Ask an Expert
Planning the right solution requires an understanding of your project’s security goals. Let Kingston’s experts guide you.
DLP stands for data loss prevention. DLP is an approach or set of strategies consisting of tools or processes which, when used by a network administrator, can ensure that sensitive data is not accessed, misused or lost by unauthorised users. With DLP, users do not send sensitive or critical information outside the organisation’s network. Network users have the potential to accidentally or maliciously share data which could harm the organisation to which the network belongs, for example by forwarding business emails out of the corporate domain or uploading sensitive files to a commercial cloud storage service such as Dropbox. DLP software categorises and protects sensitive data, whether it’s business critical, confidential or regulated.
The circumstances have never been more in favour of widespread adoption of DLP software. The volume of data exposed by data breaches has been growing year on year. Between 60% and 70% of all data breaches warrant public disclosure, which has a significant effect on company reputation and, often, finances. 84% of IT leaders think DLP is more challenging with a remote workforce. Every 11 seconds, another business falls victim to a cyberattack. In the US, the cost of an average data breach is $9.44 million. DLP addresses three common pain points for organisations’ IT security: personal information protection/compliance, IP protection and data visibility.
DLP is also beneficial for oversight on insider threats, Office 365 data security, user/entity behaviour analysis and advanced threats.
When beginning an assessment of how best to implement DLP for your organisation, it is important to remember: not all data is critical. Different organisations will prioritise different data. Which data would be the most disastrous if stolen? Focus your initial DLP strategy on protecting that.
Consider classifying your data by context. Associate a classification with the source app, the data store or the creator user. Persistent classification tags mean that organisations can track data’s use.
Training and guidance can reduce the risk of accidental data loss by insiders. Advanced DLP solutions offer user prompting to alert employees that their data use may violate company policy or increase risk, as well as controlling risky activity.
Successful DLP deployments are aided by an understanding of how data is used in your organisation and how to identify risky behaviour. Organisations need to monitor data in motion as part of a strategy to observe what’s happening to their more sensitive data, and to understand the issues any DLP strategy should address.
The level of risk will naturally vary depending on your data’s destination, such as partners, customers or the supply chain. It’s often at greatest risk when in use on endpoints, such as in an email or a removable storage device. A robust DLP programme will account for these risks of mobile data.
What’s your primary data protection objective? Perhaps it isn’t a specific data type. Protecting IP, meeting regulatory compliance and obtaining data visibility all are worthy objectives. Having an established objective simplifies the determination of how to deploy your DLP solution effectively.
With DLP, it is important not to run before you can walk. Set fast, measurable objectives for your initial, defined approach. You could take a project approach, narrowing the programme’s initial scope to focus on a specific data type, for example by concentrating on discovering and automating the classification of sensitive data. This is a better strategy than an overly elaborate and ambitious initial rollout.
In rolling out your DLP programme, determine and monitor KPIs so that you have metrics for its success and areas of improvement. Share these metrics with your organisation’s leaders to show the value that DLP is adding.
When you are rolling out your initial DLP programme, don’t make the mistake of implementing it one department at a time. Inconsistently applied, ad hoc DLP practices will be ignored by the sections of the organisation to which they do not directly relate, making them largely a waste of resources.
Related to this, it’s best to obtain buy-in from executives in your organisation, such as the CFO and CEO, to procure an approved budget for a DLP programme. Show how DLP addresses pain points for different business units, such as profitable growth and the efficient use of assets (as DLP eliminates the need for additional staff). This makes it easier to advocate for and coordinate organisation-wide adoption of the programme. When you collaborate with business unit heads to define DLP policies that will govern your organisation’s data, all business units will know the policies, how they fed into them and their impact.
The DLP market is evolving to react to the increase in very large data breaches.
Many cybersecurity specialists concur that the responsibility of upholding data security standards does not fall only on the shoulders of those in their field, but everyone in an organisation. While the IT department will naturally handle most of the work, all stakeholders in an organisation influence security policy and implementation. A data breach causes company-wide harm, which an IT department cannot possibly handle alone. All leaders in an organisation should be invested and involved in the development of a DLP solution. The experts recommend that leaders are at the table for the discovery process, so that they can ask questions and view demos before signing off on the final decision.
While encryption is not the entire solution to data loss, it is integral to any solution. When properly implemented, strong encryption is unbreakable. However, failures in implementation will be exploited by bad actors.
If organisations are proactive in their approach to cybersecurity, detecting and deterring insider threats is easier. The use of Kingston’s line of IronKey encrypted flash drives is a great way to help an organisation to meet its DLP objectives. Internal training for knowledge, skills and awareness is one method of doing so. Another is implementing monitoring activities to establish parameters for activities within work functions, which flag instances outside of those rules.