Debunking the common myths of Data Loss Prevention (DLP)

Within the data security industry, Data Loss Prevention (DLP) has something of a chequered history. When it first came to market in 2004, it arrived to fanfare and great expectations, but as businesses struggled with the cost and complexity of deploying first generation DLP software, demand quickly waned. Fast forward ten years though, and the dramatic increase in big data breaches, coupled with much more appealing offerings such as DLP as a service, cloud functionality and advanced threat protection, means it is now firmly back on the security agenda.

Today’s DLP is sophisticated, automated and affordable. Despite this, some businesses are still wary of it. Why? This article will look at what DLP is, how it can benefit businesses of all sizes, and importantly, dispel some of the lingering myths about DLP that are preventing some businesses from truly embracing it.

What is DLP and why do businesses need it?

In short, DLP is a set of technology tools and processes that ensures sensitive data is not lost or stolen from within a business's network. It does this by actively scanning data throughout the network, identifying sensitive information that requires protection and taking the required actions automatically. These could include alerting users to their actions, displaying prompts and, if necessary, blocking, quarantining, or encrypting data before it can be removed.

Historically, DLP has been most heavily utilised in regulated industries such as financial services and healthcare, where the penalties for data loss are severe. However, with businesses in all sectors storing more and more sensitive customer data on their systems, the need for DLP is now greater than ever.

Debunking the myths

At present, around 50 per cent of all organisations have some form of DLP in place, but Gartner expects this figure to rise to over 90 per cent by 2018, showing just how much importance will be placed on it in the next few years. However, in order for this level of adoption to be reached, some of the common myths surrounding DLP must be dispelled. Below are three such myths and explanations designed to debunk them once and for all.

MYTH 1: DLP requires significant internal resources to manage and maintain

While this was true in the past, new DLP options require no dedicated internal resources to manage and maintain. The introduction of automation and managed security services has eased what was perceived as the 'heavy lift' of DLP: hosting, setup, ongoing monitoring, tuning, and maintenance. Today, expert help can always be on hand for organisations that require it.

MYTH 2: DLP requires at least 18 months to deliver value

DLP implementations are no longer a 'big bang' that takes up to two years to return measurable value. Organisations can see results in days rather than months or years. Today’s DLP solutions are modular and allow for iterative deployment as part of a continuously evolving, ongoing data protection program.

MYTH 3: DLP requires policy creation first

Today’s DLP is not dependent on a policy driven approach to get started. Context-aware DLP allows you to deploy, collect information on data usage and movement, and then work with the business unit leader to define the right policies.

The resurgence of DLP

What was once the reserve of the largest enterprises and most data-dependent industries is now within reach of a much wider slice of the business world. This is timely, because there are also more adversaries out there trying to steal data than ever before. From disgruntled employees looking for monetary gain, to professional cybercriminals and even state-sponsored hackers trying to steal state secrets and disrupt critical infrastructure, the need for more robust security has never been higher. Couple this with an increasing amount of data moving online and unfortunately it’s just a matter of time until many businesses without the right defences in place experience a data breach.

While the growing number of malicious threats out there can’t be ignored (more on this later), many data loss incidents can also be accidental. For example, an employee may copy company documents onto a USB stick so they can continue working on them at home, only to accidentally misplace it somewhere en route. Without DLP in place this would represent a significant threat to the security of that data. However, with DLP in place the employee could either have been prevented from copying the data in the first place, or if copying was permitted, it would have been encrypted as part of the process to ensure its safety in the event of the USB stick being lost.
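The scan, identify and act sequence described earlier, applied to the USB scenario above, can be sketched as follows. This is an added example, not code from any DLP product: the channel names, the `decide` policy and the bulk threshold are hypothetical, and the card numbers are public test values.

```python
import re

# Candidate payment card numbers: 13-19 digits, optionally split by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):
    """Luhn checksum: rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Identify step: return the Luhn-valid card numbers found in the text."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def decide(text, channel, usb_copy_allowed=True, bulk_threshold=5):
    """Act step (hypothetical policy): map content and destination to an action."""
    hits = len(find_card_numbers(text))
    if hits == 0:
        return "allow"
    if channel == "usb":
        # Either stop the copy or encrypt it so a lost stick exposes nothing.
        return "encrypt" if usb_copy_allowed else "block"
    if channel == "email_external":
        # A few records: ask the user to confirm. Bulk: hold for review.
        return "quarantine" if hits >= bulk_threshold else "prompt"
    return "alert"

# Constructed sample inputs (test card number, plus a non-card digit run).
SAMPLE = "Card 4111 1111 1111 1111, ref 1234567890123456"
BULK = "\n".join(["5555-5555-5555-4444"] * 5)

if __name__ == "__main__":
    for channel in ("usb", "email_external", "print"):
        print(channel, "->", decide(SAMPLE, channel))
    print("bulk email ->", decide(BULK, "email_external"))
```

The Luhn check is what keeps the 16-digit reference number in the sample from being treated as a card number, which is the kind of false positive that makes users ignore prompts.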

Defence in depth

What DLP brings to many existing security systems is defence in depth. Whilst a network approach would historically have been considered sufficient, once an attacker is in, they have free rein over whatever is inside the network walls. With DLP in place, even if the network perimeter is breached, the additional layers of security can severely restrict what the attacker is able to exfiltrate, if anything at all. Furthermore, by combining network security and DLP with further security measures such as advanced threat protection, businesses can make themselves extremely unappealing to all but the most persistent of attackers. After all, the path of least resistance is nearly always the preferred option for most criminals.

In summary, DLP represents one of the strongest lines of defence available for businesses looking to effectively protect themselves against the growing number of accidental and malicious threats out there. However, lingering myths and misinformation about aspects such as ROI, resourcing and policy are holding it back unfairly. It’s time the IT industry dispelled these myths once and for all, helping DLP to achieve its full potential as a cornerstone of modern data security.

Salo Fajer, CTO, Digital Guardian