The Ultimate Manual to Email Data Loss Prevention

Although businesses face a number of different threats to the integrity of their data, one of the most dangerous threats comes from the use of email. Employees use email so often and for so many tasks, including file sharing, that they may become complacent to the security measures they should follow.

Deploying an email data loss prevention system can help organizations fight back against this threat to the security of sensitive data.

What Is Email Data Loss Prevention Anyway?

An email data loss prevention (DLP) system will monitor a company’s email system for the usage of sensitive data. The system actively and automatically scans the network. The system attempts to ensure that employees are properly protecting and using the data, in accordance with the organization’s email and data security policies.

Having an email DLP system in place can protect the business from a few different threats related to using data in email messages, including:

  • Malicious threats from those inside the organization who send stolen data via email
  • Hackers stealing data from an email message on the network
  • Messages with sensitive data sent to the wrong person
  • Files with sensitive data attached to the wrong email message
  • Employee not realizing a file contains sensitive data and sending it via email

Understanding What Qualifies As Sensitive Data

Sensitive data is any information that a company uses as a regular part of its work, but that other people and third parties should not see.

Non-authorized people and parties who gain access to an organization’s sensitive data could use it to exploit the organization, steal the organization’s intellectual property, or learn private information about a customer or client.

Governmental entities enact regulations and laws designed to force companies to take steps to protect this data when it belongs to another person or party. Allowing regulated sensitive data to fall into the wrong hands during a data breach could lead to financial penalties.

Some types of sensitive data include:

  • Personally identifiable information, such as Social Security numbers and driver’s license numbers
  • Customer passwords and usernames
  • Protected health information (PHI), including health status information and genetic data
  • Educational records
  • Credit card information and account payment information
  • Financial institution account information
  • Information used as part of generating a credit report

How Email Data Loss Prevention Works

If an average employee sends around a dozen emails per business day, that’s equal to about 250 emails per month. Multiply that by 100 employees, and it’s easy to see the huge volume of email messages an organization generates that could be carrying sensitive data.

With an email DLP system in place, it will attempt to watch all incoming and outgoing email messages for the use of sensitive data. The primary functions an email data loss prevention system will perform include:

  • Actively monitoring incoming email messages
  • Actively monitoring outgoing email messages
  • Flagging email messages with unusual usage of sensitive
  • data
    Blocking email messages with unusual usage of sensitive data
  • Deleting email messages with clear violations of the DLPs system’s policies regarding usage of sensitive data

When deploying email DLP software, an organization is able to save money versus having system administrators manually monitor the system. The email DLP system will automatically perform many of the required functions. It will generate alerts as needed for system administrators.

The automation allows the organization to spend its security budget in areas where it receives the best return on the dollar.

Here are a couple of specific examples of how companies may make use of an email data loss prevention system.

Example 1: Protecting Sensitive Data From Inbound Threats

A significant threat to businesses and their sensitive data will come from hackers sending emails to employees. These email messages typically originate from fake accounts that attempt to mimic a legitimate email message from a client or customer.

Hackers will set up these fake accounts to generate email messages randomly and automatically. They may send thousands of these messages, but they only need to fool one employee to have success.

With email DLP software up and running, the system can scan for these types of messages, blocking them completely or quarantining them until a system administrator can further examine them. As a further step, system administrators can tell the email DLP software to block all messages from a certain domain.

Two of the most common threats that inbound messages can generate are phishing and spear phishing.


Phishing emails are those that attempt to trick employees to share sensitive data through fake emails. Phishing messages attempt to seem real, giving them a better chance of fooling the employee.

With a phishing email, the hacker may hope that the recipient will click on a link that installs malicious software on the company network or on an employee’s laptop.

Another option is a phishing email that asks the employee to click on a link that jumps to a fake website. The employee then may receive a request to enter sensitive data into a form on this fake website, causing a data loss.

Sometimes, the hacker simply wants the employee to reply to the fake email request and send sensitive data over email that the hacker can exploit.

Email data loss prevention software should scan all incoming messages to look for links that could indicate a phishing scam. Additionally, the DLP software should monitor any email responses from employees, monitoring the messages for sensitive data that should not be in the message.

Spear Phishing

A spear phishing email message is one that targets specific employees, meaning this type of attack uses a bit more sophistication than a general phishing attack.

It may use data that the hacker obtained about the employee in a previous attack. The hacker also may send the fake email from an account that the employee is more likely to trust. By personalizing the data in the malicious email, the hacker hopes that the employee will fall for the attack.

Ultimately, spear phishing attacks seek the same end results as general phishing attacks. They hope the employee will click on a link to a fake website or share sensitive data.

Because spear phishing attacks have a high level of sophistication, using a combination of email DLP software and education for employees about this threat will deliver the best results.

Example 2: Protecting Sensitive Data From Outbound Threats

Another potential threat that could violate a company’s policies regarding the sharing of sensitive data comes from outbound email messages. Typically, a few types of threats exist with outbound email messages.

Accidental Data Violations

With the huge number of outbound emails that businesses generate on a daily basis, mistakes are bound to happen. Mistakes that involve sending sensitive data while violating the company’s DLP rules are potentially disastrous to the company. These mistakes could result in significant fines. They could cause customers and clients to lose faith in the company.

