In 2018, I had a speaking engagement at FS-ISAC Chicago called Why DLP Fails. I was at an insider threat company at the time, and I posed some questions regarding DLP issues to the audience:
- “Show of hands: how many folks out there have had their organization saved by their data loss prevention (DLP) solution?”
- “What CISO out there has said, ‘We were going to be breached but our DLP product saved our bacon that day.’”
In a room with over 100 CISOs and security architects, not one person raised their hand. That was four years ago. Surely, things should have changed by now, right?
With all of the dramatic and transformational changes to the enterprise communications environment, it’s worth re-examining DLP solutions, their role, and their limitations in securing organizations. Cybersecurity is a dynamic arena, where risk changes, and our controls need to keep pace with them.
The DLP Dilemma
According to a study, 61% of companies have deployed DLP technologies, but only about one-third of IT security leaders are confident they work.
And who could blame them? About 80% of these organizations have faced at least one security incident in the past year. More than a third of US companies experienced at least three data breaches in the past 12 months. For businesses across the pond (Europe and UK), 22% of them have had the same experience.
Problem #1: DLP can work, but often requires tremendous resources.
DLP solutions take lots of resources to manage and maintain for new and emerging threats. DLP can live in multiple egress and ingress points within your organization. Yet, the fact that these solutions still haven’t had the impact or capability to prevent and block data loss is a startling failure. Moreover, the massive allocation resources is a pain to manage for security leaders in most companies, where teams are already overtaxed.
Problem #2: If it isn’t managed well, DLP impedes how end-users work.
One of the most prominent DLP issues that companies experience is disruption to natural workflows. Employees often complain about not being able to do work efficiently because of DLP protocols that hinder certain processes. For example, if employees are unable to easily move and share files that they're accustomed to sending -- especially to external vendors/partners -- they will find ways to do so. This can include, but isn't limited to, sending to personal accounts or devices in order to send the files to their end destination.
This can lead to employees effectively turning into hackers, as they find workarounds to simply get things done. I believe that most end-users in your environment know how to evade any DLP defense mechanisms today by using social platforms (Facebook, Twitter, LinkedIn) or unsanctioned apps (WhatsApp, WeChat, Telegram). Because of that, we get headlines like this one:
JPMorgan hit with $200 million in fines for letting employees use WhatsApp to evade regulators’ reach
Moreover, an internal communication over Slack at Twitter regarding Elon Musk’s desire to acquire the company was leaked over Twitter! Where was DLP on that one?
Problem #3: DLP can create lots of noise and false alerts.
A 2018 study revealed that DLP tools generate 81% of false positive alerts and only 4% are ever investigated. Unfortunately, it remains a problem until now. Research reveals that 25% of IT security leaders cite false positives as their biggest challenge with DLP solutions.
False positives, especially when they pop up frequently, are a huge distraction to IT security teams. False alerts draw attention and resources away from actual threats which, aside from being frustrating, can lead to more serious business risks.
New Environments, New Risks
Is DLP still a necessity in today's new cloud workspace? Can older technologies like DLP work for today’s communications environment? Experts are a little skeptical.
According to PCMag and Eric Griffith:
“The good news is that the number of individuals who were hit by security breaches in 2021 declined for the third year to 293 million, down from a record high of 2.2 billion in 2018. The problem is that the percentage of breaches that included the theft of sensitive data like Social Security numbers was up from 80% to 83% year over year, though that was down from 2017's stunning 95%.”
In hindsight, the rapid shift to multichannel environments is a challenge for DLP. The proliferation of endpoints and BYOD, and the expansion of cloud-hosted communication make traditional DLP difficult to manage.
“It’s hard to control 3rd parties in Slack and Teams, and endpoint DLP often doesn’t apply full control to cloud applications because the communications often are encrypted”
SVP of Security Operations
Agent-based, policy-driven solutions will miss emerging threats as they are reactive. This is especially true now that new multichannel attacks are targeting the end-user in new ways.
Addressing DLP Issues with the Right Solutions
DLP solutions are supposed to stop data loss, especially for number strings such as social security numbers. However, with the way technology is currently evolving, it takes more than protecting social security numbers to stop data loss.
Still, why would you allocate a budget annually for a solution that doesn’t protect you? The uncomfortable truth? It’s because without a solution, your organization is left potentially exposed, and no one wants to make that decision. Therefore, newer, more effective solutions are needed.
Companies need solutions that go beyond DLP, that can see multiple communication channels from email, to business chat, to messaging, and protect all of them. Moreover, new social engineering and phishing techniques call for solutions that can understand human languages, including context and intent. Finally, solutions that solve DLP issues should be able to determine how threat actors evade detection through social channels, as well as block them from infiltrating the multitude of channels that companies use nowadays.
If you are interested in learning more about the SafeGuard Cyber solution, you can take a quick 5-minute tour.