10 Ways Data Loss Prevention Benefits Your Company

 This article was originally published September 2021. Updated April 2024.

What is Data Loss Prevention (DLP)?

Data loss prevention (DLP) is a broad term for a set of software, procedures, and other tools used to protect sensitive data. DLP software is used to identify confidential data and ensure that it’s properly encrypted and transmitted. “Confidential data” can vary depending on your business. It can include sensitive customer financial data, personal information covered by GDPR, or health information covered by HIPAA, among others. This data must be protected not just in storage but also when it’s being transferred or used. Because of the broad scope of this kind of data, DLP software usually relies on multiple components, or a complete suite, to detect breaches. Attempted breaches, or suspected attempts, can be escalated to human personnel for further review.

A basic example of DLP in action is the password policy for your mobile banking app. Passwords are required to have a certain number of characters, typically at least eight. They’re also usually required to contain some combination of letters, numbers, and symbols. If you try to create a shorter password or one without the required combination of characters, the app won’t let you. From the developer’s perspective, it’s automatically redirecting user behavior to ensure compliance with security best practices.

Of course, DLP in the real world is often more complex than simple password requirements. If you’re handling valuable customer information, trade secrets, or other sensitive data, you’re potentially exposed to infiltration from organized criminals, foreign governments, and even corporate rivals from countries that don’t mind corporate espionage. You’re also exposed to risk from human error, like the Royal Navy officer who left his laptop on a train, along with personal data on over 600,000 British sailors.

The potential costs are not trivial. The 2017 Equifax data breach cost the company almost $2 billion , an expense that would send most companies into bankruptcy. A 2013 breach of Yahoo’s systems exposed the personal information associated with more than 3 billion accounts . We’re about to discuss how data loss prevention helps prevent this kind of disaster.

Data Loss Prevention Basics

DLP relies on an array of tools to prevent data from getting lost or hacked. An intrusion detection system, for example, can be used to protect specific sensitive files. A firewall can be used to prevent access to a system or entire network from unauthorized users. Antivirus software can patrol systems within the network to look for suspicious files and programs. And none of these tools are fully effective without the right policies in place surrounding their use.
For this reason, many companies are now employing a Chief Information Security Officer (CISO) to oversee DLP and data security practices in general. The CISO is a C-suite executive who reports directly to the CEO, which underscores just how seriously companies are taking their data security.

How Does Data Get Lost?

So, how does data loss happen? There are several common causes, but here are the three most common:

Insider attacks

These attacks come from inside the network. They occur when someone inside the organization “goes rogue” or, more frequently, when an attacker gains access to an account.

Outside attacks

Attackers may use phishing and other techniques to install malware on network computers. Once inside, the malware looks for sensitive data and transmits it back to the attackers. Learn more about phishing by reading the post below.

 

Accidental leaks/human error

People make mistakes, including competent, well-salaried people responsible for sensitive data. For example, an HR executive might mass-email a spreadsheet with unredacted employee Social Security numbers instead of the redacted version.

Essential Components of Data Loss Prevention

To be effective, a DLP system needs to be able to perform several tasks. These include:

1. Securing data in storage

Ensuring that stored data is encrypted, and that encrypted storage is connected to the network in an approved fashion.

2. Securing data in transit

Monitoring secure data as it travels through the network to ensure it’s only accessible to approved users.

3. Securing data in use

Monitoring sensitive files to detect and prevent unauthorized use. For example, preventing sensitive files from being copied to removable storage.

4. Securing network connections

By monitoring network connections and endpoints, DLP software ensures that data is not inadvertently transferred off the network or onto an unauthorized machine.

5. Data identification

DLP software needs to determine what data is sensitive and what is not. This can be done manually, by a set of user-defined rules, or via an algorithm or AI.

6. Data monitoring

DLP systems monitor network traffic to look for unusual or suspicious connections. These connections and data transfers might indicate a breach, and the data is escalated to a human employee for follow-up.

10 Ways Data Loss Prevention Benefits Your Company

 So, how does data loss prevention benefit your company? Here are ten ways.

