Know what data exists, where it’s located, who uses it, and why it’s being used.


1. Define & Classify Your Data

1.1  Ascertain whether your company processes sensitive data

If your organization handles Personally Identifiable Information (PII), financial or medical details, or other types of sensitive data, that data must meet strict compliance standards such as GDPR, CCPA, etc.

Do your homework and make sure you know how to handle all the data you process in terms of every relevant security framework, as well as specific industry standards. For example, if you do business with any individual who falls under EU jurisdiction, you must ensure GDPR compliance. Be aware that some countries also have security regulations specific to particular industries. Last, but not least, acknowledge that your own organization has its own sensitive data too, so make sure data is classified within the organization.

1.2 Ensure that the end-users classify their data

Organizations and their staff should classify all data that is created, stored, used, shared, archived, and destroyed (i.e. throughout the entire data life cycle).

There are four ways organizations can classify their data, namely:  

  • Public data may be disclosed to any person regardless of their affiliation with the organization (e.g. marketing material)
  • Internal data is information that is potentially sensitive and is not intended to be shared with the public (e.g. team notes and presentations)
  • Confidential data is any information that could adversely affect individuals or the organization if made available to unauthorized parties. This includes data that the organization may be required to keep confidential, either by law or under a confidentiality agreement with a third party, such as a vendor (e.g. business plans, employee information, IP, etc.)
  • Restricted data is information that the company has a contractual, legal, or regulatory obligation to safeguard in the most stringent manner. Data should be classified as “Restricted” when the unauthorized disclosure, alteration, or destruction of that data could cause a significant level of risk to the organization, its customers, or its partners (e.g. credentials, medical records, company secrets, etc.)

Tip: It’s a best practice to treat unclassified data as internal data.

2. Analyze Your Data

In order to monitor and control data movement, you need full visibility of all events (system, user, and data) in all places (endpoint, network, and cloud). This lets you perform thorough data analysis, mitigate the risk of data loss, better safeguard corporate data, and ensure regulatory compliance.

3. Protect Your Data

Generally, it’s the Data Protection Officer or the Chief Information Security Officer’s job to protect the data. Yet in some cases, it’s the IT people who have to put on their capes and become data heroes by figuring out ways to keep the data safe. But in an ideal world, data protection should be a joint effort; IT, Security & Risk leaders, and business unit leaders should co-create the DLP policy and define rules and detectors that would catch sensitive data and prevent it from being shared.

Creating the rules is not difficult; what is tricky is figuring out all the data you need to match, and how you need to match it, i.e. configuring the rule conditions such as regular expressions (regex) and word lists. It takes time to define all those patterns, and there is the risk of false positives. So expect a fair amount of trial and error, but remember that it is necessary in order to maintain data security.
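As an added example (not code from the article), a small Python detector showing how regex rules and word lists map matches onto the classification levels from section 1.2, with a Luhn checksum used to cut false positives on card-number patterns. The rule set, the tier names, and the sample strings are all constructed for illustration.

```python
import re

# Constructed rule set (not from the article): each detector is tagged with the
# classification level from section 1.2 that a match implies.
LEVELS = ["public", "internal", "confidential", "restricted"]
# Restricted tier: payment card numbers (13-16 digits, optional separators) and US SSNs.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Word lists for the lower tiers, matched case-insensitively as whole phrases.
WORD_LISTS = {
    "confidential": ["business plan", "salary", "vendor contract"],
    "internal": ["team notes", "internal only"],
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def detect(text: str) -> list:
    """Names of the rules that fired, after false-positive filtering."""
    hits = []
    for m in CARD_RE.finditer(text):
        # Only count a card-shaped run as a hit when the checksum holds.
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append("restricted:card")
    if SSN_RE.search(text):
        hits.append("restricted:ssn")
    lowered = text.lower()
    for level, words in WORD_LISTS.items():
        for w in words:
            if re.search(r"\b" + re.escape(w) + r"\b", lowered):
                hits.append(f"{level}:{w}")
    return hits

def classify(text: str) -> str:
    """Highest level implied by any hit; unclassified text defaults to internal (tip in 1.2)."""
    best = LEVELS.index("internal")
    for hit in detect(text):
        best = max(best, LEVELS.index(hit.split(":", 1)[0]))
    return LEVELS[best]
```

Calling `classify("Order ref 1234 5678 9012 3456")` returns `internal` because the digit run fails the Luhn check, whereas a checksum-valid test number such as `4111 1111 1111 1111` is reported as `restricted`.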

Last, but not least, when it comes to data protection, as an IT admin you need to:

  • Have data visibility
  • Manage access
  • Investigate data usage patterns for misuse
  • Ensure data retention compliance
  • Protect sensitive data via encryption to ensure confidentiality

In the end, it is necessary to be proactive about data security, and cross-department collaboration is the best way to go. The DLP policy should be in line with corporate culture, and educating the workforce on data security issues is crucial for the success of the policy. You can also measure the effectiveness of the policy using metrics such as the number of incidents, the percentage of false positives and overrides, average response time, and so on.