The Ultimate Manual to Data Loss Prevention Methods

For many modern businesses, data is arguably their most valuable commodity. Unfortunately, many companies fail to take the steps necessary to guard their data as stringently as they should.

We’ll introduce the concept of data loss prevention methods and some of the ways businesses can use them to prevent data breaches.

What Are Data Loss Prevention Methods Anyway?

Data loss prevention (DLP) methods are techniques a business or organization employs to protect data. Often, this involves using data loss prevention software in conjunction with the work of network administrators and technicians.

Even though the word “loss” is in the name, these DLP techniques focus on preventing cybercriminals from stealing the data through data breaches. They also work to prevent employees and others on the company network from moving data off the network without authorization.

By deploying DLP methods, organizations will improve the security of their networks. At the same time, network administrators will have the ability to monitor the use of data, ensuring no one has improper access to certain types of data.

One key aspect of data loss prevention systems involves scanning files and data to determine the most sensitive items. The network administrator then can use DLP software to provide extra protection for those items.

How Data Loss Prevention Methods Work

When an organization chooses to deploy a data loss prevention method, it’s primarily seeking to accomplish two things: Identify sensitive data that needs protecting and then protect that data.

If the business’s DLP method does not accomplish these two tasks, it will not operate as efficiently as it should. Many of the best data loss prevention software will handle these two tasks for the organization automatically.

Rather than trying to plug a hole after a cybercriminal exploits a data or security breach, data loss protection methods look to find holes first. Ultimately, DLP methods will try to catch potential problems before threat actors do.

Identifying Data That Needs Protection

By automating the process of identifying sensitive data, the data loss prevention system ensures that no data or documents slip under the radar.

Network administrators can use DLP software to create a set of rules to determine which types of data fit the profile of being sensitive and needing protection. The software can use rules that take into account:

  • Context analysis studies the properties of files on the network to determine whether they need extra protection under the DLP rules.
  • Content awareness studies the actual content of files on the network, attempting to determine whether the file contains sensitive information.

Taking Steps to Protect the Data

Once the rules about protecting the data are in place, it’s time to implement the data loss prevention methods. These methods involve:

  • Monitoring, where the DLP system monitors the network for potential violations of security policies more so than for outright data breaches. DLP methods attempt to catch potential security problems before a cybercriminal can exploit them.
  • Alerts, where the DLP system alerts network administrators about issues it finds during the monitoring phase.
  • Actions, where the DLP methods may automatically deploy security controls or cut off access to the network while the administrators decide what to do. These automatic actions will often be temporary, as network administrators should have the final say on any changes to data security rules for the network.

Here are a few examples of how businesses can use data loss prevention methods to accomplish specific tasks related to protecting data.

Example 1: Identify Sensitive Data

To allow the data loss prevention system to work most efficiently, the business shouldn’t try to protect every file at the same level. Instead, it’s important to determine which files contain sensitive data and need the highest levels of protection.

By giving these files extra protection, cybercriminals will have far less opportunity to find them, gain access to them, and exploit them.

Understand that the files with sensitive data that are receiving this extra level of protection will be more difficult for employees to access and use. Some employees will need to make special requests of network administrators to be able to use the files.

For this reason, network administrators won’t want to just randomly protect all files. Files without sensitive data should remain easily accessible for employees so that they can work efficiently.

How to Determine Files Containing Sensitive Data

Organizations that deploy DLP software can use the software to scan files on the network. Through the scan, the software will look for sensitive data and classify the files accordingly.

Network administrators can create rules for the software to follow regarding sensitive data. Different businesses may have different thresholds for determining sensitive data.

Businesses that must follow HIPAA guidelines may have access to protected health information (PHI) that requires extra protection, for example. Other types of data that may be sensitive include:

  • Social Security numbers
  • Credit card numbers
  • Intellectual property
  • Contact information for customers and vendors
  • Passwords and login data

Example 2: Find and Monitor the Location and Usage of Sensitive Data

With the files containing sensitive data identified, network administrators then need to keep track of them.

These files could exist in a number of locations associated with the business network, including on the local network servers, in cloud storage, or on mobile devices that employees use.

How to Set Up File Usage Rules

As part of the DLP method, network administrators should determine exactly where team members can use these files.

For example, some organizations may not want to allow these files to leave the on-premises server. Others may allow the use of the files anywhere, but they will want DLP software to watch all movement of the files.

How to Use Access Control Lists

Part of deploying a DLP system may involve creating access control lists. These are rules that specify which employees may access specific sensitive files.

To simplify this process, the administrator can create groups of employees, depending on the level of access to sensitive data. With several groups created, the administrator can assign access rules for sensitive data to the group rather than assigning file rights to each user individually.

Only the most trusted employees who must have access to files with sensitive data should receive permission to access these files.

Example 3: Educate Employees About DLP

Network administrators will need to educate employees about how the DLP system should work as part of creating access control lists.

Without an education process, administrators may find that employees become frustrated when they can’t access specific files. This can result in unnecessary support tickets and questions for those running the network.

If they don’t understand why the access control lists are in place, employees may go rogue and try to work around the data protection protocols to access the files they want. If the employees are successful, this could cause a weakness in the DLP system, leading to a potential data breach.

