Historically, data loss prevention was all about locking your network down and restricting access. It was a logical approach at the time, but it doesn’t quite cut it in today’s environment where, for example, 17% of incidents reported to the UK ICO relate to data being emailed to the wrong recipient.
Clearly, our new, collaborative world requires data governance and protection that is both more advanced and more granular. As a result, most DLP strategies have shifted towards DLP applied at the data level. This enables automatic protections that can prevent sensitive data from leaving your network at all, limit its egress to authorised devices, or encrypt it for decryption by authorised devices only.
There are more reasons to reassess your data loss prevention strategy than simply minimising the likelihood of an embarrassing breach, however. In today’s rapidly advancing environment, where big data trends like AI are reshaping the business landscape, a solid DLP strategy can be the key to enabling the next level of productivity and collaboration.
The key to a good Data Loss Prevention overhaul
The good news is that if you already have Microsoft E3 or (ideally) E5 licensing, the tools to reimagine your DLP strategy are already at your fingertips. The challenge lies in bringing the business together to make decisions on implementation and rollout – something that, historically, would have been left to the IT team alone.
This is one of the biggest differences between old and new approaches to DLP. Achieving the kind of integrated granularity that makes modern DLP so successful requires collaboration from teams across the business – including users, risk, and compliance. Input from these business functions is crucial, not only to ensure data is correctly identified and classified, but also to drive engagement and build the long-term culture change of data governance being everyone’s responsibility.
Just as the entire organisation should be aware of phishing attacks to avoid clicking on suspicious links, so too should everyone understand the risks of data loss, and their role in protecting, managing and governing data.
8 tips to take Data Loss Prevention from strategy to reality
- Gather relevant stakeholders from across the business. This builds engagement and ownership for data, contributing to successful long-term culture change.
- Identify, prioritise, and classify your data. (With an E5 licence there are opportunities to automate this process using powerful machine-learning tools, making the solution truly scalable for large organisations.) It’s as important to understand when your data is at risk as it is to understand where your data is at risk. Your “crown jewels” may be well governed and protected within a specific system, but are there scenarios in which they may be emailed within the company or shared amongst business units? Different use cases require different protections.
- Encrypt. Identify which data should be automatically encrypted.
- Enable access controls. Identify which users should have access to which data.
- Monitor. Test how your controls work by monitoring data access post-implementation, and make the necessary adaptations/improvements to ensure controls don’t hamper productivity.
- Communicate and educate. Take your users with you on your data governance journey, helping them understand the risks, controls and responsibilities they have.
- Ongoing auditing and incident response. Keep a watchful eye to ensure your solution is doing what it’s supposed to and adapt as necessary.
- Start small. Pick one business area with a specific type of sensitive data. Test, pilot and roll out a DLP solution and then move on to the next business area/type of document/data.
We can help
If you’re struggling to make headway with your DLP strategy, our security, risk and compliance experts can be an invaluable asset to your team. From facilitating the right conversations to identifying the best combination of controls to achieve your desired outcomes, we’ll have your DLP journey on the road before you can say “data leak”.