1. You Gain Real-Time Visibility Into Your Data

DLP technology allows your IT department to view the flow of your data in real-time. This might sound expensive at first, but consider the alternative. Without the right software in place, your security staff would need to constantly search manually for sensitive files and move or encrypt them as needed. This simply isn’t practical at any kind of scale. At some point, your information security needs to be as automated as any other aspect of your business. By viewing your data flow in real-time, you not only build a more secure network, but your IT staff can even use this information to identify inefficiencies that are costing you money.

2. Your Organization Needs a Plan For Internal Threats

We’d all like to think that the main threat to our data is external. The bad actors are “out there,” somewhere in the wild, and as long as you’ve got a good firewall, you’re safe, right?
If only that were the case. According to a 2021 Verizon report, over 20% of data breaches result from insider attacks. In most cases, the motive is financial; someone is selling customer information or trade secrets on the black market. In far fewer cases, the motive is personal; someone is angry because they didn’t get promoted, were denied a raise, etc.
Regardless of motive, insider attacks are among the hardest to detect because the activity often looks legitimate. Someone is accessing sensitive data using the proper credentials, often from a company computer. Good DLP practices can help to limit this threat. For instance, you can prevent files from being transferred to thumb drives or lock out a computer instantly when suspicious behavior is detected.

3. Breaches Cost More the Longer They Go Undetected

Data breaches can spell doom for any company that experiences one. Whether due to fines, the loss of customers, or reputational damage, 60 percent of companies go out of business within six months of a data breach being identified. But breaches cost more the longer they go on. If detected early, your business may only suffer minor damage. For example, when a Boston hospital employee lost a laptop with information on nearly 2,000 patients, they promptly reported the breach. The result was a $40,000 fine and some bad publicity. This is not a perfect result but is hardly backbreaking for a major city hospital.
Unfortunately, not all breaches are detected this quickly. According to a 2019 Ponemon Institute report, the average data breach remains unidentified for 206 days. At that point, the average cost is twice the cost of a breach that’s detected immediately. This only makes sense. The longer a breach is unidentified, the more opportunities hackers will have to abuse that data or harvest more. For example, if your bank loses 500 customers’ account numbers, you can notify those customers and issue them with new accounts. But if you lose 5,000 account numbers over the course of six months, and many of those numbers have been used by fraudsters, you could be liable for millions of dollars in losses.

4. DLP Helps You Stay Compliant

A few years ago, data security was a lightly regulated area. As long as you were comfortable with your level of exposure, you could be as strict or as relaxed as you want to be. But new regulations like the European GDPR and the New York Cybersecurity Requirements are putting best practices into writing – and enacting penalties for organizations who fail to comply.
With more and more data being stored in a digital form, it’s become impossible for companies to comply with the use of human labor alone. There are simply too many files being written and accessed too frequently for even the largest IT departments to manage the task. DLP automates the compliance process, so you don’t have to worry about hefty fines.

5. DLP Reduces Your Exposure From Third-Party Devices

Allowing employees to use their own devices for work can be a great cost-saving measure. In fact, it’s so popular that it even has a name: bring your own device, or BYOD. But BYOD policies aren’t without their risks. If malware is installed on an employee’s device when it’s not on the network, that malware can infect your organization the next time the employee comes to work. DLP systems have special protocols in place to protect you from these viruses.
There’s a newer, similar threat that companies need to be aware of. Internet of Things, or IoT devices, are often not as secure as the other devices on your network. In many cases, hackers can use an IoT device, like a WiFi speaker, as a back door to gain access to your data. DLP software keeps this from happening.

6. You Can Monitor Your Employees

We’ve already touched on the risk of insider threats to your data security. In addition to preventing suspicious activity, DLP software allows you to monitor it as well. The software can generate reports of unusual behavior and send those to your security team. In most cases, it turns out the behavior was well-intentioned; for example, an employee emails a document to their personal account so they can work through the weekend. That might be cause for retraining, but it’s something any good employee might do. Alternatively, it might turn out that the employee was trying to steal data. In that case, your team can gather evidence so the employee can be terminated.

