Data Leakage Prevention: Resurgence of DLP
Data Leakage Prevention: Resurgence of DLP
Data Leakage Prevention: Resurgence of DLP
PREVENTION
Organisations handle a plethora of sensitive data, such as trade secrets, customer data, pricing lists, trading
algorithms and acquisition plans. This data can be leaked to unscrupulous competitors, organised criminal
groups and other entities via a multitude of channels, including email, the internet, portable storage devices
and cloud services.
Data leaks can be expensive, harm an organisation’s brand and reputation, and diminish trust. Customers
and shareholders alike expect organisations to take appropriate measures to properly safeguard their data
and investment. A successful data leakage prevention (DLP) programme can significantly reduce these risks.
RESURGENCE OF DLP To prevent the actual leakage of data, DLP tools need to
Interest in DLP technology quickly waned when it first came be carefully configured to block activities that put data at
to market due to the complexity of deployment, cost of risk. However, many organisations are reluctant to enable
investment, and inability to demonstrate business value. the blocking functionality for fear of disrupting business
However, cloud adoption, mobile computing and remote operations. This can limit the effectiveness of DLP.
working, coupled with major data breaches and new regulatory
requirements, such as the EU General Data Protection
NEED FOR A HOLISTIC APPROACH
Regulation (GDPR), have prompted organisations The full benefits of DLP can only be realised if organisations
to take a fresh look at DLP. implement DLP for clearly defined purposes and in a
structured, systematic manner that incorporates people,
Meanwhile, DLP technology has matured and is steadily process and technology. ISF Members reported that DLP can be
progressing towards a mainstream security control.1 a success when approached as part of a dedicated programme
DLP’s recent surge in popularity is reflected within the ISF for reducing the risk of data leakage.
Membership – to date, 42% of surveyed ISF Members have
implemented DLP and a further 45% are either running a Figure 1: Survey results of ISF Members who have implemented
DLP pilot or planning for deployment.2 a DLP programme
DLP CAPABILITIES
In today’s business environment, organisations handle a vast
amount of data that is increasingly easy to access and share,
and more vulnerable to leaking. DLP technology offers a set of
capabilities to manage the risk of data leaks – but it has some
limitations. 57% delivered return
72% achieved 72% demonstrated
objectives on investment risk reduction
For instance, DLP technology can only detect sensitive data in
a digital format and is used primarily to monitor conventional
channels of data leakage, such as email, the internet and Based on the experience of ISF Members, this report provides
USB. Although DLP technology is evolving to protect newer guidance on how to optimise a DLP deployment, describing
channels, it does not capture all types of sensitive data or the ten key attributes of a successful DLP programme. It
cover all conceivable scenarios of data leakage. emphasises that a focus on technology alone will likely lead to
the relegation of DLP tools to shelf-ware.
1 The enterprise DLP market is expected to grow at a compound annual growth rate of 16.28% between 2018 and
2023: Enterprise Data Loss Prevention Market – Industry Trends, Opportunities and Forecasts to 2023, https://www.researchandmarkets.com/research/npbpsp/global_enterprise?w=4.
2 Figures based on survey sample size of 147 ISF Members, correlated by ISF Security Healthcheck statistics.
1 What is data leakage prevention?
Data leakage prevention (DLP) can be defined as the practice of detecting and preventing the unauthorised disclosure of data.
Also referred to as data loss prevention and data loss protection, the main purpose of DLP is to ensure that specified sensitive
data is not leaked. It can also be used to help prevent data being mishandled or improperly accessed. DLP can be broken down
into the following three core activities:
IDENTIFY data to There are many different types of information that are valuable to organisations (known as information
protect against leakage assets) which need to be kept confidential (e.g. market strategies, payment card information, personal health
information, source code, product designs and employee data). Information may exist in digital, physical or
spoken formats.
MONITOR channels Digital data can leak through a variety of channels (also referred to as vectors) including email, social media
of data leakage and portable storage devices. Channels are monitored to understand data flows and detect activity that
indicates the leakage of data. Some channels can be difficult to monitor due to their nature (e.g. verbal
disclosure of information and printed documents left in an insecure location).
