Data Loss Prevention – Best Practices and Common DLP Mistakes

Businesses today generate astounding amounts of data just to run everyday functions and keep up with their competitors. Over the last decade, the world has experienced explosive growth in data on a scale that would have seemed unfathomable in the past. To put into perspective just how much data we're talking about, consider the latest data from IDC's Global DataSphere study. IDC estimates that global data creation and replication will reach an eye-watering 181 zettabytes in 2025, up from 64.2 zettabytes in 2020. One zettabyte is the storage equivalent of 30 billion 4K movies.

However, while this explosive growth has undoubtedly supported rapid technological expansion, it comes at a cost. The more data you have, the more information you need to protect and manage. And failure to safeguard data leads to costly data breaches.  

No business, regardless of size, is immune to data breaches. With this in mind, preventing data loss or leakage is now a vital priority for modern businesses. Cybersecurity is no longer a like-to-have; it's a must-have. This is where data loss prevention (DLP) strategies come in. A DLP strategy aims to improve information security and protect against data breaches by utilizing a combination of robust tools and policies.

To implement a DLP strategy that successfully keeps the business's network safe from bad actors, companies need to know what to focus on and how to avoid common pitfalls.  

Best Practices for Successful DLP Strategies 

Protecting the Most Sensitive Data First 

Not all data is equally sensitive or important. For example, intellectual property like trade secrets, blueprints, upcoming patents, and other intangible assets can be crucial to your company's success, while this week's PDF menu for the cafeteria is not. Equally, some employee and customer data are more sensitive than others. For example, Social Security Numbers (SSNs), credit card information, and taxpayer-identification numbers deserve more protection than linkable (but not identifiable) information like gender or non-specific age (20-30 instead of 25).

Companies should determine the specific information they want to protect first. A sound basis for criteria is any information that presents the most significant risk to the business if exposed or locked in the case of a ransomware attack.  

Classifying Data 

After identifying the most sensitive and critical data in your company, it's a good idea to classify all other data. By evaluating risk factors and sensitivity, you can begin to implement a comprehensive information security strategy.  

The first step in classifying data is determining where all your data resides. For example, how much and what kind of data do you have in databases, cloud storage, email, shared network drives, and so on?
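
As an added illustration (not part of the original article), the sketch below classifies a small constructed inventory by location, treating SSNs and Luhn-valid card numbers as the top tier. The tier names, the linkable-field keywords and the sample records are assumptions made for the example.

```python
import re

# Constructed sample inventory: (location, file name, content). Not real data.
SAMPLE = [
    ("shared-drive", "cafeteria_menu.txt", "Monday: soup. Order ref 1234 5678 9012 3456"),
    ("database", "customers.csv", "Jane Roe,4111 1111 1111 1111,2027-01"),
    ("email", "hr_thread.eml", "New hire SSN is 123-45-6789, please file."),
    ("email", "survey.eml", "gender: F, age band: 20-30"),
]

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
LINKABLE_RE = re.compile(r"\b(gender|age band)\b", re.I)  # assumed field names
TIERS = ["low", "internal", "restricted"]  # assumed tier names, least to most sensitive


def luhn_ok(digits):
    """Luhn checksum; rejects most digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def classify(text):
    """Return the highest tier that any detector assigns to this text."""
    if SSN_RE.search(text):
        return "restricted"
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            return "restricted"
    return "internal" if LINKABLE_RE.search(text) else "low"


def inventory(records):
    """Map each storage location to the most sensitive tier found there."""
    worst = {}
    for location, _name, text in records:
        tier = classify(text)
        if TIERS.index(tier) > TIERS.index(worst.get(location, "low")):
            worst[location] = tier
        worst.setdefault(location, "low")
    return worst


if __name__ == "__main__":
    for loc, tier in inventory(SAMPLE).items():
        print(f"{loc:13} {tier}")
```

The 16-digit order reference in the cafeteria menu fails the Luhn check and stays in the lowest tier, which is the kind of false positive a pattern-only rule would raise.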

Utilize Automation and Anomaly Detection 

Manual processes are time-consuming and worryingly vulnerable to human error. By contrast, by choosing a DLP solution that utilizes automation, you can apply processes more broadly and accurately across the organization. Additionally, many DLP solutions today use machine learning and behavioral analytics to identify unusual activity. This allows the company to establish several baselines for "normal" activity rather than broadly applying rules that don't apply to every user.  
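
The difference between a broad rule and per-user baselines can be shown with a short added example (not from the original article). The upload volumes, the 500 MB global limit and the threshold k are constructed assumptions; the baseline uses a median and median absolute deviation, which is one simple choice among many.

```python
from statistics import median

# Constructed daily upload volumes in MB per user; the last value is "today".
HISTORY = {
    "designer": [900, 1100, 950, 1000, 1050, 980, 1020],
    "accountant": [12, 9, 15, 11, 10, 13, 400],
}
GLOBAL_LIMIT_MB = 500  # assumed one-size-fits-all rule


def global_rule(today_mb):
    """Broad rule: flag anyone who uploads more than the fixed limit."""
    return today_mb > GLOBAL_LIMIT_MB


def baseline_rule(past, today_mb, k=6.0):
    """Flag when today exceeds the user's own median by more than k robust deviations."""
    med = median(past)
    # Median absolute deviation; fall back to 1.0 so a flat history cannot divide by zero.
    mad = median(abs(x - med) for x in past) or 1.0
    # 1.4826 scales MAD to be comparable with a standard deviation.
    return (today_mb - med) / (1.4826 * mad) > k


def evaluate(history):
    """Return both verdicts per user so the two approaches can be compared."""
    out = {}
    for user, series in history.items():
        past, today = series[:-1], series[-1]
        out[user] = {
            "global": global_rule(today),
            "baseline": baseline_rule(past, today),
        }
    return out


if __name__ == "__main__":
    for user, verdict in evaluate(HISTORY).items():
        print(user, verdict)
```

The global rule flags the designer's routine 1 GB day and misses the accountant's jump from about 12 MB to 400 MB; the per-user baseline does the opposite.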

Archiving Data 

You need to decide which data needs to be archived, when, and how those archives will be protected. It's critical to protect archived data from both external hackers and insider threats, like an employee with privileged access who could alter records.  

Determine the Policy on Deleting Data 

You don't need to save all your data forever. A robust DLP policy should define which data needs to stay and for how long. You should routinely purge any expired or unnecessary data. Attackers can't steal data that doesn't exist.

Assigning Appropriate Access 

Once data has been classified, appropriate access controls need to be implemented. For example, employees should only be given access to the data they need to do their job, regardless of seniority. Whaling attacks (a social engineering attack targeted at high-ranking employees) are often successful because higher-ups have privileges beyond their needs.  

Establish Metrics for Success 

Once you deploy a DLP, you need to monitor it against your criteria for success. For example, you should establish goals for Mean Time to Response, number of incidents, number of policy exemptions (temporary permissions granted on a case-by-case basis), number of false positives, and more.  

Common Mistakes to Avoid 

Not Getting Executive Buy-In 

Any effective cybersecurity policy requires the support of top-level executives. DLP policies don't exist in isolation but rather impact the business as a whole - every department and every employee. If the highest-ranking employees aren't invested in the strategy or don't see the benefits, it becomes difficult to successfully roll out a comprehensive DLP strategy.  

Wasting Space on Useless Data 

Storage becomes cheaper every year, but that doesn't mean the cost is insignificant. Beyond cost, storing and creating backups of unnecessary data can make your backup tools run less efficiently or even malfunction, which may then harm the backup process for more crucial data.  

Not Investing in Employee Education 

According to an IBM study, human error is the primary cause of 95% of data breaches. Here, human error means unintentional or non-malicious actions that result in cyber-attacks. There are many different types of human error, but one high-profile example from recent years is the 2017 WannaCry ransomware attack. This attack impacted hundreds of thousands of computers globally and caused widespread financial losses. Microsoft had already patched the exploit used in the attack many months before, but the affected computers didn't have the update installed. Why? Because users hadn't downloaded the latest patch.

Storing Backups in the Same Location as the Original Databases 

While this mistake is becoming less common with the rising popularity of cloud-based backups, it's still something to consider. Many companies use local backup systems to store copies of their mission-critical data, but this is hugely risky. If your backup is stored in the same location as the original database, it experiences the same risks and threats.  

Final Thoughts 

Data is the lifeblood of modern businesses, and as such, data loss can have devastating consequences, both financially and to reputation. With this in mind, deploying a robust data loss prevention policy is the best way to protect your systems from cyber threats.  