7. You’ll Be Protected from Cloud-Based Threats

Nowadays, we rely on cloud-based applications more than ever. Whether it’s holding meetings via Zoom or sharing files on Dropbox or Google Docs, much of that data isn’t actually being stored on company servers which helps cut costs. Still, it’s counterproductive when unencrypted sensitive data gets out into the wild. DLP software can be integrated with cloud-based applications to deal with confidential data. Sensitive information can be redacted; the files can be encrypted or blocked from cloud transfer altogether.

8. You Can Monitor Your Endpoints

The main risk for any network is at its endpoints – anywhere data is transferred between the company network and the broader web. Inside your network, you control your data. Once that data leaves the network, it’s “in the wild,” and you can no longer control what happens with it. DLP software monitors your endpoints, including physical endpoints like workstations and virtual endpoints like outgoing and incoming email. This stops many forms of harmful activity before they even start.

9. You’ll Spend Less on IT

There’s an old saying that you need to spend money to make money. DLP systems can be pricey to purchase and implement. But once in place, your company will save massive amounts of manpower. This means less money spent on IT staff and more money for profitable parts of your business.

10. Your Customers Will Trust You More

By taking proactive steps to protect your data, you aren’t just shielding yourself from fines and liability; you’re also doing your job as a company to keep your customers’ information safe. This gives you something far more valuable than any short-term expense: people’s trust. No matter what business you’re in, trust is the most important currency of all.

Get Started on Your Data Loss Prevention Journey

Backup and disaster recovery is just one of the services we offer at Edge Networks. If you’re interested in learning more, contact us today . We take the time to understand your unique business needs and customize solutions to meet them, and we deliver technologies that boost productivity, performance, and business growth

Data Loss Prevention: How to Protect Your Data When Disaster Strikes

Data Loss Prevention: Preparing for a Rainy Day

One of the most terrifying experiences for a business executive, employee or IT administrator is when data loss has occurred. Perils can come from many places and it’s important to know where they come from.  Knowledge is the first step to preventing this tragedy. We will go over why data loss occurs, how to recover if disaster strikes, and how to start prevention right now.

 

Top 5 Causes of Data Loss

What are the main reasons your data is at risk?

1. System Malfunctions

This is the leader in data loss. Hard drives fail. Power goes out without warning. Computers are complex machines with millions of points of failure

 

2. Human Error

Human error continues to be one of the leading causes of data loss. Whether is it from accidental file deletion, failure to backup data, or losing a device, humans are, well, human. Accidents happen. 

 

3. Software Errors 

Who doesn’t remember working on an important document or presentation only to run into tech problems where the software freezes and the work is lost? It has happened to the best of us. 

 

4. Computer Viruses and Malware

Viruses and malware can wreak havoc on computers and files. From ransomware encrypting data to viruses like ILOVEYOU destroying files, daily risks abound. 

 

5. Natural Disasters

Fires, floods, earthquakes or wind. These are the most uncontrollable cause of data loss, but fortunately are also the least frequent. 

 

woman upset about data loss

 

Proper preparation for these inevitable events allows for business continuance and peace of mind. Let’s take a look at some commonsense ways to keep your business going when lightning strikes.  

 

Matters of Metrics

When considering the best approach for backup and disaster recovery, it is important to understand what is being protected and the criticality of the data involved. This is where Recovery Time Objective (RTO) and Recovery Point Objective (RPO) need to be understood.   

 

Recovery Time Objective (RTO)

RTO is the duration of time it should take to restore all applications and systems after an outage. RTO is usually measured starting from the moment an outage occurs rather than when the IT team starts their restoration efforts. Simply put, the moment of the outage is when the users and clients were initially impacted.  

 

Critical questions to consider when determining your Recovery Time Objective (RTO):  

 1. How long can your business afford to be down before a negative impact, be it revenue, reputation, or another critical metric, is observed?  

2. What is your budget for restoration services to occur?  

3. What tools, process and resources are needed to meet the objective?  

 

Recovery Point Objective (RPO)

RPO defines the point in time to which you will restore your data after a disaster. It limits how far to roll back your recovery and defines how much data your business can afford to lose before affecting productivity, revenue, and reputation.  

