Data Loss Prevention (DLP)

DLP Meaning and Definition

Data loss prevention (DLP) makes sure that users do not send sensitive or critical information outside the corporate network. The term describes software products that help a network administrator control the data that users can transfer.

DLP products use policy rules to classify and protect confidential and critical information so that users cannot accidentally or maliciously share data through unauthorised channels, which would put the organisation at risk. For example, if an employee tried to forward a business email outside the corporate domain or upload a corporate file to a consumer cloud storage service like Dropbox, the action would be blocked.

Organisations are adopting DLP tools because of insider threats and rigorous data privacy laws, many of which have stringent data protection or data access requirements. In addition to monitoring and controlling endpoint activities, some DLP tools can also be used to filter data streams on the corporate network and protect data in motion.

DLP Best Practices

Here is how to initiate a successful DLP deployment:

  • Prioritise Data
    Not all data is equally critical. Every organisation has its own definition of critical data. The first step is to decide which data would cause the biggest problem if it were stolen. DLP should start with the most valuable or sensitive data that is likely to be targeted by attackers.

  • Classify the data
    A simple, scalable approach is to classify data by context. This means associating a classification with the source application, the data store or the user who created the data. Applying persistent classification tags to the data allows organisations to track their use. Content inspection is also useful. It examines data to identify regular expressions, such as Social Security and credit card numbers or keywords (example: “confidential”). Content inspection often comes with pre-configured rules for PCI, PII, and other standards.

  • Understand when data is at risk
    There are different risks associated with data distributed to user devices or shared with partners, customers and the supply chain. In these cases, the data is often at highest risk at the moment it is in use on endpoints. Examples include attaching data to an email or moving it to a removable storage device. A robust DLP program must account for the mobility of data and when data is at risk.

  • Monitor data in motion
    It is important to understand how data is used and to identify behaviour that puts data at risk. Organisations need to monitor data in motion to gain visibility into what’s happening to their sensitive data and to determine the scope of the issues that their DLP strategy should address.

  • Communicate and develop controls
    The next step is to work with business line managers to understand why this is happening and to create controls for reducing data risk. At the beginning of a DLP program, data usage controls may be simple. Controls can target common behaviours that most line managers would agree are risky. As the DLP program matures, organisations can develop more granular, fine-tuned controls to reduce specific risks.

  • Train employees and provide continuous guidance
    Once an organisation understands when data is moved, user training can reduce the risk of accidental data loss by insiders. Employees often don’t recognise that their actions can result in data loss and will do better when educated. Advanced DLP solutions offer user prompting to inform employees of data use that may violate company policy or increase risk. This is in addition to controls to outright block risky data activity.

  • Rollout
    Some organisations will repeat these steps with an expanded data set or extend data identification and classification to enable fine-tuned data controls. By initially focusing on securing a subset of the most critical data, data loss prevention is simpler to implement and manage. A successful pilot program will also provide options for expanding the program. Over time, a larger percentage of sensitive information will be included, with minimal disruption to business processes.

DLP Statistics

43% of data breaches are internal.

A common misconception is that data loss occurs mainly from malicious attackers. External breaches still account for over half of all data breaches. But internal data breaches are also increasing and account for nearly half of all data breaches.

60% to 70% of all data breaches warrant public disclosure.

Public disclosure of a breach can be harmful to the reputation of any company. A study conducted by Intel found that 70% of data loss incidents in smaller commercial organisations (SMEs or SMBs) either warranted public disclosure or had a negative financial impact.

DLP Tools and Technology

Proofpoint Email Data Loss Prevention offers integrated data protection for email and attachments. It is designed to stop accidental data exposure and to block attacks by third parties or impostors delivered via email. It can be used in conjunction with other information protection suite products, such as Proofpoint Data Discover and Proofpoint Email Encryption.

A full-suite DLP tool has four elements: a central management server, network monitoring, storage DLP and endpoint DLP. In a small deployment, everything except the endpoint agent may be consolidated on a single server or appliance. Larger deployments may include multiple distributed pieces to cover different elements of the infrastructure.

With this suite of DLP tools, organisations always know where their private or proprietary data resides, including intellectual property, personal identification, patient information, financial information and more. It helps organisations to simplify discovery and quickly evaluate data so they can respond to any issue. The Proofpoint in-place DLP solution, Content Control, helps organisations:

  • Easily locate sensitive data, wherever it resides in the enterprise. The simplified discovery process enables IS and IT teams to be aware of issues without dealing with a complex DLP solution or using a lock-it-all-down approach.

  • Evaluate historical data and ensure that new data is evaluated as it’s created. Quarantine, move or delete files that violate policy so that misplaced material does not expose the organisation. For example, if corporate content is discovered in a Dropbox synchronisation folder, the user is automatically alerted and the data is moved to the IT security team’s sanctioned repository.

  • Evaluate the metadata and the full text within a file. This enables IT security departments to identify credit cards, personal identification, license numbers, medical information and more. This process also teaches users best practices for data management and security on the job—without hindering productivity or workflow.