Data is invaluable for businesses in the digital age. Sensitive data includes internal communications, financial records, customer information, and even other companies’ information. The explosion of remote work, cloud services, and global supply chains has greatly increased the number of opportunities for a data breach to occur. This makes the need for data loss prevention, and other protective systems even more vital.
Data loss prevention systems are needed to protect the sensitive information that cyber attacks are targeting. In the most recent IBM study, the average cost of a data breach was £4.45 million. This is a record high, and is showing how data loss prevention systems are becoming more important each day.
Just improving cyber defence tools will not be enough. Dividing the approach with the other systems, and employee behavioural changes as well, will give the greatest improvements. Now what, and how, will the data loss prevention systems be implemented, and what will be their protective measures?
Why Sensitive Business Data Is at Greater Risk Than Ever
Data related to business has a greater volume, variety, and velocity than ever before. Sensitive information is stored on more than just one platform; it is often stored on emails, collaboration applications, cloud storage, endpoint devices, and third-party services. Because of this, gaining control over the movement of data and access to data has become ever more difficult.
The loss of data due to human error is a problem that we are going to have to deal with for some time. It is easy for employees and other individuals to misplace documents, keep them in folders that are not secure, and send them to the wrong people. Cyber criminals are aware of this and utilise phishing, ransomware, and advanced persistent threats to target individuals.
The Ponemon Institute conducted a study in 2022 that found 63% of insider data breaches are due to people not being malicious, but negligent. This illustrates the importance of creating a culture where the practice of data loss prevention is not solely based on technology and high punitive measures.
Core Elements of a Robust Data Loss Prevention Strategy
DLP strategies should implement protection mechanisms for all three states of sensitive data: data in motion, data at rest, and data in use. Here are strategies organisations can implement for each of these states.
Data Classification and Inventory
Before understanding the methods to protect data, organisations must first ascertain what data is present and where it is located. This begins the process of conducting thorough organisational data inventories and data classification exercises. This includes identifying which data is considered sensitive and tagging it (e.g. Personally Identifiable Information (PII), data related to financial aspects, and trade secrets).
Data tagging and/or data classification exercises are useful to assist organisations in further motivating and/or focusing data protection measures and aligned policies. These also assist organisations in meeting regulatory compliance for data classified as sensitive (data) in which these referenced data compliance regulations (e.g. GDPR, CCPA, and HIPAA) require more stringent data protection measures for certain types of data identified as sensitive and/or protective.
Implementing RBAC (Role Based Access Control)
Access to data protection controls is differentiated by defined roles and responsibilities, and job functions is one of the first DLP (Data Loss Prevention) strategies to be implemented. Employees should only be provided data access required to complete their job functions. RBAC serves to reduce employee insider threats and/or unintended employee acts of data sabotage, as well as reducing the ‘blast radius’ in the event of a user account credential theft occurring.
The more advanced DLP (Data Loss Prevention) systems are designed to function with existing Identity Access Management (IAM) systems in place to provide and/or manage role-defined access, security authentication, and data rights protection.
The protection of Data and/or Protected data in the event of a Device theft, Device loss, and/or Device compromise is an endpoint protection goal, and Protected endpoint device endpoint protection is one part goal of endpoint protection systems. Endpoint protection systems also include but are not limited to disk encryption, remote data wipe, and behavioural analytics.
Businesses continue to struggle with intentional and unintentional data breaches through electronic mail (email) services. The inclusion of email data loss prevention (DLP) tools which identify sensitive data and block transmission of such data offers some assistance. Data encryption added to the email content provides additional protections.
Staff Education and the Mitigation of Internal Risks
Data breaches through electronic mail (email) functions cannot be entirely eliminated through technical methods only. Organisations must periodically cultivate a security-based culture through staff training and awareness programmes. Staff cultivation on the identification of phishing (social engineering) emails, secure methods for sharing sensitive data, and the reporting of secure breaches is essential for organisational protection.
An Internal Data Loss Prevention (DLP) system which integrates person-centred analytics user behaviour with risk scoring is capable of reporting and preventing large volume data downloads, unauthorised data sharing, and unusual data access behaviour. The primary focus of such a system is to analyse and report potentially unsafe behaviour to prevent data breaches.
