DLP – How to protect yourself in a pragmatic way against losing data

Author
Reinhold Zurfluh
Published
24. October 2019

Today, data is critical to companies' business success, which is why it is important to take the right security precautions. This also means that important data must not leave the company inadvertently, because a loss of data can threaten the existence of a company. No company is exempt from this – be it via a cyber-attack, threats for within or simply due to carelessness. This is why Data Loss Prevention (DLP for short) is an important aspect of cutting-edge data protection and cyber security strategies – particularly with respect to implementing the DSGVO / GDPR. However, DLP does not necessarily assume that a dedicated solution needs to be implemented! In this article you will learn what this might look like in practice.

DLP belongs in every data protection and cyber security strategy

There are many different causes of data loss, and there are almost as many terms used to describe the ways of protecting against unwanted loss of data, as there are ways in which critical data can leave a company. Just some of these: are Data Leakage Protection / Prevention, Data Loss Prevention, Anti Data Leakage, Insider Threat Protection, Outbound Content Management and Data Extrusion Prevention. All of them have one thing in common: they are designed to stop data leaks and prevent unwanted data flow.

One thing is clear: DLP (Data Loss Prevention) is virtually indispensable for successful data protection and cyber security strategies, as well as for compliance with data protection regulations such as the DSGVO / GDPR.

But where is your data that is worth protecting?

Searching for data that is really worth protecting is for many already an almost hopeless maze. In fact, there are “only" two basic questions to be answered:

  • Which data needs to be protected?
  • Where is this data kept?

The first question is relatively simple to answer. Experience has shown that searching for the data is considerably more difficult. Many corporate networks have grown uncontrollably over the years and the amount of data worth protecting is increasing exponentially these days. Does this sound familiar? You need help with this. You can find out here how to find data worth protecting in the (data) jungle. But new communication channels (e.g. social media) or work related trends (home / mobile office and cloud) also create new risks of data loss.

Our tip: think about both historical and current data – be it on-premises centralised and decentralised, backup, cloud services, etc.

It is also advisable to perform a detailed analysis of cloud applications to ensure that outsourced office and file-sharing apps are included. Do you even know what cloud services your company is using? Because often it's not just those services that have been approved by the company. You can find out more about this in an earlier blog on "Shadow IT".

What do you do with sensitive data?

The next step is to classify the data according to its protection requirements and risk potential. A proven method is to classify the data into three categories: public, internal and confidential. This ensures a quick and easy rollout and keeps you on top of things. Check regularly to ensure that the data classification is appropriate, as a lot of data that initially requires a high level of confidentiality will lose the requirement over time, or data collection may need to be increased.

Clear guidelines need to be developed for dealing with the three categories. These policies govern the accesses and movements that are permitted for the different classes and roles and define binding instructions for data at rest, data in motion and data in use.

Pragmatic methods for preventing data loss

DLP is a core component of a cyber security strategy. To ensure that critical data is reliably protected, companies need to analyse and classify assets and to control access to regulated information with a policy-based approach.

Data Loss Prevention solutions, Network Access Control (NAC), Antivirus solutions, Information Rights Management (IRM) etc. are in fact indispensable tools for data protection. What is frightening is how often this risk is underestimated. Correspondingly, the proliferation of adequate protective measures is low. We hope that's not also true for you too…

If you are fearful that this is the case with you, here are some examples of best practice to help you. This will help you minimise the risk of data loss – even without a dedicated DLP solution.

  • Identity management and access control (IAM) based on the least-privilege approach
    Identity management is and will increasingly become a key competence. Those without access cannot delete or misuse the corresponding data. This is a logical conclusion, but many companies do not factor it in. A policy with minimum rights limits the data access of each user to what is absolutely necessary, task relevant minimum. The use of a policy like this also helps to minimise the risk of intentional data loss (in the form of abusive behaviour). In addition, an appropriate data access management solution can be used to establish an authorisation process that allows users to request access to folders or groups from the appropriate person. Permission to access can be given an expiry date so that access is automatically revoked at the end of this period.
  • Privileged User Management
    Separate privileged user access rights from system access rights, for example by using Jump System / Server / Station solutions. You can find out more about this topic in another blog article.
  • “Defence in Depth” security strategies
    The more layers of protection you can incorporate into your security architecture, the better. A layered defence within your architecture makes it more difficult for an attacker to access critical assets. Find out how to successfully build an enterprise security architecture in our white paper.
  • Cyber security on all endpoints
    There is no antivirus programme and no firewall alone that is capable of stopping an attacker or a malicious insider. However, protective measures like these can prevent less sophisticated attempts from succeeding, or at least limit the scale of the attack. Antivirus programs for e-mail clients can help prevent certain data leaks by scanning e-mail attachments for malware. Supplement Cyber Security on all endpoints by adding an Endpoint Protection Platform (EPP).
  • Encrypt information
    so that it cannot be read by unauthorised people. Specifically, encrypt data on mobile devices (for example with a Mobile Device Management & Security solution) used outside of the company, because these are exposed to a greater level of risk. As well as notebooks and USB devices, think about smartphones and tablets!
  • Don’t forget the Cloud
    Extend DLP policies to include cloud services by incorporating a Cloud Access Security Broker (CASB) to limit access to third-party cloud services (Shadow IT).
  • Detecting suspicious behaviour
    To prevent the leakage of data, any potential attempts to steal data must also be quickly detected and the breach contained. The period of time during which misconduct goes undetected is critical. Detection solutions with User and Entity Behaviour Analysis (UEBA) analyse user behaviour to detect potential data loss, whether it is an external attacker, an insider or an accidental breach.
  • Check security with penetration tests
    Penetration tests help you to test and review your security measures for any potential shortcomings. It also shows you how effective your DLP measures are in detecting different types of attempted intrusion.

In the age of digitisation, DLP is crucial

So it is clear now that dealing with confidential data is a major challenge. Data loss prevention is vital and undeniably has many advantages, but there are also challenges involved that companies need to be addressing. In one of the next blog articles we will describe in detail how you can set up a project like this and implement it through additional measures or a dedicated DLP solution. To make sure you don't miss out on this post, subscribe to our weekly blog updates!

Blog Update Subscription

Also, data loss prevention projects always affect the entire infrastructure and data inventory. That's why they are so complex. For this reason, practically it makes sense to involve external experts such as InfoGuard at an early stage. Our Cyber Security experts have the corresponding project experience and the latest expertise. You can rely on us to put an end to data loss!

Contact

Share article