By Maj. Maneesh Chandra (Rtd.) – Chief Technology Officer, FIRMUS

Data loss can be a devastating experience for individuals and businesses alike. It can occur due to various reasons, such as hardware failure, software corruption, cyber-attacks, or human error. Losing important data can have serious consequences, including financial losses, legal issues, and damage to a company’s reputation. Therefore, it is essential to have proper governance and measures in place to mitigate the risks of data loss and ensure that valuable information is being safeguarded while being available to the authorised people.

What is Data Loss Prevention (DLP)?

Data leakage prevention (DLP) is a security strategy to detect potential data breaches and prevent the unauthorized or accidental release of sensitive information. It helps prevent users from sending sensitive or critical information outside the corporate network. DLP has become even more critical with the shift to working from home and the growing need to deal with cyberattacks.

Before You Begin

DLP is a subset of Data Governance; hence, implementing a DLP programme starts with defined governance processes, which are then supported by DLP technologies to realise the organisation’s objectives for protecting its data.

DLP technologies are deployed both in on-premises environments and as a cloud service. It is important to note that DLP is not a plug-and-play solution. A successful implementation requires significant preparation and diligent ongoing maintenance along with appropriate governance measures. These solutions work by identifying sensitive data, and then monitoring and protecting that data as it moves across the network.

Hence, DLP should be incorporated into an organization’s cybersecurity journey, rather than being just a pitstop to onboard DLP technologies.

Why is DLP Needed?

Data is the lifeblood of any organization, and it must be protected, as a data breach can result in financial losses as well as the loss of clients’ trust.

Organizations that are subject to data privacy regulations such as the Malaysian Personal Data Protection Act (PDPA) or the European Union (EU) General Data Protection Regulation (GDPR) need to have DLP in place to help reduce leakage of sensitive data. By alerting on or blocking data transfers, and by identifying where sensitive data is stored, DLP helps prevent the unauthorized or accidental release of sensitive information.

DLP is needed beyond satisfying regulatory requirements. It is also to honour the trust that clients have in us to safeguard their data.

Good Practices to Implement DLP

As DLP is a subset of Data Governance, a good approach to implementing DLP is to start with Data Governance. Any organisation intending to implement DLP must have a Data Governance Structure, so that there is a body to own the frameworks, strategies and plans, policies, guidelines, procedures, etc.

This organisational structure is required to appropriately classify data into different levels of sensitivity, the risk due to the data being available to unauthorised parties, and the processes to be implemented to reduce the risk to a level acceptable to the organisation. The structure can also help define the accountabilities and responsibilities for managing an organisation’s data as well as sensitive data which is in the organisation’s custody.

A well-known framework for data governance is the DAMA Data Management Body of Knowledge (DMBoK), published by the Data Management Association International (DAMA). The DMBoK is a comprehensive guide to the field of data management, containing chapters on every aspect of the discipline.

Once the appropriate governance and processes are defined, the organisation is able to consider the DLP technologies that best support its objectives. The data governance processes, and hence the DLP technologies, must be able to protect the organisation’s sensitive data in three primary areas:

  • Data-in-use (being worked on).
  • Data-in-motion (when it is being shared through various mediums of communication).
  • Data-at-rest (in storage).
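As an added illustration (not code from the article or from FIRMUS), the skeleton of the "identify sensitive data, then monitor and protect it" logic described above: content detectors mapped to the sensitivity levels a governance structure defines, and an alert-or-block decision for a data-in-motion channel such as outbound email. The detector patterns, level names and policy table are assumptions constructed for this example, not values from the article.

```python
import re

# Constructed detectors for this example (not from the article). Each detector
# maps to a sensitivity level that the governance structure has defined.
DETECTORS = {
    "payment_card": (re.compile(r"\b(?:\d[ -]?){15}\d\b"), "restricted"),
    "nric_my":      (re.compile(r"\b\d{6}-\d{2}-\d{4}\b"), "confidential"),  # assumed simplified NRIC shape
    "email":        (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "internal"),
}

# Assumed governance decision per sensitivity level for a data-in-motion channel.
POLICY = {"restricted": "block", "confidential": "alert", "internal": "allow", "public": "allow"}
RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


def luhn_ok(digits: str) -> bool:
    """Mod-10 check so that arbitrary 16-digit numbers do not trigger the card rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect(text: str) -> dict:
    """Classify a message by the most sensitive finding and return the policy action."""
    findings = []
    for name, (pattern, level) in DETECTORS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            # Validate card candidates to cut false positives on ordinary digit strings.
            if name == "payment_card" and not luhn_ok(re.sub(r"\D", "", value)):
                continue
            findings.append((name, level))
    # The message inherits the highest sensitivity level among its findings.
    level = max((lvl for _, lvl in findings), key=RANK.__getitem__, default="public")
    return {"level": level, "findings": findings, "action": POLICY[level]}


if __name__ == "__main__":
    for msg in ["Invoice for card 4111 1111 1111 1111", "Applicant NRIC 900101-14-5678"]:
        print(msg, "->", inspect(msg))
```

A real DLP product adds many more detectors, exact-data matching against known records, and per-channel policies, but the classify-then-decide structure is the same.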

There are several DLP solutions in the market which have different modules to cater for different data types as well as data in the cloud. In addition, there are related technologies which can extend data protection to other channels such as mobile devices which are traditionally not a part of DLP solutions.

Once the basic DLP technologies have been implemented, technologies such as encryption and digital rights management can be considered as a next step to extend data protection beyond the enterprise’s systems, since traditional DLP technologies only protect data up to the boundaries of the organisation’s systems. Another useful complementary technology is one for classifying and labelling the organisation’s data.

Very importantly, the implementation plan must also consider how to manage change: implementing DLP affects every user in the organisation, so there is significant change that has to be managed for the DLP to be effective.

Conclusion

As data permeates every aspect of our life and as criminal agents find it lucrative to exploit the value of this data, the need to protect this data becomes more and more evident. The urgency of measures to protect your data properly cannot be overstated.