Data loss prevention (DLP) -- sometimes referred to as data leak prevention, information loss prevention and extrusion prevention -- is a strategy for preventing individuals from accessing sensitive information who do not need it. It also ensures that employees do not send sensitive or critical information outside the corporate network.
While security teams use DLP to prevent sensitive information and intellectual property from leaking outside of the corporate firewalls, it's also a software strategy. And DLP use is growing. Gartner estimates that by the end of 2021, 90% of organizations will have implemented at least one form of integrated DLP, up from 50% in 2017.
There are two types of DLP products -- dedicated and integrated. Dedicated are standalone products, which are in-depth and complex. Integrated products are more basic and work with other security tools. They focus on policy enforcement and are less expensive than dedicated DLP tools.
DLP software products use business rules to enforce regulatory compliance and classify and protect confidential and critical information so unauthorized users cannot accidentally or maliciously share data that could put the organization at risk.
Sensitive information can be deliberately leaked or stolen by a malicious insider or external hackers, but research shows that most data loss is through internal staff making a mistake with no malice aforethought. However, that doesn't lessen the severity of the problem.
How does data loss prevention work?
DLP software monitors, detects and blocks sensitive data from leaving an organization. That means monitoring both entry to the corporate networks as well as data attempting to exit the network is necessary.
Most DLP software products are centered on blocking actions. For example, if an employee tries to forward a business email against company policy outside the corporate domain or upload a corporate file to a consumer cloud storage service such as Dropbox, the employee would be denied permission.
Also, DLP software can block employee computers from reading and writing to USB thumb drives to prevent unauthorized copying.
Detection is primarily around incoming email, looking for suspicious attachments and hyperlinks for phishing attacks. Most DLP software offers organizations the option of flagging inconsistent content for staff to manually examine or blocking it outright.
For some time, detection and blocking was done using rules set by an organization's security team, but those were simplistic and often circumvented. Newer software uses machine learning-based artificial intelligence, which can learn and improve the approach to detection and blocking over time.
Learn more about how to choose the right type of data loss prevention product.
Why is data loss prevention important?
Data loss can at best cost businesses a hefty -- if not massive -- fine, and at worst put an organization out of business or even land someone in jail. In 2017, Equifax lost the personal and financial information of nearly 150 million people due to an unpatched database. The company failed to fix the vulnerability promptly, then failed to inform the public of the breach for weeks after it was discovered. In July 2019, the credit agency was fined $575 million.
Data loss could definitely cost C-levels their job. CEOs and CIOs at Equifax and Target resigned in disgrace following major data breaches that hurt their companies and cost them millions in fines.
If the fines don't kill a business, the loss of customer and public faith might. A 2019 report by the National Cyber Security Alliance, based on a Zogby Analytics survey of 1,006 small businesses with up to 500 employees, found that 10% of companies went out of business after suffering a data breach, 25% filed for bankruptcy and 37% experienced a financial loss.
What are the types of data loss prevention?
Network data loss prevention covers a range of data security techniques. These include:
- Data identification. DLP is only useful if it is told what is and is not sensitive. Businesses should use an automated data discovery and classification tool to ensure reliable and accurate identification and categorization of data rather than leave it to humans to decide.
- Protecting data in motion. Data is moved around quite a bit internally, and external breaches often rely on this to reroute the data. DLP software can help ensure that data is not routed someplace it should not go.
- Protecting data at rest. This technique secures data when it is not moving, such as residing in databases, other apps, cloud repositories, computers, mobile devices and other means of storage.
- Endpoint data loss prevention. This type of DLP functionality protects data at the endpoint device level -- not just computers, but mobile phones and tablets as well. It can block data from being copied or encrypt all data as it is transferred.
- Data leak detection. This technique involves setting a baseline of normal activity, then actively looking for unusual behavior.
Data loss prevention best practices
Here are some the steps businesses can take to implement a DLP program:
- Conduct an inventory and assessment. Businesses can't protect what they don't know they have. A complete inventory is a must. Some DLP products -- from vendors such as Barracuda Networks, Cisco and McAfee -- will do a complete scan of the network.
- Classify data. Organizations need a data classification framework for both structured and unstructured data. Such categories include personally identifiable information (PII), financial data, regulatory data and intellectual property.
- Establish data handling and remediation policies. The next step after classifying the data is to create policies for handling it. This is especially true with regulated data or in areas with strict rules -- such as Europe with GDPR and California with CCPA.
- Implement a single, centralized DLP program. Too many organizations implement multiple DLPs across different departments and business units. This leads to inconsistency of protection and the lack of a full picture of the network. There should be one overarching program.
- Educate employees. Unintended actions are far more common than malicious intent. Employee awareness and acceptance of security policies and procedures is critical to DLP.
Data loss prevention tools and technologies
It's doubtful one tool will fulfill all of an organization's data loss prevention needs. Fortunately, many DLP vendors have a single area of focus, while others have suites of tools that fit together. Businesses can assemble a set of a best-of-breed tools or use an all-in-one suite. Some of the premier vendors include:
- CA Data Protection. This software protects data in use, in motion and at rest.
- Check Point Data Loss. This tool focuses on breaches and data exfiltration.
- CoSoSys Endpoint Protector. This is a dedicated all-in-one protector for Windows, Apple and Linux.
- ManageEngine Device Control Plus. This is a dedicated endpoint protector focused on USB security.
- McAfee Total Protection for DLP. This is a suite of six DLP products for discovery, monitoring and prevention.
- SecureTrust DLP Discover. This product focuses on insider risk, such as data theft and unauthorized internet use.
- SolarWinds Data Loss Prevention with Access Rights Manager. Despite the recent issue with a massive security breach by Russian hackers, SolarWinds is widely viewed as one of the best DLP providers out there.
- Symantec Data Loss Prevention. This enterprise-level DLP software covers endpoints, data center and cloud computing.
Read more about specific data loss prevention tools.
In this Buyers Guide series, gain a better understanding on how to deploy data loss prevention products and how they work, learn how and when to deploy data loss prevention products, get criteria for comparing and choosing the right data loss prevention product, hand learn how to create an enterprise data classification policy.