Data Loss Prevention: Best Practices for Enterprises

We recently surveyed 600 senior enterprise IT and security professionals, to see how they rate their current security and compliance risks. 59% of those polled cited data loss as one of the “risks of greatest concern in digital technologies.” Little surprise that enterprises are so keen to implement data loss prevention best practices, and protect their sensitive assets from bad actors.

However, the cloud channels that drive modern business present special challenges to any data loss prevention strategy. Faced with these challenges, many services allegedly protecting against data loss don’t offer prevention at all. They offer the cyber version of closing the barn door once the horse has already bolted. These services only help in finding or recovering sensitive data.

To implement a data loss prevention program that offers true prevention, enterprises need to implement a set of best practices. Above all, protecting enterprises against data loss means embracing custom-built DLP technology that offers full visibility, as well as powers of detection and rapid action.

Survey: Read the full survey as respondents share how they are adopting
to new cybersecurity compliance risks and planning for the future.

The DLP Challenges of New Cloud Channels

Crowdstrike defines data loss prevention as "part of a company's overall security strategy that focuses on detecting and preventing the loss, leakage, or misuse of data through breaches, exfiltration transmissions, and unauthorized use." This has a broader, more encompassing scope than data leakage prevention, which is mainly focused about preventing data from flowing out of the organization into the hands of an illegal party.

This sounds simple enough. However, the key problem today is that breaches, exfiltration, and insider threats manifest on channels that escape traditional security protocols: Social media platforms, messaging apps like WhatsApp and WeChat, and collaboration platforms like Slack and Teams.

For example, a large Brazilian company recently approached our team seeking help. They use WhatsApp for their customer communications, and an incident had occurred. One of their employees had accidentally hit send on a message that contained an entire CSV file full of customer data! This wasn't intentional. It was a clipboard error. The file just happened to be the last thing the employee had copied before opening WhatsApp. However, the error was embarrassing and potentially costly.

This mistake could only happen because the company had no capacity to detect sensitive files being sent in WhatsApp . Their security team had no way to see into the application. They had no visibility. They could advise on data loss prevention best practices and urge staff to be careful, but they had no system that could actually prevent human error.

This same problem exists with collaboration tools such as Slack and Microsoft Teams. These platforms employ two-factor authentication (2FA) and other measures that protect entry to their environments. However, all this security applies only at the entrance. Within the platform, companies routinely discuss trade secrets and other confidential data. Accidentally or otherwise, an employee could post malicious content, such as a link to a phishing portal. A former employee whose access isn't revoked could exfiltrate files without anyone noticing.

Whatever the cloud application, the DLP challenges of these new channels are rooted in two factors:

• The volume of human communication occurring on these platforms. In the average enterprise, thousands or tens of thousands of interactions per day is the norm. Any one of these could contain a data loss threat.
• The velocity of these interactions. Messages are exchanged at a lightning pace, and the possible risk of data loss is concealed in the rush.

These two factors combine to create an attack surface that companies can’t reasonably expect to monitor manually.

Blog: Read the blog on why attack surface management requires
securing both public and private digital channels

With Data Loss, Prevention Beats Cure

Faced with the threat surface of modern cloud channels, most DLP solutions generally fail to achieve the "prevention" part. Examine the messaging of many data loss prevention companies and you will see them talk a lot about how they can detect when your data has left your network. However, a real data loss prevention system would be one that stops the data leaving the network in the first place. To implement prevention rather than cure, you need to apply the right data loss prevention methods. Here are some best practices:

1. Define your DLP strategy's objectives

Seek out multiple inputs from your stakeholders to help you prioritize the most sensitive data sets and define your policies. Your data loss prevention strategy should answer the following questions:

• What sensitive data do you hold, and where are they stored?
• Who can access / is responsible for that data?
• What are the acceptable uses of that data?
• Where is your data allowed to go? Where is it not allowed to go?
• When a violation happens, how should people assume responsibility?

Once these questions are answered, one of the neglected data loss prevention best practices is to create a charter that details your DLP program's structure. This ensures order and accountability, and helps secure stakeholder buy-in. A charter also helps educate the entire organization on the deployment process, reporting structure, and response processes during data breaches.

2. Secure technologies that offer prevention, not just cure

Most data loss prevention companies don't differentiate data loss prevention from loss remediation. However, companies need the former. A truly effective data loss prevention system stops data from leaving your system by empowering security teams with visibility and immediate action.

An effective DLP tool will allow you to:

• Gain 100% visibility across all your cloud channels.
• Implement flawless powers of detection, so that any threats are detected immediately.
• Detain/quarantine attachments, documents, and messages that have languages indicating sensitive data within.
• Automate the entire detection, quarantine, and resolution process.
• Limitlessly scale your data loss prevention program to accommodate the growing volume and velocity of messages.

With a system like this, incidents are stopped before they can truly begin. If an employee sends a WhatsApp message that contains a sensitive file, the DLP tool can immediately detect that file. It will then automatically quarantine and lock up the document for review.

3. Educate your people

According to Verizon's 2020 Data Breach Investigations Report, human error accounts for nearly a quarter of all breaches. An automated DLP platform removes reliance on manual review, and reduces the possibility of damaging human misjudgment.

However, mistakes are always possible. Companies must thoroughly educate their stakeholders and employees on their data loss prevention strategy to ensure maximum protection.

4. Don't "set and forget"

Your DLP processes lead you and your people into action. This is why you can't simply "set and forget" your data loss prevention program. It is essential to provide continuous and ongoing monitoring, evaluation and improvements to your DLP program. Regular attack emulation exercises and program audits helps ensure that the program and the solution still works as it should.

Deploying these data loss prevention best practices will protect you against every kind of digital threat. To see how the SafeGuard Cyber solution can help you implement prevention rather than just cure, request a demo today.