Data Loss Prevention Best Practices
There are few companies nowadays that do not keep digital records. Everything from accounting to marketing and basic communication happens on a computer and over the internet. This also means that every company, no matter its size, collects data, some of which, such as personal information regarding employees, customers, or partners, is highly sensitive and protected by law.
A wave of strict new data protection regulations around the world, spearheaded by the EU’s General Data Protection Regulation (GDPR), has made companies accountable in the eyes of the law for the data they collect and process, with hefty fines for noncompliance.
Failure to protect sensitive data can come at a high cost: in their 2019 Cost of a Data Breach Report, the Ponemon Institute and IBM Security estimated that companies lost an average of $3.92 million per breach. And while fines incurred for failures to comply with data protection legislation can have a significant impact, the biggest contributor to data breach costs was in fact lost business, with customer turnover increasing to as much as 3.9% in the wake of security incidents. Companies must, therefore, implement data protection strategies not only for compliance reasons, but also to avoid the financial and reputational fallout of a data breach.
Data Loss Prevention (DLP) tools have become an essential part of these data protection strategies. Highly flexible and adaptable to any company size, DLP solutions can be tailored to different needs and support compliance efforts with new data protection regulations such as GDPR or the California Consumer Privacy Act (CCPA). They help organizations find, monitor, and control sensitive data as it travels in and out of the company network.
But what are some of the best practices companies should adopt when implementing DLP tools? Here are our recommendations:
Identify and monitor sensitive data
Data protection begins with data transparency. Companies must identify the type of sensitive data they collect, where it is being stored, and how it is being used by employees. DLP tools come with predefined profiles for sensitive data while also allowing companies to define new profiles based on their own needs.
By turning on data monitoring, companies can find out how data flows within and outside their network. Monitoring can help them discover vulnerabilities in data handling and bad security practices among their employees. They can thus make more informed, cost-effective decisions when developing their data protection strategies and provide more effective training for their employees.
Implement a cross-platform DLP solution
Due to the rising popularity of Bring Your Own Device (BYOD) and Choose Your Own Device (CYOD) policies, many company networks are no longer running on a single operating system. macOS and Linux are slowly catching up with Windows, and organizations should not ignore them when choosing their DLP tools. After all, while devices running macOS and Linux might be considered at a lower risk of an external attack than those using Windows due to their architecture, human error, which accounts for 24% of all data breaches, affects them all equally.
Cross-platform DLP solutions like Endpoint Protector offer feature parity between Windows, macOS, and Linux, which means that sensitive data will have the same level of protection regardless of the operating system a computer is running on. This also allows all endpoints on the company network to be controlled from the same dashboard.
Set up policies and test them
To control the sensitive data they identify, DLP tools offer companies a wide array of preconfigured rules and policies that can be enforced across the company network. These can block sensitive data from being transferred via potentially insecure channels such as messaging apps, file sharing, and cloud services. They can also limit who sensitive data is sent to by email. When it comes to data at rest, DLP solutions allow companies to delete or encrypt sensitive data when it is found on unauthorized computers.
It is important for companies to not only set up these policies and choose which best fit their needs but to also test them out to ensure that they get the desired results. These policies are usually customizable so organizations have the opportunity to improve them based on test results.
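The following added example (not code from Endpoint Protector or any DLP product) shows what testing a policy against expected results can look like: a card-number profile is run over a constructed corpus, with and without Luhn validation, and the mismatches are reported. The policy layout, channel names, and function names are hypothetical, and the sample contents are constructed.

```python
import re

# Candidate payment card numbers: 13-19 digits, optional space/dash separators.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):
    """Luhn checksum carried by real payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cards(text, validate):
    """Return card-like digit strings; with validate=True, only Luhn-valid ones."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not validate or luhn_ok(digits):
            hits.append(digits)
    return hits

# Hypothetical policy: block card data leaving through these channels.
POLICY = {"blocked_channels": {"webmail", "cloud_upload", "chat"}, "threshold": 1}

def decide(text, channel, validate=True):
    hits = find_cards(text, validate)
    if channel in POLICY["blocked_channels"] and len(hits) >= POLICY["threshold"]:
        return "block"
    return "allow"

# Constructed test corpus: (content, channel, verdict the policy owner expects).
SAMPLES = [
    ("Card on file: 4111 1111 1111 1111, exp 12/30", "chat", "block"),
    ("Customer paid with 5500-0000-0000-0004", "webmail", "block"),
    ("Tracking number 1234567890123456 shipped today", "webmail", "allow"),
    ("Order ref 4111111111111112 (not a card)", "cloud_upload", "allow"),
    ("Card 4111111111111111 sent to billing", "internal_crm", "allow"),
    ("Quarterly report attached, no PII", "chat", "allow"),
]

def mismatches(validate):
    """Samples where the policy verdict differs from the expected one."""
    results = [(t, exp, decide(t, ch, validate)) for t, ch, exp in SAMPLES]
    return [r for r in results if r[1] != r[2]]

if __name__ == "__main__":
    for validate in (False, True):
        print(f"luhn_validation={validate}: {mismatches(validate)}")
```

Without checksum validation, the tracking number and the order reference are blocked as false positives; with it, every sample gets the expected verdict.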
Control what can connect to a company endpoint
Data can be lost not only via the internet but also through the use of removable devices. USB drives in particular are notorious for having been involved in major data breaches over the years, whether because of careless employees or because they were used as attack tools. Companies can use DLP solutions to block USB and peripheral ports on devices or allow only whitelisted devices to connect to them.
Enforced encryption can also be a way to ensure that, if a USB device is being used, all files transferred to it are automatically encrypted and thus inaccessible to anyone without a password.
Set different levels of authorization
Access to sensitive data and its use should be limited depending on an employee’s duties and the group they belong to. DLP tools allow admins to set up different levels of authorization for users across a company network based on individual users, devices, groups, or departments. In this way, companies can ensure that employees who do not normally work with sensitive data have limited or no access to it while not hindering the work of individuals who deal with it on a day-to-day basis.
Set up a remote work policy for DLP
The COVID-19 pandemic has shown companies everywhere that they need to be prepared to take their business remote in case of emergencies. However, many organizations have invested heavily in the security of the company network itself, so once a computer is taken home, the sensitive data stored on it can be left vulnerable to breaches.
It is therefore important for companies to set up a remote work policy that includes DLP tools that work outside the company network, whether a device is online or offline. In this way, they can ensure that data is continually protected, no matter where a company computer travels to.
Educate employees on DLP and data security
Finally, it’s critical that employees understand the need for DLP tools, the best security practices, and the consequences of a data breach. Companies can use the results of DLP data monitoring to design training that addresses the blind spots in employees’ data security practices. By offering relevant examples that employees come across in their day-to-day work, organizations can raise awareness of bad practices and help employees correct them with clear instructions on how to act in these situations.
An understanding of the importance of DLP can also discourage employees from attempting to circumvent policies and encourage them instead to report any problems they may be experiencing to admins, who can then tweak DLP policies for higher overall efficiency.