ACT to prevent data There are a range of actions that can be taken to stop data from leaving an organisation (e.g. alert users to
from leaking their risky behaviour, quarantine outbound email messages containing sensitive data, block the transfer of
data to portable storage media, and locate office equipment in a physically secure environment).
DLP tools and related technologies are used to help perform these core activities, which are illustrated in Figure 2 and explored
in more detail on the following pages.
– Personal data
– Customer data
Email Internet Removable Collaboration Cloud Database/
– Intellectual property media devices platforms File storage
Log Notify Block
– Business & governance data
+
– Financial data
– Sales & marketing data Printer/MFD File-sharing Camera Paper Clipboard Voice
applications
There are an increasing number of technologies, which are labelled as DLP that vary in their capabilities and perform different
aspects of DLP. The focus of this report is DLP tools, which are designed to identify data, monitor its usage and movement,
and take actions to prevent data from leaking. DLP tools (also known as enterprise DLP) are usually offered as a comprehensive
suite of products that cover multiple channels.
“DLP only protects what you tell it! Plan and understand the environment, have data classification
and know what it is you are trying to protect.” – ISF Member
As an alternative to using DLP tools, organisations may choose to utilise DLP functionality embedded into other security products
(e.g. secure web gateway, secure email gateway, email encryption and device control) or cloud-based services (e.g. Microsoft
Office 365). DLP offered as a feature of existing products (also known as integrated DLP) is typically restricted in capability and
may only protect a single channel.
Conditions instruct the DLP tool what data to look for and when to take action by defining the content to detect (e.g. type of data)
as well as the context (e.g. file type, file size, sender or recipient). When data matches the conditions, the system reports a policy
violation (also known in the context of DLP as an ‘incident’). DLP policy violations can be user or system generated (e.g. a finance
system emailing payslips automatically). Exceptions may be added to exempt certain data or activity from matching the condition
and triggering the rule.
Actions stipulate how the DLP tool acts to protect the content when the conditions are met (e.g. log the policy violation, notify
the user, encrypt a file or block copy of data to clipboard). Different actions can be applied depending on the level of risk, number
of matches within a given transmission or severity of the policy violation (e.g. transfer of 20 customer records versus 200 records;
internal versus external sharing of data).
A DLP policy can apply to one or more channels of data leakage. It need not apply enterprise-wide; it may be more appropriate to
limit its application to certain users, a user group or geographic region. Examples of DLP policies are shown in the table below.
Source code Detect content containing Allow transfer of data to Block transfers containing source code
proprietary source code company X, selected to conduct (including web postings, email messages
a source code review and copy of files)
Credit cards Detect content that matches None Quarantine data in cloud applications,
the credit card number, using files and messages:
a Luhn algorithm − send an email notification to the user
− allow the user to provide business
justification for release
Project penguin Detect content containing key phrase Allow transfer of data Block transfer of content to external recipients
‘project penguin’ and intended for to John Doe (external Encrypt email transmissions to John Doe
an external recipient legal counsel)
Medical records Detect content that matches words Exclude emails marked Block transfers including copy of health
or expressions from a list of common as ‘personal’ data to a portable storage device
medical conditions Display on-screen notification stating file
transfer violates a specific DLP policy
DLP policies can be created by using predefined templates or building custom policies. Most DLP tools provide a library of predefined
policy templates to detect data that is subject to regulatory requirements, such as the GDPR, the Payment Card Industry Data Security
Standard and the US Health Insurance Portability and Accountability Act. Policy templates may cover industry-specific data that adheres
to a standard format (e.g. credit card number or SWIFT code) and country-specific data (e.g. Canadian social insurance number, French
passport number, Irish International Bank Account Number, New Zealand national health index number or UK driver’s licence number).
Other policy templates are more generic and designed for different use cases, such as protecting certain types of sensitive data
(e.g. content classified ‘top secret’, information pertaining to oil drilling or software design documents). Tools may also include
policy templates for detecting acceptable use transgressions (e.g. indecent images, profanities or racism) and employee discontent
(e.g. distribution of a curriculum vitae).
