Data loss prevention (DLP) is a set of processes and technologies that ensure sensitive data is not lost, misused or exposed to unauthorized users by end-users or misconfiguration.
Most data loss prevention solutions rely on data classification. This means that sensitive data is grouped into different buckets, e.g. regulated, confidential, financial data, intellectual property, and business-critical data.
These categorizations are fed into DLP policies that can be defined by the organization or within predefined policy packs, typically driven by regulatory requirements such as HIPAA, 23 NYCRR 500, PCI-DSS, CPS 234 or data protection laws like PIPEDA, CCPA, LGPD, the SHIELD Act, and GDPR.
Learn how to comply with the third-party risk management requirement of 23 NY CRR 500.
Once a violation has been identified, DLP software enforces remediation with real-time alerts, encryption, and other protective actions to prevent end-users from accidentally or maliciously sharing data that could put the organization or its customers at risk.
Other features common in DLP solutions include:
- Monitoring: DLP tools provide visibility into data, endpoint activities, and system access on corporate networks and cloud services to protect data at rest, in motion, and in use
- Filtering: Tools can filter data streams to restrict data exfiltration, as well as suspicious or unidentified activity
- Reporting: Tools provide logging and reports, helpful for incident response and auditing
- Analysis: Tools can identify vulnerabilities, data leakage, and suspicious behavior providing forensic context for security teams
Why is Data Loss Prevention Important?
According to Gartner estimates, “By 2021, 90% of organizations will implement at least one form of integrated DLP, an increase from 50% today," making data loss prevention a top priority for many CISOs.
Today, sensitive or confidential data can reside on a variety of computing devices (physical servers, virtual servers, databases, file servers, PCs, point-of-sale devices, flash drives, and mobile devices). And it also moves through a variety of network access points (wired, wireless, VPNs, public hotspots).
Consider this scenario.
Your marketing team needs to move your email list from one email service provider to another, and they store the data on an S3 bucket while they decide on a new tool. Once the tool has been decided on, the contacts are uploaded and all is well.
Except your marketing team didn't configure the S3 bucket correctly, and it is publicly accessible.
This isn't nefarious but it is human error, and it is a breach of data security.
DLP technology can help prevent this mistake from happening in the first place, or at least detect that it has happened so it can be remediated before it falls into the wrong hands.
While this example may not seem like a big deal, it's just a list of emails.
But what if it was your customers' credit card number or social security number? This could cause irrefutable damage and expose your customers to identity theft. Here are four ways that data leaks are commonly exploited:
- Credit card fraud: Cybercriminals can exploit leaked credit card information to commit credit card fraud.
- Black market sales: Once the data is exposed, it can be auctioned off on the dark web. Many cybercriminals specialize in finding unsecured cloud instances and vulnerable databases that contain credit card numbers, social security numbers and other personally identifiable information (PII) to sell on for identity fraud, spam or sphishing operations. It can be as simple as using search queries in Google.
- Extortion: Sometimes information is held over a company's head for ransom or to cause reputational damage.
- Degrading competitive advantages: Competitors may take advantage of data leaks. Everything from your customer lists to trade secrets gives your competitors access to your resources and strategy. This could be as simple as what your marketing team is working on or complex logistical operations.
Read our full guide on data leaks here.
What is Driving the Adoption of Data Loss Prevention Software?
Data leaks and data breaches are increasingly common, and the average cost has grown by 12 percent in the last five years to $3.92 million.
While the DLP market is not new, it has evolved to include managed services, SaaS offerings, cloud functionality, and advanced threat protection. In addition to the rising cost, other trends are driving wider adoption of DLP:
- CISOs: More companies have hired and are hiring a Chief Information Security Officer (CISO) to prevent data leaks, data breaches, and to manage security tools.
- Compliance: The widespread introduction of extraterritorial general data protection laws like PIPEDA, CCPA, LGPD, FIPA, and GDPR has increased the demand for DLP.
- Increased attack surface: Increased cloud usage and more third-party vendors mean the number of attack vectors and cyber attacks the average organization is exposed to is on the rise. DLP can provide visibility and context of events that surround your data before it is exposed.
- Growth in data breaches: Both the size and frequency of data breaches is on the rise. See our article on the world's biggest data breaches to learn more.
- Data is worth more: Stolen data can be sold on the dark web for real profits or used for identity theft, insurance fraud, and other cybercrime.
- More data is considered sensitive: As these new rules and regulations come in, the definition of sensitive data and therefore, what needs to be protected has expanded. This can now include pricing, business methodologies, and psychographics.
- Talent shortage: Many DLP solutions now offer managed services to help fill roles that cannot be filled internally.
- Security ratings: Security ratings providers automate security control monitoring, making it easier for non-technical stakeholders to ask about why specific controls around data loss prevention are not being used. Read more about why security ratings are important here.
