
Ask HN: How you prevent accidental leaks of your company's data? - saurabh20n
1) How do you prevent accidental leaks through email, Github, Slack?

2) Google has a Data Loss Prevention API. https://cloud.google.com/dlp/ That requires uploading your sensitive data. Is that a concern for you? Do you know of better/cheaper alternatives?

3) Usually sensitive data is company specific. E.g., my sensitive data was biotech specific (e.g., chemical, enzyme names). How do you prevent leaks of your custom data?
======
ideophobia
It largely depends on the size of your company and the nature of your data.
There are probably 4 simplified aspects to tackle this issue from, in my
opinion. I work in data protection for a Fortune 500 company.

1. Data tagging or classification - identify and tag your sensitive data,
then use the tags to control/monitor what happens to it. If done fully and
correctly, you only have to worry about the data that matters, not someone's
chili recipe or their kid's soccer schedule. The industry term is Crown
Jewels, which represents the data that is absolutely critical to your success
and would be catastrophic if lost. Secure your CJ, and your biggest risk is
mitigated.

2. Egress monitoring - establish tools or processes to monitor what data is
leaving your company, where it is going, and how it is getting there. Look for
anomalies, abuses, and undesired activities. Perhaps your intellectual
property should never be in China; uploads to 163.com or message attachments
to QQ messenger addresses might be concerning.

3. Technical controls - Does your company need USB drive access? If not,
block them all from moving data via USB. Does anyone in your organization burn
data to CD/DVD media? No? Block it. Turn off the egress vectors that aren't
needed at a user/team/site/org level. The most common egress vectors are USB,
CD/DVD, Email, Network Upload, Print, and wireless transfer like bluetooth.
There are others, but these are the most encompassing. You can do things like
block all emails going to personal email domains like gmail or yahoo; limit
print amounts to 20 pages per user per day; or block access to all
domains/IP's in specific countries or regions on the network.

4. Security Awareness - Employees need to be fully informed about the data
protection requirements you have in place, and the related consequences for
breaking acceptable use policies. Education and awareness campaigns are key,
and probably the most overlooked option available. I personally believe
informing employees about real life cases of data loss/theft, whether they are
your own or just in your industry, is crucial in making the risk seem more
real.

I can't recommend any specific products, but in general I would say look for
tools that can give you things like: data tagging, network activity logging,
end-point monitoring, anomaly detection, live response, data loss prevention
solutions, and/or critical data protection.
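Added example (mine, not part of the thread above): a minimal classify-then-gate check that ties points 1 and 3 of the answer together with the poster's "custom data" question. It tags a message by a company-specific crown-jewel term list plus generic patterns, then applies an egress policy: anything to a personal or blocked domain is blocked outright, crown-jewel content is blocked for any external recipient, and other tagged content going external is held for review. Everything here is constructed for illustration: the company domain, the biotech-style term list (`ENZ-7731`, `compound XK-19`, `project helix`), the blocked-domain set and the sample messages are all hypothetical; the AWS key in the last sample is Amazon's published placeholder value, not a real credential.

```python
import re
from dataclasses import dataclass, field

# Hypothetical company domain; mail to any other domain counts as external.
COMPANY_DOMAIN = "example.com"

# Constructed crown-jewel dictionary (biotech flavour, as in the question).
# In practice this list comes from your classification/tagging system.
CROWN_JEWEL_TERMS = ("ENZ-7731", "compound XK-19", "project helix")

# Generic patterns that are sensitive regardless of company.
GENERIC_PATTERNS = {
    "internal-id": re.compile(r"\bENZ-\d{4}\b"),          # hypothetical internal ID format
    "aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),  # AWS access key ID shape
}

# Personal webmail plus the regional services mentioned in the answer.
BLOCKED_DOMAINS = {"gmail.com", "yahoo.com", "163.com", "qq.com"}


@dataclass
class Message:
    sender: str
    recipients: list
    body: str
    attachments: list = field(default_factory=list)  # list of (filename, extracted_text)


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].strip().lower()


def classify(text: str) -> set:
    """Return the set of tags that apply to a piece of text."""
    tags = set()
    lowered = text.lower()
    if any(term.lower() in lowered for term in CROWN_JEWEL_TERMS):
        tags.add("crown-jewel")
    for tag, pattern in GENERIC_PATTERNS.items():
        if pattern.search(text):
            tags.add(tag)
    return tags


def egress_decision(msg: Message):
    """Return (decision, tags, reasons) where decision is allow, review or block."""
    text = "\n".join([msg.body] + [content for _, content in msg.attachments])
    tags = classify(text)
    reasons = []
    external = [r for r in msg.recipients if domain_of(r) != COMPANY_DOMAIN]
    blocked = [r for r in external if domain_of(r) in BLOCKED_DOMAINS]

    if blocked:  # policy: nothing goes to personal/blocked domains, tagged or not
        reasons.append("recipient on blocked domain: " + ", ".join(blocked))
        return "block", tags, reasons
    if not external:  # internal-only traffic is logged, not interfered with
        return "allow", tags, reasons
    if "crown-jewel" in tags:
        reasons.append("crown-jewel content to external recipient")
        return "block", tags, reasons
    if tags:
        reasons.append("tagged content to external recipient: " + ", ".join(sorted(tags)))
        return "review", tags, reasons
    return "allow", tags, reasons


# Constructed sample traffic; none of these addresses or contents are real.
SAMPLE_MESSAGES = [
    Message("alice@example.com", ["bob@example.com"],
            "Draft results for ENZ-7731 attached."),
    Message("alice@example.com", ["alice.home@gmail.com"],
            "Sending myself the slide deck for the weekend."),
    Message("alice@example.com", ["partner@vendor.org"],
            "Summary of Project Helix yields",
            [("yields.csv", "enzyme,yield\nENZ-7731,0.81")]),
    Message("alice@example.com", ["partner@vendor.org"],
            "Quarterly newsletter draft, nothing confidential."),
    Message("devops@example.com", ["contractor@consult.io"],
            "Environment file attached",
            [(".env", "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE")]),
]


def run_samples():
    """Evaluate every sample message; returns a list of (decision, sorted tags)."""
    results = []
    for msg in SAMPLE_MESSAGES:
        decision, tags, reasons = egress_decision(msg)
        results.append((decision, sorted(tags)))
        print(f"{decision:6} {msg.sender} -> {', '.join(msg.recipients)}"
              f" tags={sorted(tags)} {'; '.join(reasons)}")
    return results


if __name__ == "__main__":
    run_samples()
```

The ordering of the checks matters: the blocked-domain rule runs before the content rules so that a clean-looking mail to gmail is still stopped, and attachment text is classified together with the body so a tagged spreadsheet cannot ride along under an innocuous subject line. Swapping the term list for your own dictionary is the only company-specific part.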

