Data loss prevention (i.e. preventing loss, leakage and exfiltration of confidential data) is not just a technical matter – it is equally important to involve employees, as the DLP measures will not work without them. These approaches are promising.
Text: Andreas Heer, 18 June 2019, updated on 21.07.2021
It happens fast: the email sender is in a hurry, selects the wrong recipient and, before they know it, a confidential product presentation has been revealed to the outside world. Or commercial data is stored in a private online storage space – and stolen shortly afterwards during a break-in. Worse still, an employee may disclose confidential information intentionally.
As these examples show, protecting confidential company data is both complex and important. As the name suggests, data loss prevention (DLP) – also referred to as data leakage prevention – describes all measures intended to prevent unwanted loss, leakage or exfiltration of company information. Compliance requirements imposed by data protection legislation and regulations play an important role here, as breaches can lead to heavy fines. But the company’s reputation is equally important, since it helps to generate trust among customers. ‘Customers rightly expect companies to treat the data entrusted to them in a confidential manner,’ says Raffael Peluso, Head of Product Management Cybersecurity at Swisscom. A data breach can thus also result in the business losing customers.
At the same time, data is becoming increasingly important for companies as a result of digitalisation. Intellectual property stored digitally must be kept hidden from outsiders, as must a product roadmap that could give a rival a competitive advantage. Again, DLP measures are required.
The examples described above, with the wrong email recipient and private online storage, show that DLP must include a combination of technical measures, processes and employee awareness. Although it may have been technically possible to prevent dispatch of the product presentation, employees trained in handling confidential data would know that they should not send confidential files by email or use a personal cloud storage service to store them.
IBM’s Cost of a Data Breach study shows the importance of raising awareness alongside technical measures: about a quarter of all data theft worldwide in 2020 is said to have been made possible by human error. When trained employees apply their knowledge in their daily work, the error rate is minimised. In other words: awareness equals protection.
There are various ways to train employees, some easier than others. ‘I have found e-learning, such as instructional videos with test questions at the end, to be a good method,’ says Peluso. ‘The training should be accompanied by other information campaigns; for example, on the intranet.’
Preventive awareness activities such as these help to promote understanding of how to handle confidential data – and also of the necessary guidelines, processes and technical protective measures.
But you cannot guarantee complete security. If an employee has criminal tendencies, they will find a way to get around the protective measures. Raffael Peluso, too, does not have any illusions about this: ‘Like any security measure, data loss prevention is a trade-off between effort and residual risk.’
He believes that the success of data loss prevention depends on how it is implemented: ‘The measures must not interfere with day-to-day operations. Otherwise, employees will be reluctant to accept DLP and will find creative ways to bypass it.’