Computer Security Technology Ltd

+44 (0)20 7621 7836

April 24, 2024

This article zeroes in on the vital topic of Data Loss Prevention (DLP). While past editions have tackled external threats like ransomware and phishing attacks, this month we're highlighting the importance of safeguarding your valuable data from both external and internal risks. Here's a quick rundown of the key topics discussed:

  1. Understanding DLP: DLP encompasses a wide range of scenarios, from inadvertent data leaks to malicious breaches. Knowing the egress routes and potential threat parties is crucial for effective protection.
  2. Consequences of DLP Incidents: The fallout from a DLP incident can be severe, ranging from contractual breaches to legal and regulatory penalties, not to mention damage to brand reputation.
  3. Real-World Examples: Examples abound, from accidental email mishaps to malicious cyberattacks and inadvertent data exposures. These cases underscore the importance of robust DLP measures.
  4. Advancements in DLP Solutions: Early DLP solutions often relied on broad controls that impacted productivity. However, advancements in technology have led to more granular and contextual approaches, allowing for dynamic permissions based on various factors.
  5. Navigating DLP Solutions: The landscape of DLP solutions can be daunting, but there are options available to suit your specific needs, from simple email safeguards to comprehensive network controls.
  6. Taking a Tactical Approach: Even if a full-scale DLP strategy seems overwhelming, tactical controls targeting high-risk scenarios can yield significant benefits.

DLP Scope and Impacts

DLP covers a multitude of information loss situations, with the typical egress routes being:

  • Endpoints such as printer, Bluetooth, Wi-Fi, and USB/other attached media;
  • Email attachments, links and sometimes just the body of the email;
  • Websites used for file upload and sharing (web-based personal email services such as Gmail also come under this);
  • Cloud applications such as O365, SharePoint, Teams and the associated back-end applications.

The three main threat parties are:

  • Malicious Attacker
  • Accidental/Well-meaning User
  • Third Parties such as supply chain and contractors.

The consequences of a DLP incident include the following impact considerations:

  • Contractual: breach of Customer contract/agreement.
  • Competitive: information that would be beneficial to competitors and/or reduce profitability.
  • Brand: damage to industry standing and Customer confidence.
  • Legal: penalties, particularly those applied by the ICO (Information Commissioner’s Office) as a result of GDPR personal data breaches.
  • Regulation: loss of, or restricted, industry trading licence for regulated industry.

Some real-world examples of DLP breaches include:

  • Staff member accidentally emails sensitive contract details to an external recipient, rather than to the intended internal colleague, because they both had similar names.
  • Malicious cyber attacker gains access to the corporate network and copies volumes of data to the dark web, requesting a ransom payment to return and delete the files.
  • Local government body uploads the personal details of vulnerable residents to its public-facing website in error.
  • Laptop is lost containing highly sensitive R&D reports.
  • User emails a SharePoint link of Customer details to the correct external party; however, that external party then forwards the link to unapproved recipients.
  • Staff member moves jobs, taking a print-out of all key Client contract details.

The initial development of DLP included staff education, information policies and technical controls. These early controls, though, tended to be “blunt instruments” in either allowing or denying data access, which did impact productivity.

Contextually Based DLP

As time moved on, improvements were made to the granularity of control and so-called “contextual” data management was born. This context-based approach dictates dynamic permissions based on: the user, the sensitivity of the data, the location and the egress path. It is here that many organisations face the real-world challenges of understanding their own data, its ‘value’ and applying a uniform classification. The good news is that some solutions can audit the entire network storage, classify the data using automated recognition features, and some will go as far as using optical recognition to inventory non-textual information such as pictures and schematics. Additionally, there are technologies that can automatically redact information before it leaves the organisation and/or add watermarks to information (i.e. automatically add the user's name, date and time). A watermark acts as an indelible marker on a document, for example when it is printed, which is very useful for data leak traceability.
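As an added illustration (not taken from any DLP product or from this article's author), the sketch below evaluates the four context factors named above with ordered, first-match rules that fail closed, and builds the watermark text of user name, date and time. The role names, labels, egress names and the rules themselves are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed classification scheme, lowest to highest sensitivity.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass(frozen=True)
class Context:
    user: str
    role: str         # assumed values: "staff", "contractor"
    sensitivity: str  # classification label on the data
    location: str     # assumed values: "office", "remote"
    egress: str       # assumed values: "email", "usb", "print", "web_upload", "cloud_share"

def level(ctx):
    return SENSITIVITY[ctx.sensitivity]

# Hypothetical policy: ordered rules, first match wins.
RULES = [
    (lambda c: level(c) == 0, "allow"),
    (lambda c: c.egress == "usb" and level(c) >= 2, "block"),
    (lambda c: c.role == "contractor" and level(c) >= 2, "block"),
    (lambda c: c.egress == "print" and level(c) >= 2, "watermark"),
    (lambda c: c.location == "remote" and c.egress == "web_upload"
               and level(c) >= 1, "block"),
    (lambda c: c.egress == "email" and level(c) == 3, "redact"),
    (lambda c: level(c) <= 2, "allow"),
]

def decide(ctx):
    """Return allow, block, redact or watermark for one egress attempt."""
    if ctx.sensitivity not in SENSITIVITY:
        return "block"  # unclassified or unknown label fails closed
    for predicate, action in RULES:
        if predicate(ctx):
            return action
    return "block"      # nothing matched: default deny

def watermark_text(ctx, when):
    """Text stamped on a printed copy for leak traceability."""
    return f"{ctx.user} {when:%Y-%m-%d %H:%M} UTC"

if __name__ == "__main__":
    # Constructed sample request.
    ctx = Context("asmith", "staff", "confidential", "office", "print")
    print(decide(ctx), "|", watermark_text(ctx, datetime.now(timezone.utc)))
```

The same confidential document is blocked to USB, watermarked on print and allowed by email, which is the difference from an allow-or-deny control.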

There are a multitude of solutions that address Data Loss Prevention, which range from something as simple as preventing an accidental email addressed to the incorrect recipient, to complete network and end-point egress control. There are also technologies that assist with classifying and labelling data, as well as services to educate staff about upholding DLP policies.

Government and military bodies have a long history of adherence to Data Classification policies. Anybody who has watched a James Bond film will recognise the “Top Secret” label. However, applying this type of protocol to non-military situations can be cumbersome, problematic to maintain and expensive. As a minimum, you would typically need Data Owners, an Information Classification Protocol, an Information Risk Assessment process and an ongoing staff awareness regime.

DLP Strategy

If you are unable to fully embrace a comprehensive ideal-world Data Loss Prevention strategy, we recommend you first identify your highest-risk data scenarios, the so-called “worst-case” situations (what keeps you awake), or those data breaches that just keep reoccurring. With these understood, you can then apply some tactical controls to reduce that risk accordingly. As an example, with staff accidentally emailing sensitive data to the incorrect recipient, you may have tried asking them to be more diligent, and yet the issue persists. A solution would be to use a technology that can assess an email as it is drafted and then warn/prompt your staff that they are about to make an email-sending mistake if they continue. This is obviously a compromise on a full, head-to-foot DLP strategy; however, it can bring some quick wins and mitigate ‘repeat offender’ issues, as per the adage “how do you eat an elephant? One small mouthful at a time”.
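A minimal sketch of such a draft-time check, added here as an example and not taken from any vendor's product: it warns when a message labelled sensitive has an external recipient, and when an external address closely resembles an internal colleague's name. The domain, directory, labels and the 0.8 similarity threshold are assumptions.

```python
from difflib import SequenceMatcher

INTERNAL_DOMAIN = "example.com"  # assumed organisation domain
# Constructed directory of internal colleagues.
DIRECTORY = ["john.smith@example.com", "priya.patel@example.com"]
SENSITIVE_LABELS = {"confidential", "restricted"}  # assumed label names

def local_part(addr):
    return addr.split("@", 1)[0].lower()

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def resembles(a, b, threshold):
    """True when two mailbox names are near-identical (0.0 to 1.0 ratio)."""
    return SequenceMatcher(None, a, b).ratio() >= threshold

def check_draft(recipients, labels, threshold=0.8):
    """Return warnings to show the sender before the message is sent."""
    warnings = []
    sensitive = bool(SENSITIVE_LABELS & {label.lower() for label in labels})
    for rcpt in recipients:
        if domain(rcpt) == INTERNAL_DOMAIN:
            continue  # internal recipients are out of scope for this check
        if sensitive:
            warnings.append(
                f"{rcpt}: external recipient on a message labelled sensitive")
        for colleague in DIRECTORY:
            if resembles(local_part(rcpt), local_part(colleague), threshold):
                warnings.append(
                    f"{rcpt}: name resembles internal colleague {colleague}")
                break
    return warnings

if __name__ == "__main__":
    # Constructed draft: the sender meant john.smith@example.com.
    for line in check_draft(["jon.smith@partner.example"], ["Confidential"]):
        print("WARNING", line)
```

The prompt leaves the decision with the sender, so a legitimate external email still goes out after confirmation.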

We are happy to discuss Data Loss Prevention in more detail and answer any questions. With twenty-seven years of trading, we believe we are the longest-established, independent Cyber Security specialist. Hence, we are ideally placed to advise, assist and help.