A Business Case for Data Loss Prevention – Are you ready for a DLP Solution?

Runa Tripathy   

The explosion of business communications has given many more people access to corporate data. Some of these users can be negligent or malicious. The result: a multitude of insider threats that can expose confidential data with a single click. Many government and industry regulations have made DLP a requirement.

Open any cyber-security forum discussion and you will be flooded with news of the data breaches that organizations suffer day in and day out. It almost seems as if data breaches have become a part of life, and unless organizations take technologies like DLP more seriously, they will continue to suffer from the loss and compromise of sensitive information.

Data loss prevention, more commonly known as DLP, is a technology that helps organizations identify, monitor and protect data in use or in motion on the network, as well as data at rest in storage or on desktops, laptops and mobile devices.

A DLP solution is usually implemented by IT for the business, in close association with various business departments. A DLP implementation requires strong commitment and support from upper management, and the full involvement of middle management, IT operations and the business/data owners of the various departments. That said, it is interesting to note that even today, while most organizations are successful at filtering inbound malicious content and deflecting unauthorized entry attempts, they lag in implementing technical solutions that effectively address data breaches.

DLP is one technology where ROI is easily visible for organizations that have a business need to protect intellectual property, patents, research, etc. So, how do you as an enterprise know whether there is a business need for DLP in your organization?

As organizations recognize the growing risk of data loss and the importance of data protection, DLP solutions become more attractive. Although most organizations express an awareness of DLP capabilities, they struggle to make the business case for the product’s adoption, and achieving project buy-in from executives is a key first step in any security endeavour. Although a DLP project can hold the interest of executives for its sheer ability to support regulatory compliance requirements, the difficulty lies in justifying the project’s costs against its benefits, which largely involve mitigating the risks of information loss and providing a technical means to keep information from leaving the network. Identifying top security drivers as problems addressed by DLP solutions helps increase executive support for a business case.

Key Drivers of DLP

There are innumerable key drivers that can establish the need for a DLP solution. Some of the most popular use cases are the need for compliance, enhanced property protection, and improved security awareness and training, among many others. Let us explore some of these needs.

COMPLIANCE:

Requirements such as the GDPR, HIPAA, GLBA, the PCI data security requirements, etc. are ushering in a new era of accountability, in which every regulated organization that collects, stores and uses sensitive customer data needs to meet new standards. Consequences for non-compliance can include fines of up to four percent of annual worldwide turnover, and instructions to cease processing. Technology controls are becoming necessary to achieve compliance in certain areas. DLP provides these controls, as well as policy templates and maps that address specific requirements, automate compliance, and enable the collection and reporting of metrics.

PROPERTY PROTECTION:

Many companies nowadays have innovation and creativity at their core, and it is these intangible assets that allow them to profit and compete in their respective markets. Depending on the sector, intellectual property can mean different things. For tech companies, it can take the form of patents or proprietary source code. For businesses in the entertainment sector, it can be audio or video files.

Intellectual property is often interwoven directly or indirectly with company profit. Taking the previous examples, a pioneering product gives IT developers a competitive edge, whereas the lawful sale of audio and video content or being a trustworthy link in the production chain of that content is how many entertainment companies make their money. The theft or public release of intellectual property can, therefore, be fatal to not only an organization’s bottom line but its continued existence.

Data Loss Prevention (DLP) solutions offer a way for companies to protect the information that is most important to them: not just the PII they are obligated to protect as part of compliance efforts with data protection regulations, but also intellectual property.

SECURITY AWARENESS AND TRAINING:

Once the right tool has been acquired, its implementation and use could assist companies in increasing user awareness of:

  • Security Incidents
  • Compliance Requirements
  • IT problems and advancements
  • Legal issues

Apart from these three, there are many other objectives that enterprises aim to achieve with a DLP solution, such as data visibility, avoiding regulatory sanctions, securing data on remote cloud systems, and more.

While it is important to include the outcomes you aim to achieve with a DLP solution, it also helps to go in with the right strategy to get the maximum benefit.

The Right DLP Strategy Involves:

  • Getting management buy-in for the solution: justify the requirement for the DLP solution in the organization with facts, trends, and POC results.
  • Proper planning and strategy, which are key to a successful DLP implementation for any organization. Some things you can look at during your planning and strategy building are:
      • Involvement of business owners & stakeholders – The right business stakeholders from various departments, who understand what information should be restricted
      • Data Flow Analysis – Understanding how data flows between departments and processes, both inside and outside
      • Data Classification – Talking to the right stakeholders to understand what data is important, where it is located and who should have access to it
      • Data Discovery – The DLP discovery engine uses crawl agents that go deep into the various data stores across the enterprise network to identify and log sensitive information and its locations, and to develop fingerprints for further use in policy

To help justify an implementation of DLP, organizations should consider both the costs/risks and the foreseeable benefits, along with regulatory and financial benefits. Businesses need to successfully mitigate information risk to be able to thrive and grow to their potential and beyond. So, it is imperative for them to choose the right organizational investments, and implementing a data loss prevention solution is one of those investments.