Other times, the employees may not even realize they’re violating security protocols. Once they receive information about how the data loss prevention system works and why it is in place, they frequently will stop the behavior on their own.

Network administrators could hold meetings or education classes to inform employees about the DLP system. They also may create documentation to deliver the information to employees.

How to Add System Prompts

In addition to the educational materials, network administrators could generate system prompts as part of the network. These could create an on-screen alert box when an employee in an unapproved access control list group tries to open a sensitive file.

By seeing the alert, the employee should realize the mistake and stop attempting to access the file independently.

The combination of education and system alerts can significantly reduce risks from insider errors for sensitive data.

Example 4: Set Up a Response Team and Plan

As part of the data loss prevention system, the business should create a DLP response team. Team members can include network administrators or data analysts. The team should respond to issues involving data loss prevention, including alerts that DLP software generates.

Some businesses may want to create a separate team that decides how to implement data loss protection methods. This team can determine the policies the company intends to follow.

The decision-making team should consist of executives inside the company, along with some network administrators. Having a mix of policymakers, company stakeholders, and technically savvy people on this team typically provides the best results.

Hiring a service provider specializing in DLP is a smart idea for small businesses that can’t oversee the DLP methods.

How to Respond to Incidents

The best way to ensure successful results with the DLP method is to investigate all potential issues. DLP system teams certainly don’t want to receive so many potential alerts that they develop alert fatigue. But they also don’t want to miss a potential data breach because they did not take an incident report seriously enough.

Creating an incident response plan that deals with DLP issues is the best option. It should contain all the steps the team should follow after receiving an alert about a potential event involving the business’ data loss protection system.

With a clear plan to follow, those working on the response team don’t have to make individual decisions about handling specific incidents. They simply have to act.

Example 5: Determine Rules for Archiving and Deleting Files

Finally, a vital aspect of any DLP method must include rules for determining how to archive and delete files containing sensitive data.

The data loss prevention strategy should contain information about how the system will track sensitive files that enters the archive. In some scenarios, once a file enters an archived status, it no longer receives the highest level of protection or monitoring. This lack of active monitoring could cause the file to end up in unintended hands, and the system administrators may not even realize it.

The same potential problems could occur with deleted files. Unless the system administrator requires that all deleted files go through extra steps to ensure a complete deletion and shredding of the data, a cybercriminal could recreate the deleted file. If the DLP system stops monitoring or tracking deleted files, the administrators may have no idea when someone attempts to reinstate a deleted file.

Setting up a policy regarding the treatment of deleted and archived files that contain sensitive data can help businesses avoid potential data loss issues.

How to Get Started With Data Loss Prevention Methods

One of the most common ways to begin deploying data loss prevention methods is through the use of DLP software.

Data loss prevention software works proactively. It monitors the network for potential areas where data breaches could occur. It often puts artificial intelligence into use to keep an eye on the actions and performance of the network.

Here are the basic steps required to begin using data loss prevention software. We’ll use McAfee Total Protection as an example when spelling out the steps to use.

Step 1: Activate the DLP Software Account

The majority of data loss prevention software tools run from the cloud. Some also may have an on-premises option.

After signing up for the software, customers can begin using it immediately through the cloud.

With McAfee Total Protection, customers will monitor the settings of the software through the McAfee Security Center.

Step 2: Set Up Automated Scans

DLP software can automatically monitor the system, seeking potential problems that could lead to a data breach.

For a business network, running a constant automated scan frequently will be the best option. These scans can monitor the network for potential malware infections that could create security problems for files.

However, for networks that have performance issues already, a constant scan may cause a slowdown in performance. In instances like this, setting up scheduled scans once a day or once every several hours may be the better choice.

With Total Protection, customers can set up the software to run constant scans or scheduled scans.

As an additional level of real-time automated protection, Total Protection will provide safety ratings of web pages. This warns employees of dangerous websites as they’re preparing to visit them. It will automatically monitor the email system for phishing attacks that could lead to malware infection as well.

Step 3: Set Up Data Protection

The primary function of data loss prevention is to protect the business’ files and data.

In this step, network administrators can set up rules for the DLP software to protect files and documents. Most software packages will protect data stored locally on the network’s servers, data stored in the cloud, data stored on mobile devices connected to the network, and data in transit among these locations.

With McAfee Total Protection, the software can perform these features. Additionally, it will create a secure vault on the network that provides an extra layer of protection for sensitive files.

Step 4: Shred Sensitive Files After Use

When users delete files from the company network, those files may not completely disappear. Instead, they may still be recoverable for those who have the know-how to find and restore them.

If these files contain sensitive data, it’s important to take additional steps to ensure that complete deletion occurs.

Data loss protection software often can take the extra steps to ensure a full deletion. With Total Protection, the software uses its Shredder feature to scramble the bits of data that make up the file to make it unrecoverable.

How to Protect Your Data with Real-time Access Control

Nira is a real-time access control system that provides visibility and management over who has access to company documents in Google Workspace, with more integrations coming soon.

Need help reviewing your current setup or implementing new access controls for the data you already have? Contact us for a demo.

Incredible companies use Nira

Every company that uses Google Workspace should be using Nira.
Bryan Wise
Bryan Wise,
Former VP of IT at GitLab

Incredible companies use Nira