Data flows in and out of organizations to partners, customers, remote employees, other legitimate users, and sometimes to unauthorized people. Many organizations that lack effective data loss prevention best practices find that keeping track of all their data is a challenge. One reason is that employees use multiple communication channels—authorized and unauthorized—to send data. They use email, instant messaging, shared online folders, collaborative software, texting, a variety of social media, and other channels. Additionally, employees store their data in many different places, including their desktop, laptop, notebook, smartphone, file server, legacy databases, the cloud, and more. This leads to a lack of visibility into what data is leaving the organization, and complicates prevention of data loss. A program that implements data loss protection best practices can help prevent confidential data from falling into the wrong hands.
Why organizations need data loss protection
The average cost of a data breach in the U.S. is $3.86 million [1]. For large companies, the cost can be higher. For example, in 2014, Home Depot incurred more than $260 million in costs when hackers stole credit card data from more than 50 million customers. As a result, Home Depot paid back banks, credit card companies, and consumers and implemented court-ordered improvements to its security policies.
Multiple industry and government regulations specify rules for the secure handling of different types of data, such as healthcare information (HIPAA) or credit card data (PCI). Breaches of those regulations can add substantial punitive fines to the cost of a data loss.
Data loss prevention solutions
One major part of a data loss prevention (DLP) effort is the selection of a DLP solution to help identify the various types of data in the organization. A DLP solution can also monitor the endpoints or channels through which that data flows. DLP solutions scan data repositories, such as file shares and servers, and then analyze and catalog the content. Some DLP products, or modules in DLP software suites, provide automated reporting for incident response. They can also block egress of sensitive data from the organization, or encrypt it before it is sent, depending on rules the organization establishes.
However, technology is only one component of DLP. Effective data security requires DLP best practices that include detailed policies and procedures for handling and storing sensitive data and for dealing with security violations. Effective DLP also depends on the IT staff’s knowledge of data security requirements and on end user awareness of data security practices.
DLP best practices strengthen data security
Best practices in DLP combine technology, process controls, knowledgeable staff, and employee awareness. Below are recommended guidelines for developing an effective DLP program:
Implement a single centralized DLP program. Many organizations end up with inconsistent, ad hoc DLP practices and technologies that individual departments and business units implement on their own. This inconsistency leads to a lack of visibility into data assets and weak data security. In addition, employees tend to ignore department DLP programs that the rest of the organization does not support.
Evaluate internal resources. To create and execute a DLP plan, organizations need personnel with DLP expertise, including DLP risk analysis, data breach response and reporting, data protection laws, and DLP training and awareness. Some government regulations require organizations to either employ internal staff or retain external consultants with data protection knowledge. For instance, the GDPR includes provisions that affect organizations that sell goods or services to European Union (EU) consumers or monitor their behavior. The GDPR mandates a data protection officer (DPO) or staff that can assume DPO responsibilities, including conducting compliance audits, monitoring DLP performance, educating employees on compliance requirements, and serving as a liaison between the organization and compliance authorities.
Conduct an inventory and assessment. An evaluation of the types of data and their value to the organization is an important early step in implementing a DLP program. This involves identifying relevant data, where the data is stored, and whether it is sensitive data—intellectual property, confidential information, or data that regulations address. Some DLP products, such as McAfee DLP, can quickly identify information assets by scanning the metadata of files and cataloging the result or, if necessary, by opening the files to analyze the content. The next step is to evaluate the risk each type of data poses if it is leaked. Additional considerations include data exit points and the likely cost to the organization if the data is lost. Losing information about employee benefits programs carries a different level of risk than the loss of 1,000 patient medical files or 100,000 bank account numbers and passwords.
Implement in phases. DLP is a long-term process that is best implemented in stages. The most effective approach is to prioritize types of data and communication channels. Likewise, consider implementing DLP software components or modules as needed, based on the organization's priorities, rather than all at once. The risk analysis and data inventory help establish these priorities.
Create a classification system. Before an organization can create and execute DLP policies, it needs a data classification framework or taxonomy for both unstructured and structured data. Data security categories might include confidential, internal, public, personally identifiable information (PII), financial data, regulated data, intellectual property, and others. DLP products can scan data using a pre-configured taxonomy, which the organization may later customize, to help identify the key categories of data. While DLP software automates and speeds classification, humans select and customize the categories. Content owners can also visually evaluate certain types of content that cannot be identified using simple keywords or phrases.
Establish data handling and remediation policies. After creating the classification framework, the next step is to create (or update) policies for handling different categories of data. Government requirements specify the DLP policies for handling sensitive data. DLP solutions typically apply pre-configured rules or policies based on various regulations, such as HIPAA or GDPR. DLP staff can then customize the policies to the needs of the organization. To administer the policies, DLP enforcement products, such as McAfee DLP Prevent, monitor outgoing channels (like email and web chat) and provide options for handling potential security breaches. For instance, an employee about to send an email with a sensitive attachment might receive a pop-up that suggests encrypting the message, or the system might block it entirely or redirect it to a manager. The response is based on rules the organization establishes.
Educate employees. Employee awareness and acceptance of security policies and procedures is critical to DLP. Education and training efforts, such as classes, online training, periodic emails, and posters can improve employee understanding of the importance of data security and enhance their ability to follow recommended DLP best practices. Penalties for breaching data security may also improve compliance, especially if they are clearly defined. The SANS Institute provides a variety of data security training and awareness resources.
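The classification and data handling guidelines above, sketched as an added example that is not part of the original article and is not any vendor's implementation: outgoing content is classified with simple detectors, then the first matching rule picks the response (block, suggest encryption, or redirect to a manager). The category names, channel names, patterns, and rule table are assumptions chosen for illustration.

```python
import re

# Hypothetical detectors and rules for illustration, not a vendor's rule set.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MARKING_RE = re.compile(r"\b(confidential|internal use only)\b", re.I)
# Ordered most to least restrictive: (category, channel or "*", action).
RULES = [
    ("financial", "*", "block"),
    ("pii", "web_chat", "block"),
    ("pii", "email", "redirect_to_manager"),
    ("confidential", "email", "suggest_encryption"),
    ("confidential", "*", "block"),
]

def luhn_ok(digits):
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text):
    """Return the set of data categories detected in the text."""
    found = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.add("financial")
    if SSN_RE.search(text):
        found.add("pii")
    if MARKING_RE.search(text):
        found.add("confidential")
    return found or {"public"}

def decide(text, channel):
    """First matching rule wins; content no rule covers is allowed."""
    categories = classify(text)
    for category, rule_channel, action in RULES:
        if category in categories and rule_channel in ("*", channel):
            return action
    return "allow"

# Constructed sample messages (the card number is a well-known test value).
SAMPLES = [("Card 4111 1111 1111 1111 exp 12/30", "email"),
           ("Order ref 1234567890123456 shipped", "email"),
           ("CONFIDENTIAL: Q3 roadmap draft", "web_chat")]
for text, channel in SAMPLES:
    print(channel, sorted(classify(text)), "->", decide(text, channel))
```

The Luhn check is what keeps the 16-digit order reference from being treated as a card number; pattern matching alone would block it, which is the kind of false positive that pushes users toward unmonitored channels.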
Data loss prevention resources
[1] Ponemon Institute, 2018. “Ponemon Study Shows the Cost of a Data Breach Continues to Increase.” https://www.ponemon.org/news-2/23.