Does My Organization Need a DLP Solution?
Data loss prevention solves four main issues that are common across many organizations:
- Protection of regulated or sensitive data: If your organization stores personally identifiable information (PII), protected health information (PHI), or payment card information (PCI), you are likely subject to regulatory requirements. This could be HIPAA (for PHI), GDPR (for PII of EU residents), or PCI-DSS for credit card processors. DLP can help identify, classify, and tag sensitive information and monitor its use. Even if you don't operate in the EU, GDPR is an extraterritorial law meaning it applies to any organization that holds PII of EU residents.
- Intellectual property protection: Chances are your organization has important intellectual property or trade secrets that could result in a loss of market position if they were lost or stolen. DLP can help you secure data on cloud storage or on-premise while reducing the risk of industrial espionage, regulatory action, and reputational damage.
- Data visibility: DLP solutions can provide additional visibility into data movement, help you see and track data on endpoints, networks, on-premise, and the cloud. This provides you with visibility into how individual users within your organization are interacting with data and improves cloud security.
- Mobile workforce cybersecurity: The rise of Bring Your Own Devices (BYOD) and mobile devices has increased the risk of insider threats, data breaches, and phishing. DLP can help secure your mobile workforce and enforce security across devices.
What are the Components of a Data Loss Prevention Solution?
The six main components of any DLP strategy are:
- Data identification: To determine what data needs to be protected, organizations need to classify specific data as sensitive, this can be done manually by applying security policies and metadata or automatically via techniques like machine learning.
- Securing data in motion: Technology installed at the network edge can analyze traffic to detect sensitive data that is being sent in violation of security policies.
- Securing endpoints: Endpoint-based agents can control data transfers between users, groups of users, and external parties. More sophisticated DLP solutions may even block attempted communications in real-time and provide user feedback.
- Securing data at rest: Access control, the principle of least privilege, encryption, and data retention policies can protect archived data.
- Securing data in use: Some DLP systems can monitor and flag unauthorized activities that users may intentionally (e.g. privilege escalation attacks) or unintentionally perform with or on data.
- Data leak detection: If sensitive data is exposed, it's important to quickly remediate the issue. The most sophisticated data leak detection tools scan the open and deep web for data exposures, across S3 buckets, GitHub repos, Trello boards, and RSync and FTP servers to quickly close leaks.
What are Data Loss Prevention Best Practices?
- Determine your data protection goals: Are you trying to meet regulatory requirements, protect intellectual property, or just gain more visibility in your data? Having a rough idea of what you need to do will help you determine a DLP solution.
- Get executive buy-in: Data loss prevention isn't only a security decision, educate internal stakeholders about how it can help them achieve their own goals, e.g. it can help compliance teams avoid regulatory action.
- Establish evaluation criteria: What type of deployment architecture is offered? Do you need Linux, Microsoft Windows or OSX support? Does your organization need to worry about internal or external cyber threats? Will you classify data yourself or rely on pre-built policies? What regulations must you comply with? How quickly do you need to get a DLP solution in place? Do you need additional staff?
- Clearly define roles and responsibilities: Clearly define who is involved and what each person is responsible for?
- Begin by securing the most sensitive data first: This is likely data you must protect based on regulations, as well as data that represents the biggest risk to your organization.
- Automate as much as possible: Given the volume of data the average business processes, DLP isn't generally something that a human can do at scale.
- Use anomaly detection: Modern DLP tools use machine learning, behavioral analytics, and psychographic data to identify abnormal user behavior.
- Document the DLP strategy: A documented DLP strategy is required by many regulations, and provides clarity at the organizational level.
- Establish metrics: Cybersecurity metrics and cybersecurity performance management must be used to measure the effectiveness of your DLP strategy.
- Don't save unnecessary data: Businesses should only use, save, and store essential information.
- Avoid insecure data storage: Organizations must have strict data storage policies and avoid the use of portable storage devices, such as USB flash drives.
How UpGuard Can Help Prevent Data Loss
UpGuard BreachSight can monitor your organization for 70+ security controls providing a simple, easy-to-understand cyber security rating and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos and more. The major difference between UpGuard and other security ratings vendors is that there is very public evidence of our expertise in preventing data breaches and data leaks.
Additionally, UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates. We can help you continuously monitor your vendors' external security controls and provide an unbiased security rating.
We base our ratings on the analysis of 70+ vectors including:
- Susceptibility to man-in-the-middle attacks
- Insecure SSL/TLS certificates
- SPF, DKIM and DMARC settings
- HTTP Strict Transport Security (HSTS)
- Email spoofing and phishing risk
- Vulnerabilities
- Malware susceptibility
- Unnecessary open administration, database, app, email and file sharing ports
- Exposure to known data breaches and data leaks
- Vulnerable software
- HTTP accessibility
- Secure cookie configuration
- Results of vendor risk assessment questionnaires