Predefined policy templates should be customised to meet an organisation’s specific needs, providing a quick and easy starting point
for deploying DLP tools.
It is common for organisations to use DLP to detect and prevent the leakage of their mission-critical information assets
(i.e. information assets of greatest value and would cause a major business impact if compromised). Refer to the ISF implementation
guide Protecting the Crown Jewels for further guidance on approaches to securing mission-critical information assets.
DLP tools protect sensitive data held in a readable digital format. To protect sensitive information in physical and spoken formats, DLP
tools need to be complemented by other security controls, such as procedures for the proper handling and disposal of information.
DLP tools typically incorporate different techniques to detect sensitive data (referred to as ‘content’). They are well-suited to
finding explicit keywords or alphanumeric patterns within data but can fail when data is complex (e.g. scientific data sets) or
purposely obscured (e.g. Zip files that can be compressed, encrypted and password-protected). Detection techniques commonly
provided in DLP tools include:
Described content Matches content using regular expressions, defined strings, keywords, patterns or dictionaries (a list of specific
matching terms, keywords or key phrases). Instances of described content include credit card numbers, social security
numbers, and files containing certain metadata such as a classification (e.g. confidential or secret).
Fingerprinting Takes a cryptographic hash of a sample file or file contents to create a ‘fingerprint’. Content is then checked against
(Indexing) the fingerprint for complete or partial matches (i.e. to detect either the complete text or excerpts that match the
sample document). This technique can be effective for both structured and unstructured data but requires the ‘data
sources’ (e.g. documents and files) to first be identified and prepared.
Machine learning Uses algorithms and statistical techniques to determine if content is similar to example documents, which are
(Statistical analysis) provided for the DLP tool to learn from as representative of the type of data to protect. Common use cases for this
technique include source code, software design documents and other data that is not practical to fingerprint or
difficult to describe with accuracy.
Optical character Analyses image files (e.g. screenshots or scanned documents) and extracts text to find matches for sensitive content.
recognition
(Image recognition)
For global organisations, consideration should be given to how a DLP policy applies across multiple jurisdictions (e.g. using an alphanumeric
pattern to detect sensitive data in one jurisdiction may cause benign information to be flagged as a policy violation elsewhere).
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
The findings depicted in Figure 4 show that most organisations focus on email because it is perceived to be one of their primary
channels of data leakage and the easiest to protect using a DLP tool. New and emerging channels (for example mobile devices
containing high-resolution cameras) are relatively poorly covered, illustrating potential gaps in channel coverage.
Refer to the ISF briefing paper Managing the Insider Threat for further details about the three types of risky insider behaviour.
DLP tools should be not be treated as a long-term remedy for insecure business processes.
Types of action
A DLP tool can respond to a policy violation in one of three ways: log, notify or block (referred to as ‘modes’). Each mode should
be enabled sequentially to ensure DLP policies are enforced appropriately and do not disrupt business operations.
“Start with monitoring/detecting before implementing any protective controls.” – ISF Member
In log mode (also known as monitoring), policy violations are recorded in log files, allowing for analysis and investigation.
The individual responsible for the policy violation is not notified.
Once a policy rule has been fine-tuned and is delivering the required results, notifications can be introduced to advise individuals
that they violated a DLP policy. To compel a change in user behaviour, a copy of the message may be sent to the individual’s
manager. Types of notification include:
‒‒ sending an email to notify the user that their behaviour breached corporate policy but still permit the activity with guidance on
approved handling of data
‒‒ presenting a pop-up warning with an option for the user to cancel the data transfer.
Blocking is the third type of action that can be applied in response to a policy violation (e.g. email containing credit card data,
external file-sharing of source code or instant messaging of medical details). It can be divided into three categories: hard block,
soft block and other actions to remediate incorrect handling of data, as shown in the box below.
