Ingram Micro
Summer 2008
Channel Advisor    

Data Loss Prevention

Regulatory requirements and bad publicity drive demand for DLP technology and services.

by Tom Farre

It isn't every day that the government helps you market IT solutions. But that's the case with data loss prevention (DLP) solutions, needed by nearly every company storing personally identifiable information such as Social Security numbers, credit card numbers and more. Due to government regulations, when such data leaks, an organization must notify every person whose privacy was compromised. The result can be financial penalties, loss of customers and serious damage to the company's brand.

It also means surging demand for technology and services that prevent data loss, whether by attack from cyberthieves or disgruntled employees; loss from misplaced or stolen mobile devices; or sloppy business processes for using and sharing data.

"As the market and government forces continue to increase the cost associated with data breaches, more companies will begin implementing solutions to deal with these problems," says Robert Scott, managing partner at Scott & Scott, an IT and legal services provider. "Data privacy and regulatory compliance are going to be huge growth areas for the channel."

Carol Baroudi, research director at Aberdeen Group and author of a recent study on data loss, agrees. "I see enormous opportunity for solution providers in data loss prevention," she says. "Some 80 percent of executives say this is a high priority, but the market is only 22 percent penetrated. And people who are using these solutions are getting better results -- it's clear that the technology can make a difference."

To profit from this market, however, you'll need to go beyond familiar security solutions. Preventing data loss can involve a complex mix of technologies that assess and protect confidential information that is stored, in motion on the network, and in use by applications. Because customers need education on the technology and the processes for data loss prevention and compliance, DLP solutions can generate significant professional services revenue -- exactly what solution providers thrive on.

Who Are the Customers?
Recent research highlights the scope of the data-loss problem and the wide range of prospects.

According to a Ponemon Institute study of midsize and large companies, 85 percent have experienced a data security breach. Of these, 95 percent were required to notify customers under state statutes. Some 74 percent reported customer losses, 59 percent faced potential litigation, 33 percent expected potential fines and 32 percent experienced a decline in share values.

With consequences so serious, you'd expect companies to have implemented sophisticated DLP solutions, but that wasn't the case: "What surprised me most from the research was that even after experiencing a data breach, most of the respondents still had very immature controls in place," says Scott, whose company commissioned the study.

The opportunity isn't limited to midsize and large enterprises, experts say. "Preventing data leakage is relevant to every company that has sensitive information, and that includes the smallest firms," says Pamela Fusco, chief security strategist at FishNet Security, a solution provider. "And small organizations that work with larger firms may need to abide by the same regulations and policies."

"The reality is, anyone who deals with sensitive information is at risk from data leakage," says Art Gilliland, senior director of product marketing, Information Foundation Group, at Symantec. "From a brand perspective, large companies face the greatest real dollar risk. But if you think about data leakage more broadly, in terms of intellectual property or an exiting salesperson taking customer accounts, the issue applies to companies of all sizes."

Outlining the Problem
Though cyber attacks and employee malfeasance get the biggest headlines, the reality is more mundane. Research indicates that most data is lost because of bad technology choices, sloppy business processes or user error. The Ponemon Institute found that 88 percent of data breaches were caused by noncriminal activities. Some 42 percent were the result of stolen or missing devices such as unencrypted laptops, PDAs and memory sticks. Only 6 percent were from hacker activity and 6 percent from employee malfeasance.

How employees use and share information must also be examined. "Data loss often happens when good people run afoul of business processes," says Gilliland. "Say I e-mail customer information to my home because I'm doing market research. I'm not trying to steal the data, but it's leaking outside the company because it's sitting on my home computer."

"Now, if the company audits its email through some discovery process," Gilliland continues, "it has to disclose that customer information is lost, even though it's not stolen or being used for nefarious purposes. A lot of companies are trying to figure out how to deploy technologies that allow users to share information and be productive, while still preventing information leakage."

DLP Solutions
Describing the problem this way hints at the broad scope of possible solutions. Security consultants will need to move beyond traditional infrastructure protection to a mix of information-management technologies and risk-management consulting. Instead of protecting servers, endpoints and the network perimeter, the conversation should turn to information protection.

According to Aberdeen Group, this requires a multipart strategy, including the following steps:

  • Assess what constitutes sensitive data.
  • Discover where sensitive data resides.
  • Classify sensitive data.
  • Protect sensitive data, at rest in storage devices, in motion across a network and while in use by an application.
  • Monitor, audit and report on data use.

Technologies to assist in this strategy range from the obvious to the innovative and emerging. They are available from McAfee, Symantec, Websense and a host of specialty firms.

Portable device encryption is an example of the obvious, yet 46 percent of companies had not instituted it even after experiencing a breach, Scott reports. "Encryption is the single most effective way to avoid the negative business impact of data breaches," he says. "In many states, encryption can protect a company from notification requirements. It costs $100 or less and usually takes less than a half hour of IT services time."

Another obvious step involves wiping disks clean when systems are decommissioned. And endpoint security solutions can prevent data leakage through antivirus, antispyware and antiphishing technologies, as well as via device control that prevents sensitive information from being downloaded through an I/O port.

Content monitoring and filtering/data loss prevention (CMF/DLP) solutions are more cutting-edge and complex. Defined by Gartner as technologies to develop and enforce better business practices in the handling and transmission of sensitive data, they scan the infrastructure to discover where sensitive data resides and then control its use, including the ability to apply mandatory access controls. Policy-based solutions are available as gateway appliances to protect stored data and data in motion, such as that in e-mails, instant messages and web traffic. Database-specific protection can flag suspicious usage patterns and provide compliance-related controls and audits.
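
The discover, classify and report steps described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor it names; the sample documents are constructed, and the regular expressions, function names and the "sensitive"/"unrestricted" labels are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample documents; 4111 1111 1111 1111 is a widely used test card number.
DOCS = {
    "crm_export.txt": "J. Doe, SSN 123-45-6789, card 4111 1111 1111 1111.",
    "tickets.txt": "Order ref 4111 1111 1111 1112, ticket 000-12-3456.",
    "newsletter.txt": "Summer 2008 issue, call 555-0100 for details.",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):
    """Checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def ssn_plausible(area, group, serial):
    """Reject values never issued as SSNs (area 000/666/9xx, zero group or serial)."""
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"

def mask(value):
    """Keep only the last four digits so the report does not re-leak the data."""
    return re.sub(r"\d(?=(?:\D*\d){4})", "*", value)

def discover(text):
    """Return (kind, masked value) for each validated SSN or card number in text."""
    hits = [("SSN", mask(m.group())) for m in SSN_RE.finditer(text) if ssn_plausible(*m.groups())]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append(("CARD", mask(m.group())))
    return hits

def scan(docs):
    """Discover, classify and report per document (labels are hypothetical)."""
    report = {}
    for name, text in docs.items():
        hits = discover(text)
        label = "sensitive" if hits else "unrestricted"
        report[name] = (label, dict(Counter(kind for kind, _ in hits)))
    return report

if __name__ == "__main__":
    for name, result in scan(DOCS).items():
        print(name, result)
```

Validating matches (the Luhn checksum for cards, the never-issued ranges for SSNs) is what keeps order references and ticket numbers from being flagged as sensitive data.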

Enterprise-rights management can prevent data leakage via safe document sharing. By defining usage policies so that they stay with a document, it can be protected outside the company gateway. "Say a user wants to share a file or CAD drawing with a trusted partner, but not with the whole world," says Baroudi of Aberdeen Group. "Technologies are emerging that allow a document to be shared in a limited way -- defining how it can be used, putting a time limit on it or requiring user re-authentication after a certain time. Whenever people are collaborating on intellectual property, such technology can be useful."

High Services Potential
With so many technology choices and so much at stake, customers are likely to benefit from education on data loss prevention solutions. Most will also need help in setting policies and devising business processes to ensure information safety.

"As with any multifaceted solution, technology is only part of the answer," says Gilliland of Symantec. "The other side is the advice and expertise on how to implement it, what policies to implement and how to integrate technology into the customer's unique infrastructure."

Customers especially need assistance in defining and identifying sensitive data, says Baroudi, as well as putting a protection strategy together, because "you can't just protect everything," she says. "They also often need help creating data-usage policies -- who has the right to do what, with what?" These are all promising areas where information-aware solution providers can add considerable value.
