Ask an Expert
Planning the right solution requires an understanding of your project's security goals. Let Kingston's experts guide you.
DLP stands for Data Loss Prevention. DLP is an approach or set of strategies consisting of tools or processes which, when used by a network administrator, can ensure that sensitive data is not accessed, misused, or lost by unauthorized users. With DLP, users do not send sensitive or critical information outside the organization’s network. Network users have the potential to accidentally or maliciously share data which could harm the organization to which the network belongs, for example by forwarding business emails out of the corporate domain or uploading sensitive files to a commercial cloud storage service such as Dropbox. DLP software categorizes and protects sensitive data, whether it’s business-critical, confidential, or regulated.
The circumstances have never been more in favor of widespread adoption of DLP software. The volume of data exposed by data breaches has been growing year after year. Between 60% and 70% of all data breaches warrant public disclosure, which has a significant effect on company reputation and often finances. 84% of IT leaders think DLP is more challenging with a remote workforce. Every 11 seconds, another business falls victim to a cyberattack. In the US, the cost of an average data breach is $9.44 million. DLP addresses three common pain points for organizations’ IT security: personal information protection/compliance, IP protection, and data visibility.
DLP is also beneficial for oversight on insider threats, Office 365 data security, user/entity behavior analysis, and advanced threats.
When beginning an assessment of how to best implement DLP for your organization, it is important to remember: not all data is critical. Different organizations will prioritize different data. Which data would be the most disastrous if stolen? Focus your initial DLP strategy on protecting that.
Consider classifying your data by context. Associate a classification with the source app, the data store, or the creator user. Persistent classification tags mean organizations can track data’s use.
Training and guidance can reduce the risk of accidental data loss by insiders. Advanced DLP solutions offer user prompting to alert employees that their data use may violate company policy or increase risk, as well as controls for risky activity.
Successful DLP deployments are aided by an understanding of how data is used in your organization and how to identify risky behavior. Organizations need to monitor data in motion as part of a strategy to observe what’s happening to their more sensitive data, and to understand the issues any DLP strategy should address.
The level of risk will naturally vary depending on your data’s destination, such as partners, customers, or the supply chain. Data is often at greatest risk when in use on endpoints, such as when it is sent in an email or copied to a removable storage device. A robust DLP program will account for these risks of mobile data.
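The following added example (not Kingston's code and not any DLP product's API) shows how context-based classification, persistent tags, destination risk and user prompting can fit together in one policy check. Every app, data store, user, label and risk value in it is a constructed assumption.

```python
from dataclasses import dataclass

# Constructed context rules: (attribute, value, label). All names are hypothetical.
CONTEXT_RULES = [
    ("creator", "dana", "confidential"),          # creator user
    ("data_store", "hr-share", "regulated"),      # data store
    ("source_app", "cad-suite", "business-critical"),  # source app
]
RANK = {"public": 0, "business-critical": 1, "confidential": 2, "regulated": 3}

@dataclass
class Item:
    name: str
    source_app: str
    data_store: str
    creator: str
    tag: str = "public"  # persistent tag that travels with the item

def classify(item: Item) -> Item:
    """Assign the most restrictive label whose context rule matches."""
    for attr, value, label in CONTEXT_RULES:
        if getattr(item, attr) == value and RANK[label] > RANK[item.tag]:
            item.tag = label
    return item

# Assumed destination risk levels (0 = inside the organization, 2 = leaves its control).
DEST_RISK = {"internal_email": 0, "partner_email": 1, "external_email": 2,
             "cloud_upload": 2, "removable_storage": 2}

def decide(item: Item, destination: str) -> str:
    """Return allow / prompt / block from tag sensitivity and destination risk."""
    risk = DEST_RISK.get(destination, 2)  # unknown destinations count as high risk
    level = RANK[item.tag]
    if level == 0 or risk == 0:
        return "allow"
    if level >= 2 and risk == 2:
        return "block"
    return "prompt"  # warn the user that the action may violate policy

def audit(events):
    """Evaluate data-in-motion events; return (name, tag, destination, action)."""
    return [(i.name, i.tag, d, decide(i, d)) for i, d in events]

SAMPLE = [  # constructed events
    (classify(Item("drawing.dwg", "cad-suite", "eng-share", "alice")), "removable_storage"),
    (classify(Item("contract.docx", "word", "hr-share", "dana")), "external_email"),
    (classify(Item("menu.pdf", "word", "public-share", "bob")), "cloud_upload"),
    (classify(Item("payroll.xlsx", "excel", "hr-share", "carol")), "internal_email"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

The audit rows double as a usage trail for each tagged item, which is the kind of record a data-in-motion review would start from.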
What’s your primary data protection objective? Perhaps it isn’t a specific data type. Protecting IP, meeting regulatory compliance, obtaining data visibility: all are worthy objectives. Having an established objective simplifies the determination of how to deploy your DLP solution effectively.
It is important not to run before you can walk with DLP. Set fast, measurable objectives for your initial, defined approach. You could take a project approach, narrowing the program’s initial scope to focus on a specific data type, for example by concentrating on discovering and automating classification of sensitive data. This is a better strategy than an overly elaborate and ambitious initial rollout.
In rolling out your DLP program, determine and monitor KPIs so that you have metrics for its success and areas of improvement. Share these metrics with your organization’s leaders to show the value that DLP is adding.
When you are rolling out your initial DLP program, don’t make the mistake of implementing it one department at a time. Inconsistently applied, ad hoc DLP practices will be ignored by the sections of the organization to which they do not directly relate, making them largely a waste of resources.
Related to this, it’s best to obtain buy-in from executives in your organization, such as the CFO and CEO, to procure an approved budget for a DLP program. Show how DLP addresses pain points for different business units, such as profitable growth and the efficient use of assets (as DLP eliminates the need for additional staff). In this way, organization-wide adoption of the program is easier to advocate for and coordinate. When you collaborate with business unit heads to define DLP policies that will govern your organization’s data, all business units will know the policies, how they fed into them, and their impact.
The DLP market is evolving to react to the increase in very large data breaches.
Many cybersecurity specialists concur that the responsibility of upholding data security standards does not fall only on the shoulders of those in their field, but everyone in an organization. While the IT department will naturally handle most of the work, all stakeholders in an organization influence security policy and implementation. A data breach causes company-wide harm, which an IT department cannot possibly handle alone. All leaders in an organization should be invested and involved in the development of a DLP solution. The experts recommend that leaders are at the table for the discovery process, so that they can ask questions and view demos before signing off on the final decision.
While encryption is not the entire solution to data loss, it is integral to any solution. When properly implemented, strong encryption is unbreakable. However, failures in implementation will be exploited by bad actors.
If organizations are proactive in their approach to cybersecurity, detecting and deterring insider threats is easier. The use of Kingston’s line of IronKey encrypted flash drives is a great way to help an organization meet its DLP objectives. Internal training for knowledge, skills, and awareness is one method of doing so. Another is implementing monitoring activities to establish parameters for activities within work functions, which flag instances outside of those rules.