Blocking
Hard block, for example: Soft block, for example: Other actions to remediate incorrect
‒‒ block transfer of email message or file ‒‒ move file to another location handling of data, for example:
‒‒ disable download, copy or print options ‒‒ quarantine email message pending ‒‒ add visual tag
‒‒ delete attachment or file. business justification for release ‒‒ change access controls to restrict access
‒‒ redact sensitive data in web post or to the file
email and allow transfer. ‒‒ encrypt file or message.
Figure 6 shows the common actions taken by DLP tools, which surveyed ISF Members apply to data in motion, in use and at rest.
These three states of data are explained on the following page.
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Data in motion Data that is traversing a network, DLP tools can monitor network traffic through network sniffing and deep content
such as the internet or a private inspection to identify sensitive data travelling via a variety of means including email,
network (e.g. local area network). file transfer and HTTP (web).
Data in use Data that is being processed on DLP tools can provide visibility of how users interact with data on endpoints by
endpoint devices. installing DLP agents on target devices. The scope of activity monitored can vary
between DLP tools but may include copy and paste between applications, print
functions and download to portable storage devices (e.g. USB).
Data at rest Data in storage, such as in file DLP tools can inspect storage repositories and systems (indexing, opening, reading
systems, servers, databases, the and analysing files) to detect files that contain sensitive content. Scans may be set to
cloud and endpoint devices (e.g. occur in real time, at regular intervals or on demand (e.g. ahead of a security audit).
laptops and desktops). Scanning may be performed remotely or by agents installed locally.
The technical architecture for the deployment of DLP tools needs to be carefully designed to integrate with existing infrastructure.
A typical DLP architecture consists of four main architectural components as illustrated in Figure 7.
The central management console provides a single interface to author, implement and manage DLP policies across all data leakage
channels covered by a DLP programme. The console also consolidates logging, reporting, review of policy violations, incident
remediation and system administration.
“Business side activity: 75%; IT implementation (including testing): 25%.” – ISF Member
The network component often involves passive monitoring of network traffic, lacking the ability to intervene with user activities.
To apply preventative capabilities (e.g. blocking), data needs to be passed to DLP tools for analysis and handling, which can
be achieved by deploying software agents (e.g. on endpoints) or by integrating with web proxies, email services and storage
repositories. Increasingly, DLP tools include the capacity to extend DLP policies to cloud services by integrating with a cloud access
security broker (CASB) or cloud-delivered web gateway.
It does not take much effort to leak data but the business impact can be severe. Depending on the data leaked and extent of
exposure, potential consequences include regulatory penalties, negative publicity, loss of competitive advantage, brand damage,
erosion of customer trust and disruption to business activities, all of which can result in an organisation suffering financial losses.
DLP can help to mitigate the potential costs associated with sensitive data leaking. Securing data from unauthorised disclosure
can also set an organisation apart in terms of their information security maturity, especially if DLP is mandated as a requirement
by prospective clients or business partners.
DLP enables organisations to detect what data is leaking and demonstrably reduce
incidents of data leakage by blocking or otherwise restricting activities that put data 77% of surveyed ISF Members
at risk, whether initiated by the user or system generated. Additional benefits can implement DLP to reduce the
frequency or magnitude of accidental
also be derived from DLP, which include:
data leakage; almost the same
‒‒ supporting compliance with global, regional, country and industry-specific implement DLP to mitigate malicious
regulatory requirements data leakage (76%).
‒‒ gaining visibility of the usage and movement of sensitive data
‒‒ improving the security awareness and behaviour of users
‒‒ detecting the exfiltration of data by external hackers.
Implementation of DLP can help to identify signs of hacker activity on a network by detecting suspicious attempts to exfiltrate data via
channels that are monitored by DLP tools.
DLP LIMITATIONS
While DLP offers many benefits, it does have limitations that organisations will need to manage. In today’s world, the explosion of
information has created much more data to protect, which can leak through more channels than ever before due to technological
advances and new working trends.
The challenges of preventing data leakage cannot be solved by DLP tools alone due to gaps in their coverage and capabilities.
DLP tools are unable to:
‒‒ detect all content containing sensitive data “DLP isn't something you switch on and everything
‒‒ monitor all channels of data leakage is protected.” – ISF Member
‒‒ act to prevent every occurrence of data leakage.
