Blog

The Ultimate Manual to Data Loss Prevention Best Practices

Marie ProkopetsMarie Prokopets,Co-founder of Nira

Every organization in the modern era needs to prioritize data loss prevention. Following data loss prevention best practices will help ensure that your valuable data isn’t deleted or accessed by the wrong party.

Follow the tips in this guide for a comprehensive strategy to implement data loss prevention best practices.

What Are Data Loss Prevention Best Practices Anyway?

Before we dive into the best practices and strategies, it’s important for you to have a firm grasp on data loss prevention (DLP) as a whole.

Data loss prevention can be defined as a strategy or process that detects file breaches. The system is designed to monitor, detect, and block sensitive data in three distinct scenarios:

  • Endpoint actions — While the data is in use
  • Network traffic — While the data is in motion
  • Data storage — While the data is at rest

In short, data loss prevention strategies encompass every aspect of your sensitive data. From cloud and on-premises storage to data transmission and usage, it covers everything.

According to a 2021 report from IBM, the average cost of a single data breach worldwide is $4.24 million.

This average jumps to $9.05 million when looking at the United States alone. That’s why it’s so important to take data loss prevention best practices seriously.

Anything could be considered sensitive data. It all depends on your business type and industry. You’d need to protect everything from a customer list of names, phone numbers, and addresses to things like financial records or the secret formula to your new shampoo.

Data loss prevention best practices not only protect your company and customers but also keeps your organization compliant with certain regional or industry data security standards.

How Data Loss Prevention Best Practices Work

It’s common to associate data loss with hackers and cyber threats. But cybersecurity typically focuses on external threats like malware or phishing scams. This is just one aspect of protecting sensitive data.

Cybersecurity alone doesn’t account for employee negligence or insider threats, which accounts for a significant portion of data breaches. Data loss prevention best practices are designed to fill this gap.

The unique aspect of DLP best practices is that they can be tailored or customized to meet the needs of any business, industry, or compliance need. DLP best practices work for HIPAA, CCPA, PCI DSS, GDPR, and more.

It’s also worth noting that data loss prevention is synonymous with “data leakage prevention.” While the two terms can be used interchangeably, most DLP solutions on the market today use “data loss prevention” as the industry standard.

Let’s take a closer look at the basic scope you need to define for a data loss prevention strategy:

  • What data needs protection — Figure out exactly what data is sensitive and needs to be included in your strategy. This could range from trade secrets to blueprints, credit card data, and personally identifiable information. If your business is subject to any industry or regional compliance laws, those regulations must be accounted for here.
  • Locate the data — Where exactly does that data reside? Consider things like databases, cloud storage solutions, email, internal messaging apps, and more. If your staff can use personal devices to access your IT environment, you’ll need to use endpoint protection solutions to effectively apply these best practices.
  • Conditions for accessing data — Establish access controls for different types of data. For example, you could restrict certain types of data based on job title. Alternatively, you could have custom data access permissions for each individual employee.
  • Procedures for breaches — What happens when suspicious activity is detected? Who is responsible for taking these actions. You need to establish clear steps for this process, and automating this procedure is definitely a data loss prevention best practice.
  • Archiving data — Your DLP strategy should also encompass specific rules for when data gets archived. This should include an audit trail and all information about potential IT security breaches. Once archived, your system must also be protected from both internal and external threats.

Now let’s look at a simple scenario that puts these best practices to work. If you have a DLP solution in place, the process could look something like this:

  1. An employee tries to send sensitive data through an email.
  2. A rule defined in your system identifies the incident and blocks the email from being sent.
  3. The DLP solution creates a report of the incident, including the type of data that was accessed and who accessed it, before sending the report to an IT security admin.

Here are three unique examples of data loss prevention best practices applied. Each one covers a different data scenario—data in use, data in motion, and data at rest.

Example 1: HIPAA Compliance in the Healthcare Industry

According to the same IBM report we referenced earlier, the healthcare industry experienced the most costly data breaches of any industry—with an average of $9.23 million per breach.

Whether it’s at a hospital, medical center, doctor’s office, or any other healthcare facility, sensitive data is constantly being used.

For example, a nurse needs to access patient health data before providing treatment. A receptionist in an outpatient surgery office would need to access patient records to set up appointments, handle scheduling, and provide the appropriate post-operative instructions.

In these scenarios, endpoint protection solutions would be used for data loss prevention.

Software on the market can be applied to laptops, desktops, mobile phones, and other endpoints where sensitive data is being accessed on a daily basis. This helps prevent unauthorized use and transmission of patient data, which would violate HIPAA regulations.

Example 2: PCI Compliance For Credit Card Processing

Credit card processing is an excellent example of data in motion.

Each time a credit card transaction occurs, there are multiple parties associated with the sale. There are also several key pieces of data to protect, including the card number, verification code, expiration date, and cardholder information.

The transaction data is sent from the merchant to the processor. From there, the processor routes the transactional data from the acquiring bank to the issuer. It’s the issuing bank’s job to verify the available funds and either approve or deny the transaction.

