Insider Threat Management

How Insiders Get Around Data Loss Prevention Solutions

(Updated on 10/11/2020)

Many organizations rely on data loss prevention (DLP) solutions to secure information, but data leaks still happen. That's because legacy DLP solutions can't always effectively monitor employees' digital activities, privileged administrators, and third party users-–insiders who all have access to critical data. So, it’s not surprising that the average insider threat incident can take 72 days to contain, according to insider threat statistics. Let’s look at how DLP solutions work, how insiders may get around them, and a more modern way to manage insider threats.

How DLP Solutions Work (and Where they Fall Short)

Traditional DLP solutions monitor communication channels (i.e. ports, protocols or storage locations) and prevent certain data from leaving the corporate perimeter based on predefined rules. For example, DLPs could be configured to automatically remove or quarantine a spreadsheet saved to a file server if it contains PII or financial data. Unfortunately, these systems have proven imperfect, particularly in the modern workforce. Here’s where they can fall short:

A lack of cloud application monitoring capabilities

While DLPs aim to prevent data loss, it hasn’t been particularly effective at monitoring cloud applications. While these applications increase access to sensitive information, they’re also critical to boosting worker productivity. With remote work on the rise, it’s nearly impossible for a data-centric solution like DLP to detect all suspicious user activity. Users can create, modify, and share information completely independently of a DLP-controlled source.

Inability to differentiate legitimate and malicious user activity

Often, DLPs can’t distinguish inappropriate user behavior from legitimate user activity. In addition, it’s become nearly impossible to maintain meaningful restrictions on what information should be leaving a company at a network level, because DLP solutions make decisions without business context. As a result, most DLP solutions barely restrict data from leaving a company because there’s a general fear of slowing down employee productivity.

Puts the onus on the user

Since DLP solutions are far away from where data is created (applications), they often lack the context and understanding of the user’s intention in order to make a reliable decision. For example, it can be difficult for the system to decide whether a certain file should be quarantined or allowed. Users often need to make these decisions themselves. Leaving the task of protecting your data up to your employees isn’t always the wisest decision. Beyond the concern of malicious insiders, two out of three insider threat incidents are caused by user mistakes.

Difficult to fine-tune

While some DLP solutions have adapted techniques such as sanitization and the full encryption of Social Security numbers and other sensitive data, they nonetheless require a significant amount of dedicated staff hours to continuously fine-tune rules and review alerts on a case-by-case basis. This fine-tuning can sometimes be a simple review of content that has been delayed from leaving. An example would be a human resources administrator trying to send employee data to a new healthcare company. Since files may contain sensitive employee PII, this legitimate task could easily get snagged in a DLP solution.

Heavy on the endpoint

Finally, DLP solutions often slow users down, causing applications to lag, computers to crash, and productivity to be compromised. In a worst-case scenario, an insider can choose to circumvent a DLP system altogether—either because it’s too slow, or because of malicious intentions.

How Insiders Get Around DLPs

The motives of insider threats can vary greatly. According to a recent Verizon Insider Threat Report, three of the most common types of insider threat incidents are accidental leaks, misuse, and data theft. Let’s look at how an insider in each of these scenarios might circumvent a DLP solution (whether knowingly or not).

Accidental Leaks

Employee mistakes are all too common, and often allow malicious actors to access corporate systems without their knowledge. For example, phishing attacks are the most common tactic of hackers, according to a recent report from Carbon Black. The most sophisticated hackers can easily get past DLP systems and access files within the corporate perimeter. In this case, a user allows an intruder into the system by clicking a malicious email link without realizing it.


Often, malicious insiders intentionally misuse corporate systems for their own gain (whether it’s financial, revenge-based or other reasons). Privileged users can be particularly risky for organizations, since they have credentials to unlock the most sensitive systems, and the knowledge to disable a DLP system or encrypt sensitive data so it easily flows through. For example, a privileged user may escalate their privileges, or allow themselves access to areas of the server that are off-limits. Or, they may intentionally leave security holes in a cloud service before they leave an organization, allowing a backdoor into the organization’s most sensitive data. Without context into a privileged user’s activity, a DLP solution can’t do much to stop this behavior.

Data Theft

There are many ways users steal data from an organization. If a DLP solution is the only defense, a malicious insider could easily perform a web search for “how to disable a DLP,” or send sensitive files to a cloud service like Dropbox. Or, in some scenarios, a malicious insider can just indicate to a DLP system that their activity is legitimate (even if it isn’t). Without additional context, a DLP has no way of detecting risky user activity before data loss occurs.

In cases of malicious insider threat, insiders often enter an exploratory phase of using authorized access to do unauthorized things. Because no rules are being broken according to DLP, IDS, firewalls, and AV systems, they are unable to detect these activities. Next, these insiders may continue with small acts of risky behavior to test what they can get away with. They’ll ask coworkers for access to data, or attempt to download data extraction tools. As time goes by, they build confidence in how they’re able to gain access, and they gradually become bigger threats to the organization.

The Solution: Focus on Data and User Activity

To effectively manage all types of insider threats, organizations should focus on a combination of user and data activity (rather than cataloging and tracking data alone). Since many organizations have made a significant financial and time commitment to their DLP systems, they may find it more efficient to supplement DLP with a user activity monitoring solution that can detect risky insider behavior or common mistakes.

Focusing on a combination of user and data activity will prevent some of these insider threat incidents from wreaking havoc on your organization. For example, a solution like Proofpoint Insider Threat Management (ITM) can help teams gain context into who did what, when, and even why—speeding the time to investigate. A people and data-based insider threat management strategy can prove a more modern and effective approach than DLP solutions alone.

Subscribe to the Proofpoint Blog