ISF Members identified the following aspects of DLP that can diminish the business value of a DLP deployment.
Data is dispersed
Data is scattered across different environments – it is often replicated in various storage repositories and platforms (including
cloud services and geographically distributed data centres), constantly transferred out of an organisation and accessible from
personal devices or networks that may not be controlled by an organisation. This wide dispersal of data affects how it can be
scanned and protected by DLP tools.
Traditional DLP tools are designed to prevent the leakage of data already within the control of the organisation. While DLP
technology is evolving to extend coverage to mobile devices, the cloud environment and beyond, there will still be gaps where
data remains beyond the reach of DLP tools and can leak.
50% of Benchmark respondents do not review policy violations to help minimise false negatives and false positives.
Blocking can interfere with user workflow and cause a degradation in productivity. However, to leave DLP tools running purely in
log or notify mode can reduce the value of deploying DLP, unless the main objective is to gain visibility into data usage and report
policy violations. By carefully tuning DLP policy rules with business input, organisations can ensure blocking does not disable
operations or impede business processes.
Significant effort and resources need to be dedicated to the planning and preparation of a DLP deployment, the success of which
relies substantially on effective business engagement. A DLP programme should account for the organisational and human
factors of DLP, as well as apply robust processes for securing sensitive data. It should be supported by DLP tools but not take as
its starting point or primary component the selection and implementation of DLP tools. Section 3 defines the key attributes of a
successful DLP programme.
– Assign roles and responsibilities – Select DLP tools – Determine how to respond
to policy violations
– Integrate DLP tools into existing
environment – Deploy DLP incrementally
Effective implementation of a DLP programme is not as simple as ticking a list of check boxes. To position a DLP programme for
long-term success, significant effort should be dedicated to effective governance and preparatory activities for implementation,
which include – but are not limited to – deployment of DLP tools.
“You may (likely will) find that your programme will succeed or fail based on the buy-in
that you get from your business partners.” – ISF Member
DLP inherently involves monitoring employees’ communications and online activities, and by extension third party messages, which
raises legal concerns that need to be carefully considered prior to deploying DLP tools. There are a variety of laws relating to privacy,
data protection, employment, interception of data and telecommunications that apply to monitoring and data processing in the
context of DLP.
The extent to which these laws constrict the scope and coverage of a DLP programme, or otherwise mandate specific measures, will
depend on the given legal system (e.g. in some countries, such as Germany and Austria, deployment of DLP technology may require
agreement with a ‘works council’). For global organisations, the legal complexity can prove particularly acute given the requirement to
plan and execute a DLP programme that takes account of variances in local laws across multiple jurisdictions. Legal advice should be
sought to ensure implementation of a DLP programme adheres to all applicable laws.
A DLP programme does not address all aspects of protecting data but instead concentrates on implementing the relevant tools,
procedures and processes for preventing specific sensitive data from leaving an organisation. A DLP programme should therefore
be approached as just one element of an organisation’s data protection strategy.
This section is not intended as an implementation guide or an end-to-end process map for installing DLP. Rather, it reflects good
practice within the ISF Membership and the areas on which to place focus to fully derive the benefits of a DLP programme. Each key
attribute is explained on the following pages in the order that a DLP programme would typically follow.
Implementation of a DLP programme is a multi-phase undertaking that does not end with the installation of DLP tools or creation
of DLP policies. To realise the value of a DLP programme and optimise its performance, organisations need to continually
maintain, review and refine their DLP programme.
“DLP requires scheduled review and assessment to ensure relevance and to comply
with the latest technology trends.” – ISF Member
Surveyed ISF Members recommended establishing a steering committee to provide strategic direction, advise on business issues, set
risk reduction priorities and monitor the progress of DLP against agreed objectives. A steering committee should include representatives
from key departments, such as information security, IT, legal, human resources, compliance, privacy and risk management. An executive
sponsor should be appointed as early as possible to champion DLP and ensure it is a success.
Executive management should contribute to the organisation’s information risk assessments and therefore be involved in
identifying DLP as an appropriate risk treatment action. This way, DLP is deployed as a business initiative endorsed by executive
management from the outset, providing an important mandate for business stakeholders to dedicate time and resources to
developing a successful DLP programme.