Multiple types of human error can lead to losses of sensitive data through email, including:

  • Messages containing sensitive data sent to the wrong email recipient
  • Accidentally using the Reply All button when sending sensitive data
  • Attaching the wrong file to an email message, where the file contains sensitive data
  • Sending sensitive data through a personal email address, rather than using the company network where email DLP software monitors the messages
  • Failing to understand that the company classifies certain data as sensitive when sending it via email

To work to reduce these types of mistakes and accidental violations of the company’s data loss prevention policies, education is highly important. When employees understand common errors they could make when sending emails, they may be more aware of watching for these errors.

Additionally, system administrators can set up the email DLP software to watch for these types of common errors. The software may be able to learn the habits of certain employees. Then, when a particular employee sends a message to an uncommon email address, the DLP software may flag the message as potentially containing an incorrect recipient.

The email data loss prevention software also can monitor the information in the outgoing messages, looking for sensitive data. When it finds such a message, it can generate an alert and quarantine the message until a system administrator signs off on sending it.

Malicious Data Violations

Some employees or others with access to the company network may purposefully generate outbound email messages with sensitive data included.

Perhaps an employee chooses to try to steal sensitive company data, such as intellectual property, to sell to a competitor. Another threat comes from an employee who is preparing to leave the company and decides to send sensitive customer data to help with a new job.

This insider threat can be tough to catch, especially if the employee is highly familiar with how the system operates. Active email DLP software should be able to catch situations where an employee suddenly begins sending emails with large amounts of sensitive data, as this could indicate a data theft occurring.

Purposeful Data Violations

Finally, employees may steal sensitive data on purpose, even if they don’t intend to harm the company with it.

For example, an employee who wants to work on a presentation at home may email some files to his or her personal email address. If these files contain sensitive data, this is a violation of the company’s policies. The employee likely knows about the policies but chooses to ignore them.

Once this sensitive data leaves the protection of the company network, it becomes vulnerable. The employee likely doesn’t have the same level of system protections in place on a home computer as the company has on its network, leaving the data potentially in peril.

To combat this type of violation, businesses can use a combination of education and email DLP software settings. The DLP software can monitor outgoing messages for unusual recipients, while also scanning messages for attachments with files containing sensitive data.

Further, by educating employees about the danger of using sensitive data outside the company network, the business hopefully can prevent employees from taking this risk.

How to Get Started With Email Data Loss Prevention

To create an email DLP system, an organization will want to begin by using email DLP software and following a few different steps.

Step 1: Selecting Email DLP Software

Companies can select among numerous software packages that can monitor the email network for the use of sensitive data. Email data loss prevention software automates most of the processes for monitoring email messages.

Some email DLP software options run in conjunction with a DLP software package that protects sensitive data across the entire network. Others only monitor incoming and outgoing email messages and attachments.

Many types of email DLP software tools will operate from the cloud, rather than running off a local installation. Others may provide either a cloud-based or an on-premises installation option.

Network administrators will have to determine which of these features will best meet their needs and usage patterns.

Step 2: Creating Email DLP Software Policies

System administrators then need to configure the settings in the email DLP software to reflect the organization’s policies regarding security measures for sensitive data.

If the organization already has a data loss protection system in place for data stored on the network, administrators may be able to simply migrate those policies to the email DLP software.

If the organization has no DLP policies in place, it may want to create an oversight team to create policies and rules to use for data loss protection systems. This type of team should contain a cross-section of people throughout the organization to ensure the final policy receives ideas from all departments.

By including ideas and by taking into account the desires of multiple departments in the company, the level of buy-in from all employees should be high.

Step 3: Setting Up the Email DLP Software

With the DLP policies created, the administrative team then can set up the software to begin using them. Email DLP software should have settings that allow organizations to:

  • Determine what kinds of data to classify as sensitive
  • Tell the DLP software how to handle violations in email messages
  • Generate alerts when the email DLP software measures certain occurrences
  • Automatically block or suspend email accounts that violate the DLP policies
  • Quarantine incoming emails that may contain sensitive data

Most types of email data loss prevention software can generate logs that list any violations. This allows system administrators to review the performance of the DLP system at a convenient time.

Administrators may want to set up the software to only generate alerts when certain types of violations or major violations occur that necessitate an immediate response. They then can review other, minor violations on the logs later.

Step 4: Responding to the Email DLP Software’s Alerts

As part of the overall email data loss prevention policy the company has, it should specifically tell system administrators how to respond to alerts from the software. With instructions in place, administrators cannot decide on their own to ignore alerts, which could lead to data loss.

The organization may find after several days or weeks of using the email data loss prevention software that its original policies and settings are too restrictive. If the system generates too many alerts, system administrators won’t be able to keep up with all of them, creating weaknesses and vulnerabilities.

DLP system overview teams should be ready to make changes and tweaks to the email DLP software as needed to reflect real-world results.

Step 5: Educating Employees and Team Members

Creating an educational package for those who will be sending and receiving emails is another key step to a successful implementation of an email DLP software package.

When employees understand the importance of protecting sensitive data and how they should use this data in email messages, they’ll be more likely to follow the rules willingly.

Without an education system in place, employees may become frustrated when they try to send an email message but receive an alert from the system about a violation. Some employees will generate unnecessary service tickets when they receive violation alerts. Others may try to work around the email DLP software’s rules, placing sensitive data at risk.

The education plan can involve generating documentation about how the email DLP software and system will work. It also could involve classes and meetings that give employees the information they need.

Incredible companies use Nira

Every company that uses Google Workspace should be using Nira.
Bryan Wise
Bryan Wise,
Former VP of IT at GitLab

Incredible companies use Nira