUP) as a SAAS offering, I wasn’t convinced it would be as simple as they claimed. Anyone following the world of Forcepoint can tell you that the UEBA on which DUP is based, is not a simple toolset to deploy. It requires comical levels of hardware and extremely qualified Professional Services (PS) to deploy. It’s in fact so complex, it could not be sold to clients without mandatory Forcepoint PS.

So when we at Gradian were lucky enough to get our hands on it towards the start of this year, I cleared out an afternoon, grabbed a coffee, logged into my portal and got cracking on deploying it within my lab. I knew it would be simple, but grossly overestimated the time I would need. Here’s what happened in my lab environment:

1. Logged into portal
2. Downloaded the NEO Agent following a pop-up telling me to (my first time login)
3. Copied the agent to my lab machine (also running Forcepoint ONE Endpoint)
4. Checked the status in my DUP Tenant to see “Installing” as the status for my lab machine
5. Rebooted my lab machine and saw the client report into my tenant

And that was it. My coffee was still hot and my afternoon was suddenly free. The NEO Agent communicates with my ONE Agent locally. The ONE Agent feeds all relevant information back to my Forcepoint Security Manager and the NEO agent autonomously updates in the background.

Obviously there are more considerations for an enterprise deployment, such as testing, change requests and pushing the agent to all users, but the takeaway here is that the deployment process really is that simple.

ONCE AGAIN GRADIAN HAS INCREASED IT’S LISTING ON THE GOVERNMENT’S DIGITAL MARKETPLACE. THIS YEAR CROWN COMMERCIAL SERVICE (CCS) INTRODUCES G-CLOUD 13 AND GRADIAN IS AGAIN NAMED A SUPPLIER INTRODUCING 7 NEW LOTS.

Gradian’s listing now comprises:

CLOUD SOFTWARE

• Broadcom/Symantec CloudSOC Cloud Access Security Broker (CASB)
• Broadcom/Symantec Data Loss Prevention
• Broadcom/Symantec Email Security Service (ESS)
• Broadcom/Symantec Email Threat Detection and Response (ETDR)
• Broadcom/Symantec Email Threat Isolation (ETI)
• Broadcom/Symantec Endpoint Security Complete
• Broadcom/Symantec Endpoint Security Enterprise
• Broadcom/Symantec Mirror Gateway
• Broadcom/Symantec Policy Based Encryption Advanced
• Broadcom/Symantec Protection Engine
• Broadcom/Symantec Validation & Identification Protection (VIP)
• Broadcom/Symantec Web Protection Service
• Echoworx Oneworld Email Encryption
• Forcepoint Advanced Malware Detection (AMD)
• Forcepoint Behavioural Analytics (FBA)
• Forcepoint Cloud Access Security Broker (CASB)
• Forcepoint Cloud Web Security
• Forcepoint Data Guard (FDG)
• Forcepoint Data Loss Prevention (DLP)
• Forcepoint Email Security
• Forcepoint Insider Threat (FIT)
• Forcepoint Next Generation Firewall
• Forcepoint Remote Browser Isolation (RBI)
• Forcepoint Zero Trust Content Disarm and Reconstruction (ZTCDR)
• Valimail Amplify
• Valimail Enforce- Next-Gen DMARC-as-a-service
• Valimail Monitor- Free DMARC visibility and reporting

CLOUD SUPPORT

• Gradian Business Critical Support for Forcepoint Products
• Gradian Business Critical Support for Symantec Products
• Gradian DLP Gap Analysis
• Gradian DLP Health Check
• Gradian DLP Risk Assessment
• Gradian Premium Technical Telephone Support for Echoworx
• Gradian Premium Technical Telephone Support for Forcepoint Products
• Gradian Premium Technical Telephone Support for Symantec Products
• Gradian Security & Compliance Review for Forcepoint Products
• Gradian Security & Compliance Review for Symantec Products
• Gradian Shadow IT Assessment
• Gradian’s Managed Service for Forcepoint Technology Solutions
• Gradian’s Managed Service for Symantec Technology Solutions
• Gradian’s Professional Services for Forcepoint Technology Solution Delivery
• Gradian’s Professional Services for Symantec Technology Solution Delivery

To find out more about CCS visit their about page here.

Crown Commercial Service (CCS) is an Executive Agency of the Cabinet Office. To find out more about CCS, visit: www.crowncommercial.gov.uk.