Other factors that can influence the scope of a DLP programme include speed of risk reduction, costs, resourcing and timescales.
Organisations should also consider which supporting technologies and compensating controls to include within scope because
they either optimise the performance of DLP tools or protect data leakage channels that are not adequately covered by DLP tools.
The roles and responsibilities of those involved in a DLP programme need to be clearly defined, particularly since implementation
requires the input of representatives from various business functions (e.g. business operations, IT, information security, legal and
HR). Of ISF Members surveyed, those with a cross-functional DLP team were more likely to achieve their programme’s objectives and
deliver return on investment than Members who appointed either IT or information security to be primarily responsible for DLP.
To prevent misuse of DLP, duties should be segregated so the technical maintenance of DLP tools, the management of DLP policies
(i.e. author, update and delete) and review of policy violations cannot be carried out by the same individual or function.
An ISF Member reported that to bolster collaboration they had co-opted business representatives into their DLP team for a specified
period to gain the institutional knowledge of the business. Another approach was to nominate business representatives (e.g. data
owners) to provide direct support with the triage of DLP policy violations.
Regular engagement with business representatives from across the organisaion is necessary to assist with both the configuration
of DLP policies and review of the policy violations generated. Short of business input, a DLP tool cannot be properly tuned to
protect what is important to the business. Equally, the authorised use of data may not be apparent to those outside a given
business function (e.g. whether or not an email to an external party concerning a business transaction should be blocked).
“When you ‘sell’ the DLP service to business, make sure you explain that this is just one control...
make sure they understand where their information is still vulnerable.” – ISF Member
By monitoring how data is transmitted, used and stored, DLP tools can provide insight into how an organisation works and expose
insecure habits that need to be addressed. In turn, DLP tools can be configured to send an email or display pop-up notifications to
coach users on how to handle data appropriately with options for immediate self-remediation. This real-time feedback can result
in a considerable drop in risky behaviour as users change the way they act and think about handling data.
Awareness activities tailored to DLP should be initiated ahead of deploying DLP tools to inform individuals what they can expect
from a DLP programme and avoid undue surprises. It should address the value of data, why DLP is being adopted and its business
benefits. This communication to the business will help foster a positive perception of DLP and prepare employees for actions that
block or otherwise intervene with user activity.
ISF members reported a drastic reduction in DLP policy violations in Eliminating the noise attributable to poor security awareness allows
areas where the level of security awareness was raised, whether due other policy violations to be investigated in more depth and is a useful
to notifications, blocking or a security awareness campaign. metric by which to demonstrate the value of DLP.
Deploying DLP may require a culture shift within an organisation to There is the potential for employees to become careless and
create a corporate environment, where security is regarded as a complacent in their handling of data under the false assumption
priority. Just as DLP can improve security awareness via educational that DLP tools or other technology is able to detect and correct all
pop-up messages, a security conscious culture will benefit DLP user mistakes. This is why training needs to be refreshed at regular
implementation. intervals.
The initial response to a policy violation typically involves verifying its validity, the context and severity. This triage process may be
performed by a small, centralised team dedicated to the task or by nominated individuals from relevant business functions, with
the option to escalate to appropriate personnel – such as HR, legal or compliance – for further investigation. If a policy violation
proves to be an actual incident of data leakage, it should be integrated into wider security incident management processes.
Some ISF Members use a playbook to record their DLP policies, documenting how they are configured, who the data owners are and
how to respond to different types of policy violations (e.g. send an automated email to the user involved with guidance on the secure
handling of data, notify the user’s manager or impose restrictions on the user pending further investigation).
“Determining a process flow for incident remediation early in the project is crucial as these incidents
can escalate into huge amounts of data, which will make fine-tuning policies a little
more challenging and time consuming.” – ISF Member
“Obtain proof through a small deployment and then expand the deployment.” – ISF Member
An implementation pilot, which is limited to a representative group of users, a business unit or a region, should precede wider
deployment. This pilot will often focus on just one type of sensitive data and target a single data leakage channel, such as email.
