Although data loss prevention (DLP) as a technology is “doing well” in the large organization business-sized space, one Info-Tech Research Group analyst and a Websense executive agree there are still plenty more money-making opportunities for partners in this important area of IT.
Last December, the Durham Health Region in Ontario had announced it had lost the medical records of thousands of patients after a nurse had misplaced a USB drive at the regional headquarters in Whitby, Ont.
In response, Ann Cavoukian, Ontario’s Information and Privacy Commissioner, ordered the Durham Health Region to make sure all its computerized health records are “strongly encrypted.”
The USB key stored the information of over 83,000 patients, taken during an H1N1 flu vaccination clinic between Oct. 23 and Dec. 15, 2009.
In addition to encrypting electronic health records, Cavoukian also asked the Ontario Ministry of Health to make frequent checks to ensure this data is being protected and handled properly moving forward.
James Alexander, senior vice-president of London, Ont.-based Info-Tech Research Group, said that data loss from mobile devices is a “pretty significant” issue in today’s digital age.
“The loss or theft of data from mobile devices largely goes unreported,” he said. “That’s because there’s not a lot of legislation that requires individuals to report a breach. Organizations may fail to do this because they’ll lose face in the industry and with their employees.”
The loss or theft of data on removable storage devices and items such as notebooks and smartphone, is not necessarily a hardware or technology issue, but rather is a combination of the two, plus policies and processes, Alexander explained.
Where the channel can help is around educating customers and going after customers that still haven’t adopted the appropriate security technologies.
“Industries that have a considerable priority for data protection often use DLP technology and encryption and this primarily occurs in large organizations,” Alexander said. “A lot of smaller and medium-sized businesses, especially the ones that aren’t in the financial services or credit card payment industries, still aren’t really adopting (this technology).
The DLP space is a hot market to get into and is a “good money-making opportunity” for partners right now, Alexander said. Even still, Alexander said the loss or theft of data often has a lot to do with the lack of security processes or policies around mobile devices and removable storage drives.
“You can have all the hardware and software fixes you want, but you also need a lot of processes and policies around that to make sure nothing can be done with the data,” Alexander said.
DLP and encryption are two technologies that can help, but they’re not “silver bullets” for complete protection, Alexander added. Vendors need to explain broadly why these security technologies should be important to end-users and partners also need to help their customers build a broader DLP strategy to help them protect their business-critical information.
Fiaaz Walji, Canadian country manager for Websense, said as a player in the security space, “we need to educate end-users about the data on the devices, and not necessarily just on the devices themselves.”
“Partners should talk about business processes and not just talk to their customers about hardware,” Walji said. “Partners should ask their customers ‘if they were to lose ‘x’ data tomorrow, what sort of effect that would be?’ Partners should help their customers establish business policies, rules and regulations around their data.”
When establishing policies and rules, partners should also advise that their customers get down to a more granular level so they can determine which person (on a role-based basis) has access to what information and at which location. Once these policies are established, this should be an ongoing evaluation process, Walji said.
“From a DLP perspective, there’s still a lot of white space for partners,” Walji said. “It’s a service-heavy implementation and is a way for partners to have constant contact and a long-term relationship with their customers.”
As far as market opportunities go, Alexander said partners should look at public sector organizations and other industries that are compliance-driven, such as financial services and health-care organizations.
“A good example is the public sector,” Alexander said. “They haven’t been as impacted by the recession in terms of their discretionary spending. They’re hyper-sensitive about this stuff (security) and they will take direction.”