That approval is sent back through the flow, from the issuing bank to the acquiring bank, to the processor, and back to the merchant.

This sensitive data changes hands multiple times in a matter of seconds. To protect this data while it’s in motion, merchants and processors must apply PCI compliance standards.

Example 3: GDPR Compliance in the EU

The General Data Protection Regulation (GDPR) was enacted in 2016. This law governs the way consumer data and privacy must be protected in the European Union.

According to the GDPR, there are two tiers of fines associated with non-compliance:

  • Less severe infringements — Fines up to €10 million or 2% of global annual revenue
  • Serious infringements — Fines up to €20 million or 4% of global annual revenue

Here’s an example that showcases data loss prevention for data at rest (data storage). The GDPR mandates that sensitive customer data cannot be stored with any unique identifiers. Things like customer names, phone numbers, addresses, and driver’s license numbers all fall into this category.

So organizations storing this data can use anonymization or pseudonymization to remove or modify any personally identifiable information associated with an individual. These practices work whether the data is being stored on-site or in the cloud.

How to Get Started With Data Loss Prevention Best Practices

Now that you understand the core concepts of data loss prevention and how it works, it’s time to put these best practices into place. The tactical steps below will put you on track to get started with a DLP strategy:

Step 1: Identify and Classify Your Most Sensitive Data

You can’t effectively apply data loss prevention best practices without first knowing what data needs to be protected. The best way to do this is by conducting an inventory and assessment of your entire organization’s data.

Depending on the size of your operation, this process can be a bit extensive.

Once you identify the data itself, then you need to determine whether or not it’s sensitive. This is the data that needs to be prioritized. Things like confidential info, intellectual property, consumer information, and financial data all fall into this category.

After classifying the data, you need to identify where the data is stored. Is it in a cloud database or physical server? How can it be accessed?

You should also assign a risk score to the data based on how sensitive it is. For example, data about employee benefits is sensitive. But losing that data carries a different risk level than a breach of 10,000 patient medical records.

Step 2: Research Data Loss Prevention Solutions

Start by evaluating your internal resources. This would likely begin with your IT security team.

From there, see if you have any existing solutions in place that can accommodate your needs for data loss prevention. There are solutions for specific components of data loss prevention, like endpoint security, and there are all-in-one systems for:

  • Network DLP
  • Storage DLP
  • Cloud DLP
  • Endpoint DLP

Whether you’re using a single solution or multiple tools, you want to make sure everything is covered. This includes file servers, databases, cloud apps, email, web apps, virtual desktops, and more.

Industry regulations and other laws must be taken into consideration here. For example, the requirements for CCPA (California Consumer Privacy Act) are very different from HIPAA (Health Insurance Portability and Accountability Act).

Some data loss prevention solutions are industry-specific for things like PCI, GDPR, and HIPAA. Others are just general tools and don’t necessarily work well for these types of requirements.

A solution for PCI DSS for a global ecommerce operation will be very different from an endpoint DLP solution in the healthcare field.

Step 3: Establish Controls For Data Handling and Remediation

Now that your data has been classified and you have a firm grasp of solutions on the market for your needs, it’s time to create the policies for handling different data categories.

Customer databases should be classified separately from intellectual property data. Each of these should have unique controls for how the data is stored, accessed, and protected.

To administer your DLP policies, you’ll need to use the solution that best fits your needs, based on the previous step. But the way those policies will be applied will vary depending on the situation.

For example, let’s say an employee is about to send a file that’s been classified as sensitive to an external source. You could have a control in place that prompts a pop-up message, asking the employee to encrypt the file before sending it. Alternatively, you could block the message entirely and notify an IT security admin.

The response for each unique situation will ultimately be based on the controls you establish in this step.

Step 4: Roll Out Your DLP System in Stages

Applying data loss prevention best practices at scale is a long-term process. So rather than trying to do everything at the same time, it’s in your best interest to roll it out in stages.

The easiest way to do this is by prioritizing your most sensitive data. This should be fairly simple once you’ve classified everything in the first step.

From there, focus on just one system, database, or communication channel. For example, you could start by protecting your cloud stage databases. Next, you could roll out a data loss prevention strategy on endpoint devices.

All of this will be based on the type of data, where it’s located, and the data’s risk score.

Step 5: Educate Employees and Stakeholders

Data loss prevention isn’t just an IT or security initiative. It’s imperative that your entire organization understands these policies and why they’re so important.

Your staff and stakeholders need to be made aware of the security policies in place.

Consider in-person training, seminars, online training, and other initiatives that prioritize employee education. You can also send out periodic emails showcasing the importance of data security, like a recent story related to a breach in your industry.

You could also potentially impose penalties for violations of your policy. Repercussions help ensure that your staff takes data loss prevention very seriously.

Incredible companies use Nira

Every company that uses Google Workspace should be using Nira.
Bryan Wise
Bryan Wise,
Former VP of IT at GitLab

Incredible companies use Nira