Data has become a valuable commodity in the digital world. Unfortunately, this commoditization of data leads to its monetization, and cybercriminals love to follow the money. According to “The State of Security 2022,” an analysis by Splunk and the Enterprise Strategy Group, “almost half (49%) of organizations have experienced a data breach since 2020, a 10% increase on 2019 figures.”
Data loss prevention (DLP) is a methodology that uses tools, measures, and processes to stop data from accidentally or maliciously leaving the controls of the enterprise.
The data lifecycle and DLP
Data is created, shared, used, and held at rest. DLP protects against data loss during this lifecycle, reducing the risk of exposure. This exposure can be from malicious third parties, malicious insiders, or simple accidents. The three parts of a data lifecycle can be described as:
Data in Use: as authenticated users use data on endpoints, the data must be secured using robust access controls. A zero trust model of ‘never trust, always verify’ is often used to protect sensitive data access.
Data in Motion: as data is transmitted across a network it becomes vulnerable to Man-in-the-Middle attacks. During the transfer, data must be encrypted using email and messaging security protocols and tools.
Data at Rest: When data is stored in the cloud, databases, or other storage devices, it must be protected using robust authentication, least privilege access, encryption, and data retention policies.
How does DLP work?
Modern enterprises often have complex technical and working environments, so DLP solutions must protect data across multiple clouds, mobile endpoints, and remote workplaces. Data loss prevention platforms are designed to work across these expanded systems. However, data loss prevention is not just about using technology to prevent leaks and hacks. DLP is about the three pillars of security: people, processes, and technology. In the context of DLP, these pillars operate in the following way:
People: employees and the extended workforce must understand their role in preventing accidental data leaks. Security awareness training educates people on their role in the broader security landscape. Security awareness includes understanding the impact of sharing passwords, the importance of data privacy, how a simple email mis-delivery can lead to data exposure, and how to prevent becoming involved in phishing attacks and other social engineering scams.
Processes: optimizing the people and technology pillars depends on robust, optimized processes that are reflected and enforced using policies. Not all data is created equal, and some may need special attention. For example, data classification is a core process determining the type of protection and security level required for that data class. Data security policies and procedures should align with the goals of a business and meet regulatory compliance requirements. These processes also help to determine rules that DLP software can enforce.
Technology: DLP technologies provide the security required to protect various data types and classes. Technology choices include encryption, access control, zero trust architecture models, internet security protocols such as TLS, content analysis and security, and machine learning. DLP technologies work at the network, endpoint, and cloud layers to provide 360-degree data loss prevention.
What kinds of data loss does DLP prevent?
DLP solutions and measures protect any type or form of data, as needed, for security and regulatory requirements. Typical types of data covered by DLP include:
- Sensitive information such as customer or financial data
- Personally identifiable information (PII)
- Protected health information (PHI)
- Intellectual property (IP)
- Private company data
- Sensitive communications, such as emails that contain company information
Where data loss occurs
Data can be lost at any point during its lifecycle. Typical areas that see data loss occurring include:
It only takes an accidental ‘reply to all’ or choosing the wrong name from a list to send confidential information to the wrong person(s). Staff under pressure can easily mis-send emails, and the result can be far worse than embarrassment. Mis-delivered emails can result in non-compliance fines and reputational damage. Evidence for the widespread nature of email mis-delivery was identified in the “Verizon Data Breach Investigations Report” (DBIR). For example, the report found that ‘mis-delivery’ of emails containing sensitive data accounted for 55% of financial sector errors.
A 2022 World Economic Forum report found that human error is behind 95% of security breaches. This human error comes in many forms but includes misconfiguration of databases and web servers, mis-delivery of emails (as mentioned above), clicking on phishing links, sharing of passwords, and other simple security mistakes or poor security hygiene. External hackers then take advantage of many of these errors to steal data. Alternatively, hackers look for vulnerabilities in web servers, databases, and devices, installing malware that exfiltrates data or directly stealing data from the flawed system.
Increasingly, ransomware does not just encrypt data, but it also steals the data. For example, CLOP ransomware, which was behind a large number of attacks in recent years, exfiltrates company data first before demanding a ransom. A 2022 CrowdStrike report found that data leaks from ransomware attacks increased by 82% in 2021.
DLP best practices
Below are some of the most important best practices when developing a DLP program:
What do you want the DLP program to achieve? Identify the objectives of your DLP program. Then, develop a map of all the business areas that use data and require specific data loss prevention policies. This should also include areas that privacy and data protection regulations must cover.
Identify and classify data: one of the most challenging parts of implementing a successful DLP program is to locate data across expanded networks and edge devices. Software tools, such as machine learning-based labeling systems and advanced DLP tools, can help to make even hidden data visible. However, once data is identified, it should be classified according to company policies on data sensitivity and criticality.
Data security policies: the intelligence gathered in the two best practices above is used to help develop data security policies. These policies provide the intelligence for DLP system architects and designers to establish rules to enforce DLP.
Rules for access to data: the access points are one of the most vulnerable areas and an attack focus. Use robust authentication and authorization and apply the principles of least privilege. Look at using a zero trust model for data access. Zero trust requires stringent checks to verify that a person, or the device they are using, has access rights to data at any given place or point in time.
Train staff in security: human error is behind many data leaks. Even with DLP software tools in place, training staff and other business associates on security matters is essential. This training should be done regularly to keep up to date with the changing face of cyber-attacks that target data.
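The classification and rule steps described under "Processes", "Identify and classify data" and "Data security policies" can be illustrated on the email mis-delivery case with the added example below, which is not from the original article or from any DLP product. The internal domain, the labels, the patterns and the policy table are all assumptions constructed for illustration.

```python
import re

INTERNAL_DOMAIN = "example.com"  # assumption: the company's own mail domain
# Assumed policy table: may data with this label leave the internal domain?
MAY_LEAVE = {"public": True, "internal": False, "restricted": False}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")      # candidate card numbers
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # US SSN layout (PII)
MARKING_RE = re.compile(r"\b(confidential|internal only)\b", re.I)

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Return the most sensitive label whose pattern appears in the text."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            return "restricted"
    if SSN_RE.search(text):
        return "restricted"
    if MARKING_RE.search(text):
        return "internal"
    return "public"

def evaluate(recipients, body):
    """Block when classified content is addressed to an external recipient."""
    label = classify(body)
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]
    action = "block" if external and not MAY_LEAVE[label] else "allow"
    return action, label, external

# Constructed sample messages (not real data).
SAMPLES = [
    (["alice@example.com", "bob@example.org"], "Customer card 4111 1111 1111 1111"),
    (["bob@example.org"], "Order ref 1234 5678 9012 3456 has shipped"),
    (["alice@example.com"], "Internal only: draft pricing"),
]

if __name__ == "__main__":
    for to, body in SAMPLES:
        print(evaluate(to, body))
```

The Luhn check is what keeps the second sample, a 16-digit order reference, from being treated as a card number; pattern matching alone would block it as a false positive.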