Deployment of DLP should start small with one or two policies relating to a single ‘use case’ to ensure proper configuration and
effective performance of DLP tools. Additional DLP policies can then be introduced gradually.
Organisations should design a phased implementation plan for expanding their DLP programme, which takes account of:
‒‒ adding DLP policies to broaden the types of sensitive data protected
‒‒ improving the way existing channels are monitored
‒‒ extending DLP to monitor new channels of data leakage
‒‒ moving from logging policy violations to notify and block actions.
DLP policy rules should first be run in log-only mode (also known as monitor-only mode) to review the alerts generated and
effectiveness of the policy. This allows time to fine-tune each policy to improve its accuracy and determine its potential business
impact before enabling blocking or other response actions. Business input during the log phase is vital – it helps to minimise false
positives, highlight business requirements and reveal business activities that the DLP policy may disrupt once response actions
are applied.
When blocking is enabled, there should be a process for efficient recovery of quarantined or blocked information that is time-sensitive
(e.g. relates to an urgent business transaction), otherwise the IT helpdesk (or equivalent) may receive constant requests for the
release of data. This may be achieved by displaying an on-screen notification, allowing users to select from an agreed list of business
justifications for the transfer of data.
For many ISF Members, the ability to confidently turn on blocking is itself a measure of a DLP tool’s success. It provides assurance
that certain data cannot leave an organisation via a given channel without relying on scanning and analysis of policy violations to
detect data leaking.
As data breaches continue to hit media headlines with costly consequences, organisations are realising the importance of taking
a systematic, structured approach to detect and prevent the leakage of sensitive data. DLP technology has existed for some time
but has experienced a resurgence in recent years. ISF Members reported that they are now achieving success with DLP technology
when it is deployed as part of a dedicated DLP programme.
DLP tools alone cannot prevent the leakage of all types of sensitive data across every possible channel. DLP capabilities are now
extending to the cloud, mobile devices and other emerging technologies, but blind spots will inevitably remain and obscure the
occurrence of data leaks.
Ultimately, the value of DLP is to block suspected leaks and stop sensitive data from leaving an organisation, whether via file
uploads, copy and paste, printing, social media posts or email. Failure to block will limit the value of DLP to simply detecting –
rather than preventing – the leakage of data. A balance must be struck, however, between blocking risky activities and impeding
legitimate business operations.
A prerequisite of a successful DLP programme is support from executive management and ongoing collaboration with business
representatives. By implementing a comprehensive DLP programme that encompasses awareness training, tools, supporting
technologies and other security controls, organisations can compensate for weaknesses in DLP technology and proactively
manage the risk.
WHERE NEXT?
The ISF encourages collaboration on its research and tools. ISF Members are invited to join
the Process community on ISF Live to share experiences and discuss practical approaches
for implementing a successful DLP programme.
CONTACT
For further information contact:
Steve Durbin, Managing Director
US: +1 (347) 767 6772
UK: +44 (0)20 3289 5884
UK Mobile: +44 (0)7785 953 800
steve.durbin@securityforum.org
securityforum.org
PUBLISHED BY
Information Security Forum Limited
+44 (0)20 3875 6868
info@securityforum.org
securityforum.org
AUTHOR
Emma Bickerstaffe
DESIGN
Kim Whyte
WARNING
This document is confidential and is intended for the attention of and use by either organisations that are
Members of the Information Security Forum (ISF) or by persons who have purchased it from the ISF direct.
If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF
on info@securityforum.org. Any storage or use of this document by organisations which are not Members of
the ISF or who have not validly acquired the report directly from the ISF is not permitted and strictly prohibited.
This document has been produced with care and to the best of our ability. However, both the Information
Security Forum and the Information Security Forum Limited accept no responsibility for any problems or
incidents arising from its use.
CLASSIFICATION
Restricted to ISF Members, ISF Service Providers and non-Members who have acquired the report from the ISF.
REFERENCE: ISF 18 07 01 ©2018 Information Security Forum Limited. All rights reserved.