Client A implemented DLP blocking early in the project and blocked several key business transactions. They had not defined a process to review and resolve false positives quickly, and once the business users became unhappy it led to the removal of the DLP solution.
Organizations have had a tumultuous relationship with Data Loss Prevention solutions – everybody loves the idea of improved security, but chafes against the inconvenience. In our experience, the main challenge is that DLP implementations start off too aggressively by blocking users from sending data that is necessary for legitimate business transactions. The business wants to work securely, but work is hard enough without having your security solution shut you down completely!
Client B implemented DLP quickly to ‘get operational’ as fast as possible without taking the time to tune the policies in the tool, identify process and security policy issues, or educate end users. The end result was such a high volume of incidents that the DLP team was quickly overwhelmed. So much so that they turned the tool off until they were able to catch up on the incidents. In fact, they went through several cycles of turning the tool on and off. Needless to say, their DLP solution delivered ‘spotty’ results.
To prevent this from happening to your organization, we recommend several best practices below to ‘learn as you go’ and balance your DLP efforts to improve security against the need to minimize the impact to business operations.
Getting Started: 4 Data Loss Prevention Best Practices
- Begin with a DLP Pilot to refine requirements and tune policies.
It’s important to understand how a DLP solution will affect both your IT and business users. DLP solutions can monitor a wide range of threat channels, from cloud solutions to endpoints, network and storage. We recommend beginning with a small pilot of 50 or fewer users in a Monitor-only mode and watching the incidents that come in. During this time, you can learn what triggers false positives and tune the DLP policies to catch what’s really important and ignore the noise.
- Define the Operating Model for the DLP program.
DLP is often seen as a technical implementation; however, DLP is a lot more than just installing the software to monitor and manage sensitive data. Organizations that do not stand up a program and processes will not get the value out of the tool and will likely wind up turning it off in short order. Ideally, your security team will review and respond to incidents. The first question to answer is: can our existing staff handle the increased incident volume? If the answer is ‘no’, then you’ve identified your first issue! Here are some other questions to consider:
i. Who reviews incidents?
ii. Who remediates incidents?
iii. What is the process to investigate/remediate an incident?
iv. Does the DLP project have an executive sponsor to support adoption and overcome organizational barriers?
- Begin with Monitoring activity and then start Notifying users.
DLP monitoring is a great way to gather information about sensitive data, incidents, and user behaviors without impacting how users work. Think of this as the Learning Stage, where you can identify challenges before they become end user issues. The data collected during the Monitoring stage will allow you to tweak policies, identify potential process issues, and learn which users are ‘frequent flyers’ on the data loss dashboard. Frequent Flyers may have a legitimate business reason to send sensitive data, and this is the opportunity to work with users and their managers to determine who needs to be on the DLP exclusion list.

After several weeks (or months) of Monitoring, the next step is Notifying. During the Notify Stage, the end user is informed that they have violated DLP policies and is warned with a pop-up notification; however, they are allowed to continue their activity. This strategy is part of raising awareness and reinforcing training so that end users handle sensitive data properly. Once the Notifying Stage has been completed and users are trained, you can start implementing policies that actively protect sensitive data.
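To show how pilot tuning (practice 1) and the Monitor, Notify, Block progression with an exclusion list (practice 3) fit together, here is an added Python example; it is not code from the original post or from any DLP product. It is a toy policy engine with one credit-card detector: the naive pattern flags any 16-digit run, while the tuned version accepts separators and adds a Luhn checksum so order numbers and ticket ids stop generating incidents. Constructed sample messages are run through the three stages, reviewed frequent flyers are placed on an exclusion list, and the incident counts under the naive and tuned detectors are compared. Every name here (`Policy`, `Event`, `evaluate`, the `example.com` users, the message text) is an assumption made up for the illustration; 4111111111111111 is a widely published test number, not a real card.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    MONITOR = "monitor"   # learning stage: record incidents only
    NOTIFY = "notify"     # warn the user, let the action through
    BLOCK = "block"       # enforcement stage: stop the transfer


@dataclass
class Event:
    user: str
    channel: str   # e.g. "email", "upload"
    text: str


@dataclass
class Policy:
    name: str
    mode: Mode
    exclusions: set = field(default_factory=set)  # users with a reviewed business need
    tuned: bool = True                            # use the Luhn-checked detector


# Untuned detector: any run of 16 digits. Order numbers and ticket ids trip it.
NAIVE_CARD = re.compile(r"\b\d{16}\b")
# Tuned detector: 13-19 digits with optional space/dash separators, then a Luhn check.
TUNED_CARD = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum that real card numbers pass; most random digit runs fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str, tuned: bool = True) -> list:
    """Return normalised card-like numbers found in text under the chosen detector."""
    pattern = TUNED_CARD if tuned else NAIVE_CARD
    hits = []
    for m in pattern.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not tuned or luhn_ok(digits):
            hits.append(digits)
    return hits


def evaluate(policy: Policy, event: Event) -> dict:
    """One incident record: what matched and what the current stage did about it."""
    matches = find_cards(event.text, policy.tuned)
    if not matches:
        action = "none"
    elif event.user in policy.exclusions:
        action = "excluded"   # reviewed business need: allowed, but still visible
    else:
        action = {Mode.MONITOR: "logged", Mode.NOTIFY: "notified",
                  Mode.BLOCK: "blocked"}[policy.mode]
    return {"user": event.user, "channel": event.channel,
            "matches": matches, "action": action}


def run_stage(policy: Policy, events: list) -> list:
    """Incidents only; clean events are dropped so the list reflects real review load."""
    return [r for r in (evaluate(policy, e) for e in events) if r["action"] != "none"]


def frequent_flyers(incidents: list, threshold: int = 2) -> dict:
    """Users who keep appearing on the dashboard: candidates for an exclusion review."""
    counts = Counter(i["user"] for i in incidents)
    return {u: n for u, n in counts.items() if n >= threshold}


def compare_tuning(events: list) -> tuple:
    """Incident volume under the naive versus the tuned detector, both in monitor mode."""
    naive = len(run_stage(Policy("pci", Mode.MONITOR, tuned=False), events))
    tuned = len(run_stage(Policy("pci", Mode.MONITOR, tuned=True), events))
    return naive, tuned


# Constructed sample traffic for the pilot; the first message is a false positive.
SAMPLE_EVENTS = [
    Event("alice@example.com", "email", "Order 1234567890123456 shipped yesterday"),
    Event("bob@example.com", "email", "Card on file: 4111111111111111, exp 12/29"),
    Event("bob@example.com", "upload", "refund for 4111111111111111 approved"),
    Event("carol@example.com", "email", "Lunch at noon?"),
]

if __name__ == "__main__":
    print("naive vs tuned incidents:", compare_tuning(SAMPLE_EVENTS))
    monitor = run_stage(Policy("pci", Mode.MONITOR), SAMPLE_EVENTS)
    print("frequent flyers after monitoring:", frequent_flyers(monitor))
    enforce = Policy("pci", Mode.BLOCK, exclusions={"bob@example.com"})
    for record in run_stage(enforce, SAMPLE_EVENTS):
        print(record)
```

The point of the `compare_tuning` step is the one the pilot is meant to surface: the naive detector produces three incidents on this traffic, the tuned one produces two, and the one it drops is the order number that would have blocked a legitimate shipment if the policy had gone straight to Block. Running the same events through `Mode.BLOCK` with Bob on the exclusion list shows the other half of the practice: his refund workflow, reviewed during monitoring, keeps working while the incident still appears on the dashboard.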
- Deploy DLP in Phases.
This best practice is especially true for organizations that are working to deploy a DLP solution globally. Data Privacy rules in Europe, Russia, and other countries/regions are much more stringent than in the United States. Organizations with U.S. operations will be able to roll out DLP without too many legal hurdles; however, attempting to deploy DLP across all countries simultaneously would be a nightmare. Deploy DLP in phases and develop a roadmap that starts with countries that have the fewest legal hurdles to implementation.