Building a Secure Server from Default Ubuntu

October 28th, 2011 by peter.bassill

I have been asked on a few occasions if I would put together an outline on how to build a secure server from scratch. Having thought the topic through on a number of occasions and having tried to write this blog article on what is probably nearer 20 times I finally bit the bullet and got on with it.

In this post, I will explore how to take a default Ubuntu install, in this case it is 11.04 server, and build it as a secure web server.


Digital Forensics – Project Ebay

September 2nd, 2011 by peter.bassill

Update 2

I now have processed 20 drives from a reasonable spread of reclamation businesses and private individuals, and thus far only three drives have failed to give up the previous owners' information. That is a good return for me, and a very poor display for information security practices. The home users I am not too surprised with, but still the corporates are getting this wrong. I am certain that the business entities engaging these reclamation organizations who are reselling this equipment on ebay would be shocked that in many cases the drives were just formatted.

Of course, all of these drives have now undergone a DoD 7 pass wipe to make sure they are completely erased, but the top 5 data sets recovered are:

  1. Email
  2. Corporate documents
  3. iTunes collections
  4. Personal photos
  5. Personal Identifiable Information


Digital Forensics – Project Ebay

July 17th, 2011 by peter.bassill

Update 1

Project Ebay is moving along very nicely. To date 10 drives have been purchased across a reasonable spread of reclamation businesses and private individuals, and thus far each and every drive has given up the previous owners' information. That is a 100% success rate at recovering previous owners' data.

Of course, all of these drives have now undergone a DoD 7 pass wipe to make sure they are completely erased, but I have pulled back:

  • Email
  • Banking records
  • iTunes collections
  • Personal photos
  • Very very personal photos
  • University assignments
  • Source code
  • CAD images

The home users I am not too surprised with, but the corporates? I am certain that the business entities engaging these reclamation organizations would be shocked that in many cases the drives were just formatted, and in one case all I needed to do was hook the drive up and mount it.


Infosec 2011 – Journey Of A Social Media Attack

March 11th, 2011 by peter.bassill

Infosec Europe 2011 – 19th to 21st April, Earls Court

Join Peter Wood and myself as we explore the world of social media attacks – http://bit.ly/eK14wY

Human side of Security

February 11th, 2011 by peter.bassill

One of the hot topics for many information security officers and almost all suppliers within the IT security industry at present is data loss prevention.

For many information security officers (ISOs) and IT directors, not a week will pass without a supplier calling to talk about and sell a data loss prevention solution that is hailed as a way of controlling data egress points.

From the products I have tested, I can say that they do what they say on the packaging, but in this economic climate, when boards are mandating decreased budgets and businesses drive for lower operational costs, is there another way of achieving a similar result without large capital outlay?

Good increases in data management can be achieved through a good information security awareness programme. A good awareness programme can make significant strides to decrease accidental loss of data, which is by far the most common cause of data breaches, and then use technical solutions to assist and complement the work of the awareness programme. Awareness programmes take time to set up and need buy-in from the very top of the business. Key executives are usually happy and eager to help; they see both the security benefits and the benefits of lower operating costs.

For example, the use of portable media has caused many businesses a large headache and has led to a number of high-profile data breaches. By educating your staff on the virtues of good data management around portable devices and ensuring a good understanding of classification labels and how to protect data within certain classifications, staff have shown they are capable of adequately protecting data and correctly using portable media devices.

This is not to say that you should not complement the training by issuing only encrypted portable devices and controlling data written to non-encrypted devices. In taking this step you reinforce the training and show the workforce that you are taking the matter seriously.

By viewing technology as an assistant to good information security practices rather than the primary enabler of information security, you are better placed to view the options open to the business. Taking a broader view of your business practices allows you to better understand where information security gains can be achieved easily and where gains will take longer to realise.

An excellent area within the realm of information security where the people element returns excellent gains is in penetration testing. By engaging different business unit members in internal penetration testing it is possible to identify where processes are not working and could lead to potential security issues. Using this method of penetration testing in conjunction with traditional external testing you get a fuller and more rounded view of your overall security stance. This will help in identifying the many egress routes that data could potentially take out of the business.

A good security awareness programme will not safeguard against those rogue employees who want to take the data with them, however. This is where there is no replacement for the technical counter-measure. But with an awareness programme in place, employees will be aware of what will happen if they are found to have taken data, and the HR department will have an easier time of dealing with these employees if you can prove they are fully aware of the policies and have taken part in the awareness training.