Leveraging Data Loss Prevention Software
At the heart of many modern strategies lies data loss prevention software. These tools are designed to monitor, detect, and control data movement across the organization. By enforcing policies based on content, context, and user behavior, data loss prevention software plays a crucial role in maintaining visibility and control.
The most effective approach to Data Loss Prevention (DLP) software is to programme all actionable attempts to be flagged or blocked. This includes copying documents to a USB drive, making uploads to unapproved cloud services, or printing documents the software considers to be confidential. Top-tier DLP software also provides opportunities for development with cloud environments, environments with endpoint protection, and systems with cyber traffic security.
DLP software can help businesses understand and execute complex compliances. For instance, if the software detects the breach and/or unlawful transmittance of protected health information (PHI) outside a company or organisation, the software can halt the transmittance of the information. The software is designed to keep a company or organisation’s sensitive accounts protected, in addition to the software making the accounts load ready for an audit to show that the sensitive information of the company or organisation was account protected.
Data protection in the cloud
With the continual increase in companies implementing cloud services, the protection of sensitive data in the cloud, particularly in the SaaS applications, becomes a major concern for companies. DLP for the cloud provides DLP to these services including Microsoft 365, Google Workspace, Dropbox, and AWS.
Policy-based DLP can also be applied to DLP-compliant chat, email, or file-sharing applications. When sensitive data (like credit card numbers or customer records) is shared, admins can receive notifications or policies that are automatically enacted. The aim of cloud DLP is not to eliminate productivity, but to control the access and flow of information to and from protected information.
Ongoing Monitoring and Automation of Incident Responses
Ongoing activity monitoring and automated incident responses are characteristics of advanced DLP programmes. This includes defining thresholds for attempted data exfiltration, detection of anomalies, and prioritisation of alerts.
Loss prevention systems frequently work in tandem with Security Information and Event Management (SIEM) solutions. This allows for loss prevention systems to enable centralised logging, correlation, and forensics in the event of a data security loss.
An incident response plan must include components for containment, root cause determination, and reporting. An organisation’s ability to rapidly identify and respond to a data loss incident determines the effect on the organisation’s ability to continue operations and its reputation.
Legal and Regulatory Compliance
DLP is not only considered a best practice, but is often a requirement under the law. There are regulations that are specific to certain industries that describe how data must be handled, stored, and protected. Examples include:
- HIPAA has requirements regarding how healthcare providers handle and protect patient data.
- PCI-DSS has guidelines on how payment cards are to be protected.
- GDPR and CCPA focus on the rights and protection of consumers’ data.
The consequences of not following these regulations can be devastating both financially and in terms of damage to a brand. Data loss prevention software serves to protect compliance in these instances as well as the exposure of sensitive data by enforcing the organisation’s guidelines and providing the organisation with the ability to document and create reports that are ready for auditing.
Managing Third Party Risks
With the addition of outsourcing, partnerships, and supply chains, data exposure increases. Third party vendors, contractors, and collaborators can potentially have access to sensitive data and as a result, it is imperative that the DLP guidelines are applied to them as well.
This can include the establishment of secure file transfer protocols, limited access to internal systems, and third-party audits via activity logging. Data protection clauses must be included in contracts, and access to data must be routinely reviewed and denied based on the user’s needs.
The Importance of Organisational Strategy for Future Data Breaches
More often than not, data breaches occur because of a myriad of failures. For example, issues can include a lack of oversight, insufficient visibility into the issue, untrained people, poor configuration, etc. An unambiguous approach to identify, monitor, and subsequently protect data at all possible levels and use-cases will ensure the mitigation of the risks outlined above.
The companies that excel in preventing data loss do not just implement the most well-known and newest data loss prevention (DLP) tools. They build a business strategy that creates, reinforces, and sustains a culture of security, and adopts a flexible and adaptable approach to the ever-evolving threats that the business and its data face.
Final Remarks
In our current business climate, protecting sensitive data is an integral part of business operations. If data is lost due to high or low employee negligence, the repercussions are the same for the business. Data loss prevention (DLP) as a business strategy is a necessity.
The most critical data for an organisation can be protected through thorough and well-thought-out business practices and less through the deployment of the newest data loss prevention (DLP) tools. To truly protect the organisation, prevent breaches, and protect the business, the DLP tools must be integrated into the organisation to be an active part of the normal business operations, be a part of a DLP strategy that is integrated, mature, flexible, and is a responsive strategy backed by the organisational leadership.