One of the core areas to protect within a business is its data. Whether the data belongs to the customer or the company, all information is classified under what is called a “data classification policy.” This policy allows management to determine the various data types present in an organization and which security controls are necessary to reduce the risk of breach, theft, or fraud. Data can be classified as public, internal use only, confidential and secret, or proprietary. Any data classified as confidential or higher should be segmented or placed into areas that make it extremely difficult for a hacker or other perpetrator to access it without proper credentials.

Data Loss Prevention (DLP), also referred to as Data Leakage Protection, is the strategy, software, tools, and processes developed to ensure that sensitive information is not lost, misused, shared, or circulated outside of a secure corporate network without proper detection and disclosure. Companies with robust DLP programs spend many years designing processes to protect data, including encryption, quarantining through rulesets, and confirming that access management controls are in place. It is especially important to ensure that leadership has designed an effective Security Incident Event Monitoring (SIEM) process that identifies key security events and ensures they are monitored, tracked, and investigated, whether the incidents are detected during the business day or after hours.
As insider threats rise and state privacy laws become increasingly rigorous, more companies are investing in data loss prevention tools. These software products automate the classification and protection of confidential information to prevent unauthorized users from sharing data – whether accidentally, intentionally, or maliciously – in ways that could greatly harm an organization’s reputation. For example, consider the restrictions, or lack of restrictions, on public cloud storage services like Box, Dropbox, or Microsoft OneDrive for employees attempting to share documents inside and outside of the organization. The risk of allowing personnel to move files freely is that there is no audit trail of the types of data sent externally, and no visibility into the external threats that can be introduced into the environment when a non-supported device touches internal production systems. Another example of a popular data loss prevention tool is software that monitors email for potentially harmful links and attachments carrying viruses, malware, spyware, trojan horses, and ransomware.
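To make the classify-then-enforce flow concrete, here is an added example (not code from the original article or from any DLP vendor): a toy egress check that assigns one of the article’s classification levels to outbound content, raises the level when it detects regulated data, applies a ruleset based on where the content is going, and records every decision so that an audit trail exists. The detection patterns, the `example.com` corporate domain, the action names, and the sample messages are all constructed assumptions for illustration.

```python
"""
Added example: a toy DLP egress check. Classification levels follow the
article; the detectors, corporate domain, action names and sample messages
are constructed assumptions, not any product's ruleset.
"""
import re

# Classification order used by the article, lowest to highest sensitivity.
LEVELS = ["public", "internal", "confidential", "secret"]

# Constructed detectors. Real products add dictionaries, fingerprints and
# many more patterns; two are enough to show the classify -> enforce flow.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
LABEL_RE = re.compile(r"\b(PUBLIC|INTERNAL|CONFIDENTIAL|SECRET)\b")

CORPORATE_DOMAIN = "example.com"   # assumption: the protected network

AUDIT_LOG = []   # every decision is recorded, closing the audit-trail gap


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on card-number candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str):
    """Return (level, findings) for a piece of outbound content."""
    findings = []
    # Start from an explicit label if present; unlabelled corporate
    # documents default to 'internal', never to 'public'.
    m = LABEL_RE.search(text)
    level = m.group(1).lower() if m else "internal"

    if SSN_RE.search(text):
        findings.append("pii:ssn")
    for cand in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", cand.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append("pci:pan")
            break

    # Detected regulated data raises the level to at least 'confidential'.
    if findings and LEVELS.index(level) < LEVELS.index("confidential"):
        level = "confidential"
    return level, findings


def decide(text: str, destination: str) -> str:
    """Apply the ruleset and record the outcome; returns the action taken."""
    level, findings = classify(text)
    dest_domain = destination.rsplit("@", 1)[-1].lower()
    external = dest_domain != CORPORATE_DOMAIN

    if not external:
        action = "allow"
    elif LEVELS.index(level) >= LEVELS.index("confidential"):
        action = "quarantine"          # hold for review; do not transmit
    elif level == "internal":
        action = "allow-and-log"       # permitted, but visible to the SOC
    else:
        action = "allow"

    AUDIT_LOG.append({"destination": destination, "level": level,
                      "findings": findings, "action": action})
    return action


if __name__ == "__main__":
    # Constructed sample messages and recipients.
    samples = [
        ("Press release draft. PUBLIC.", "editor@newswire.example"),
        ("All-hands slides, INTERNAL. Lunch provided.", "me@dropbox.example"),
        ("Customer record: John Doe, SSN 123-45-6789", "partner@vendor.example"),
        ("Card on file 4111 1111 1111 1111", "billing@example.com"),
        ("Order ref 1234 5678 9012 3456 (not a card)", "ops@vendor.example"),
    ]
    for text, dest in samples:
        print(f"{decide(text, dest):14s} -> {dest}: {text}")
```

The Luhn check is what keeps a 16-digit order reference from being treated as a card number, and the default of “internal” for unlabelled content is the conservative choice: a document nobody bothered to label is still not public. The audit log is the piece the article says is missing when staff move files to personal cloud storage unchecked.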
There are a variety of reasons data loss prevention is a critical component of a comprehensive security strategy:

  • Personal Information Protection / Compliance: Personal information – including personally identifiable information (PII), protected health information (PHI), or payment card information (PCI) – is subject to specific compliance regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Payment Card Industry Security Standards Council. The council was originally formed by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. in 2006 with the goal of managing the ongoing evolution of the Payment Card Industry Data Security Standard. If your organization collects and stores any data of these classification types, you are required by law and regulation to protect that sensitive customer information, either by performing a self-assessment for compliance or by engaging an external service provider to identify any gaps against the current standards.
  • Intellectual property: If your company manages and houses intellectual property, it is extremely prudent to ensure that these types of data, normally classified as secret or sensitive, are segmented and protected at the highest levels within the organization. These data types are at the highest risk of compromise by perpetrators and external parties. Data falling into this category includes patents, trademarks, copyrights, and trade secrets. Our firm can assist businesses in classifying and segmenting data so there is a proper balance between spending adequate resources on critical data types and reducing budget for less sensitive data types.
The significant emphasis on adopting data loss protection over the past few years has stemmed from a number of trends in the business environment: data breaches becoming more common in entities of all sizes, global regulations tightening data protection requirements in all industries regardless of size, increased use of cloud hosting and other third-party hosting services, and an increased need for data availability and tighter recovery time objectives for service providers.

Before a company implements a data loss protection strategy, proper research must be performed to ensure the provider meets the specific needs of the companies it serves in the supply chain. This includes establishing evaluation criteria with the leadership team to define the policies, implementing standards and procedures to identify, categorize, and protect company data, and determining the metrics and downstream analysis that will demonstrate the initiative’s success and progress.