 

Critical questions to consider when determining Recovery Point Objective (RPO):  

 

 1. How often does your business data change? Is it high transaction data or mostly static content?  

2. What type of backups are being performed?  

3. What are the storage requirements to meet this objective?  

 

Down to the Basics

Once you have determined your RTO and RPO, you can start to plan out your strategy.  Let’s start with the three basic types of backups; Full, Incremental, and Differential. 

 

Full Backup 

A full backup is just as the name implies. It is a total backup of everything. While it is good to have a full backup, it also takes the greatest amount of time to perform or restore, not to mention the amount of space it consumes. If you determine your RTO is short, then using a full backup daily is not a good choice. Conversely, if your RPO is weeks or months, then you will likely depend on full backups.   

 Typically, only a small percentage of the information in a partition or disk changes daily, or even a weekly basis. For that reason, it makes sense only to back up the data that has changed daily. So, what’s the balancing point? That’s where the other backup types come into play. 

 

Differential Backup 

A differential backup backs up only the files that changed since the last full backup. For example, if you do a full backup on Sunday then Monday you back up only the files that changed since Sunday, on Tuesday you back up only the files that changed since Sunday, and so on until the next full backup.   

Differential backups are quicker than full backups because so much less data is being backed up. It is a better choice for shorter RTO and less attractive for a longer RPO. The amount of data being backed up grows with each differential backup until the next full back up so the storage requirements can become substantial over time. 

 

Incremental Backup 

Incremental backups also back up only the changed data, but they only back up the data that has changed since the last backup — be it a full or incremental backup. If you do an incremental backup on Tuesday, you only back up the data that changed since the incremental backup on Monday. The result is a much smaller, faster backup. They are a good choice for meeting an aggressive RTO but not good for a long RPO. The characteristic of incremental backups is the shorter the time interval between backups, the less data to be backed up, so your storage needs are lower than full or differential backups. 

While incremental backups give much greater flexibility and granularity for restoration, they have a reputation for taking longer to restore because the backup has to be reconstituted from the last full backup and all the incremental backups since. 

 

laptop backup photo

Backups, the Next Generation

If your head is hurting just thinking about the complexities of backup strategy and execution, you are not alone. Doing backups used to be so complex that there was a dedicated position in most companies just to keep it all on the rails. Even then, there were problems. Broken or old tapes and disks added to the headaches of being confident about your strategy. Employees had to make sure their files were closed during the backup window. Periodic recovery testing would take entire weekends to complete. It was a mess. 

Enter the next generation of backup. 

Modern backup strategies employ advanced software, hardware and cloud services that simplify things, A LOT.

Snapshots 

Most backup software available today uses snapshot technology to create a point-in-time copy of the data. Typically, the snapshot copy is done instantly. The original copy of the data continues to be available to the applications without interruption, while the snapshot copy is sent to an on-premises or cloud-based storage location. 

Snapshots provide an excellent means of data protection. The trend towards using snapshot technology comes from the benefits that snapshots deliver in addressing many of the issues businesses face. Snapshots enable better application availability, faster recovery, easier backup management, reduces exposure to data loss and virtually eliminates the need for backup windows while lowering total cost of ownership (TCO). Snapshot technology allows businesses to meet most any RTO and RPO goals. The cost of this technology is typically higher than traditional methods because of the storage requirements involved. 

 

Continuous Data Protection 

Continuous data protection (CDP), also called continuous backup, refers to backups of data when a change is made to that data by automatically capturing the changes to a separate storage location. CDP effectively creates an electronic journal of complete storage snapshots. 

Continuous data protection is different from typical snapshot implementations because it creates one snapshot for every instant that data modification occurs instead of one point-in-time copy of the data created by other methods. CDP-based solutions can provide fine restore granularities of objects, such as files, from any point in time to crash-consistent images of application data, for example, database, filer and mailboxes. 

Validation of successful snapshots is often accomplished by actually starting and testing the machine image taken. This offers an unparalleled level of confidence in the integrity of your backups. 

There is no “one size fits all” approach for data loss prevention, and some things are worth more than others. There is a myriad of companies that offer backup software and services. It is highly recommended that you work with a trusted technology professional to assist in your selection so that you can achieve a balance in performance, costs and recovery objectives.  Contact us today to schedule a free, 30 minute consultation, or take our free, self-guided IT Security Risk Assessment.