It is easy to see how employee access to the Internet can lead to data loss, so many organizations start by deploying DLP on the network, enabling them to establish policies, monitor network traffic, accurately detect incidents and to proactively block inappropriate transmissions. With DLP technology in place on the network, these organizations are able to immediately reduce the risk of losing data in transit.
Companies also want to gauge their level of exposure across their internal systems in order to improve access controls and meet compliance requirements. Using the same policies as on the network, DLP solutions can also look for confidential data wherever it is stored, scanning a wide range of data repositories to discover things like executive salaries, personnel files, contracts and transaction records. When such data at rest is found, it can be automatically moved to a secure location or encrypted based on policy.
Network- and storage-centric DLP solutions significantly reduce the risk of data loss due to inadvertent employee behavior and broken business processes, the causes of 95 percent of data loss incidents. Next, companies often turn their attention to the small percentage of breaches caused by malicious insiders. DLP capabilities are extended to preventing data from being copied to removable devices or downloaded from servers in violation of policy. Endpoint DLP enables organizations to identify sensitive information on laptops and desktops and stop it from being copied to USB drives and iPods, or burned to CD/DVDs. With DLP capabilities at the endpoint, organizations are now able to reduce the risk of losing data in use.
Today, the most advanced DLP offerings are available as integrated solutions that combine both endpoint and network-based software to protect confidential data wherever it is stored or used. These solutions leverage a common foundation with the same policy management, detection, incident response workflow, and reporting capabilities across network, storage, and endpoint systems. This unified approach to enforcement enables the organization to write a policy once and automatically enforce it throughout the enterprise.
Automated Policy Enforcement and the Human Factor
Being able to automatically enforce policies is a big key to the value of DLP. It gives you the ability automatically route an email to an encryption gateway, for instance, or move an obsolete file containing sensitive data that has been left exposed on a file system—all based on policy.
One of the most overlooked benefits of DLP is its ability to reduce risk by strengthening what has long been considered the most vulnerable element in any organization—its people. Virtually all data breaches involve people and the processes they follow, or don’t follow, when handling information. The vast majority are caused by people who are either unaware of policy or are simply following a business process that is not secure.
Either way, DLP protects the data according to policy and prevents its loss. But it also goes a giant step further and remediates the incident by notifying the employee of his or her error in real time and then suggesting corrective action. Such on-the-spot correction can not only change the behavior of the employee but it can also have a positive impact on the behavior of others with whom the person interacts.
It works. In fact, one Fortune 100 company noted a 90 percent drop in data loss incidents just 10 days after turning on the automated user notification capabilities within DLP.
Standalone vs. Feature
As organizations increasingly turn their attention to the challenge of preventing data loss, many are asking whether DLP is most effective as a standalone solution or as part of a broader suite of security products. The answer is yes, there will continue to be a market for standalone DLP, because data loss is a pressing problem that demands a targeted solution—one that leverages a common foundation with the same policy management, detection, incident response workflow, and reporting capabilities across network, storage, and endpoint systems.