By Ben Kast   /   Feb 2nd, 2021

Top 3 Strategic Data Loss Prevention (DLP) Mistakes

Considering how hot a topic Data Loss Prevention (DLP) continues to be in information security, it’s been my experience as a security practitioner that very few organizations have it on lockdown. At the same time, it’s been my experience that many organizations have it toward the top of their security to-do lists but struggle to make meaningful headway in accomplishing their DLP goals. Over the last six years I’ve worked with organizations in banking and finance, healthcare, biotech, security, and technology, and have witnessed time and again the same obstacles to achieving these goals across the board. I’ve found the biggest mistakes are in the strategic thought process behind the DLP implementations. Let’s look at these strategic DLP mistakes and what to do instead.

Top 3 Strategic DLP Mistakes

Mistake #1: Thinking in terms of solving the problem with a “product.” Sure, DLP software products are needed to produce effective DLP coverage. But the product is the last layer of a multi-layered problem. If you have not built the foundational layers (compliance and regulatory requirements, data management risk, data classification and labeling, data ownership, retention, and overall data management), no product is going to save the day. If anything, it will open your organization up to increased risk of being fleeced by silver-tongued sales hustlers.

Which brings me to my central argument: for an organization of any stripe to actualize its DLP goals, it must treat DLP as an organizational process, and a multi-pronged one at that. This is consistent with the common refrain among security practitioners that “DLP is the last layer of defense.” That is, you have to get a number of other information security ducks in a row before DLP will produce greater data security for your organization. The efforts that result in effective DLP processes are in large part the primary pillars of a good information security program and culture, something every organization should strive toward.

Mistake #2: Not driving the DLP initiative from the top down while also including, and factoring in input and guidance from, major stakeholders. DLP is not something the geeks in IT and security are going to magically solve on their own. It requires commitments and oversight from across the organization. For example, you need to understand your compliance and regulatory data obligations, which requires involvement and ownership from legal and compliance team members. You also need a proper understanding of your data management risks, which requires the risk managers and data owners. If you don’t have a handle on these items, it’s unlikely you’ll have a data classification policy that covers your compliance, regulatory, and data management obligations and your risk profile. And if those areas aren’t covered, it’s highly unlikely your IT and security team members will place controls on systems and data stores that sufficiently reduce those risks. If these foundational areas of information security haven’t been addressed, how are you going to introduce DLP policies, data labeling, and metadata meaningfully into your environment? You won’t. More than likely you will move forward paying for underutilized DLP features and wonder why your DLP goals stay out of reach, all while stressing already taxed IT and security team members with unrealistic goals.

Mistake #3: Not being intentional with your data management. You can address the first two obstacles at a superficial level, but if that doesn’t result in an extremely intentional focus on data management and strict adherence to policy and your organization’s risk profile, it’s all for naught. The good news is that the more intentional you get with your data management, whether on premises or in the cloud, the more effective and mature your DLP and your overall information security program will become. Conversely, if you lack intentionality in data management, no amount of spending on DLP products will make DLP an effective security process. Return to the fundamentals:

  • Ensure your data is accurately classified and labeled according to your data classification policy.
  • Ensure that every system storing private or classified information, structured or unstructured, is treated as critical: inventoried and accounted for, and held to your strictest standards for role-based access control, encryption, redundancy, and logging. That is, cover your ass (CYA) with respect to confidentiality, integrity, and availability (CIA).

If you are intentional with your data management then your pathway to architecting DLP as an organizational process will be clear.
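As an added illustration of why a DLP rule is “the last layer,” here is a small Python example. It is not part of the original post and not an LMG Security tool; the classification rules, label names, data stores, sample records, and the product’s “allow unlabeled data” default are all constructed for the example. It runs the same label-driven egress rule twice: once over data nobody has classified, and once after a classification pass. The rule is identical both times; only the foundational work changes the outcome.

```python
"""Toy label-driven DLP egress check, run before and after a classification pass.

Added illustration for this post; it is not LMG Security code or a real DLP
product. The classification rules, labels, data stores, records, and the
'allow-if-unlabeled' default are all constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed classification policy: labels ordered by sensitivity.
LABEL_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed, deliberately simple detectors (label, pattern). A real policy
# comes from legal/compliance and the data owners, not from a regex list.
CLASSIFICATION_RULES: List[Tuple[str, re.Pattern]] = [
    ("restricted", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),          # SSN-shaped
    ("restricted", re.compile(r"\b(?:\d[ -]?){13,16}\b")),          # card-number-shaped
    ("confidential", re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.I)),   # medical record number
    ("confidential", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")),   # email address
]

# Constructed DLP egress rule: only these labels may leave the organization.
EGRESS_ALLOWED = {"public", "internal"}


@dataclass
class Record:
    store: str                   # the system that holds the data (inventory entry)
    content: str
    label: Optional[str] = None  # None means the record was never classified


def classify(record: Record, rules=CLASSIFICATION_RULES) -> Record:
    """Label a record with the most sensitive label whose detector matches.

    Anything with no match defaults to 'internal' rather than 'public', so an
    undetected pattern fails toward the more restrictive side.
    """
    best = "internal"
    for label, pattern in rules:
        if pattern.search(record.content) and LABEL_RANK[label] > LABEL_RANK[best]:
            best = label
    record.label = best
    return record


def egress_decision(record: Record, unlabeled_default: str = "allow") -> str:
    """The DLP product's rule: it can only act on the label it is given.

    Unlabeled data falls through to the product default. Deployments often
    leave that at 'allow' so the tool does not break business traffic, which is
    exactly how unclassified sensitive data walks out under a 'working' DLP policy.
    """
    if record.label is None:
        return unlabeled_default
    return "allow" if record.label in EGRESS_ALLOWED else "block"


def egress_report(records: List[Record], unlabeled_default: str = "allow") -> Dict[str, str]:
    """Map each store to the egress decision for its record."""
    return {r.store: egress_decision(r, unlabeled_default) for r in records}


def unclassified_stores(records: List[Record]) -> List[str]:
    """Stores holding data that nobody has labeled: the coverage gap to close first."""
    return sorted({r.store for r in records if r.label is None})


# Constructed sample data: (store, content). None of these are real records.
SAMPLE_DATA = [
    ("hr-fileshare", "Employee SSN 123-45-6789 for payroll onboarding"),
    ("crm-db", "Customer contact: jane.doe@example.com, renewal due Q3"),
    ("ehr-export", "Patient MRN: 00457812 discharge summary attached"),
    ("marketing-site", "Press release: new office opening downtown"),
]


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Run the same egress rule over unlabeled and then labeled copies of the data."""
    unlabeled = [Record(store, content) for store, content in SAMPLE_DATA]
    before = egress_report(unlabeled)            # every record is allowed out
    labeled = [classify(Record(store, content)) for store, content in SAMPLE_DATA]
    after = egress_report(labeled)               # sensitive stores are now blocked
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for store in sorted(before):
        print(f"{store:15} unlabeled={before[store]:5} labeled={after[store]}")
```

Two design points carry the article’s argument. First, the egress rule never changes; with no labels it allows everything, and flipping its default to “block” instead simply blocks all business traffic, so neither setting substitutes for classification. Second, `unclassified_stores` is the inventory view: it tells you which systems still hold data nobody has labeled, which is the data management work that has to happen before the product can do anything useful.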

To conclude, DLP can be viewed as the product of a strong information security program and culture. There is a lot of truth to the adage that “DLP is the last layer of defense.” Making that layer possible requires an intimate knowledge and management of organizational data and of the systems that retain it. Weaknesses in these areas will perpetuate gaps in DLP coverage. The focus needs to be on data management fundamentals and the DLP processes built on top of that foundation. Don’t be overwhelmed by this; each step toward being a better steward of your organizational data is a win. You will not only save money in pursuit of your DLP goals, you will mature your entire information security program as you architect and implement an effective DLP process.

Do you need help integrating your DLP goals into your cybersecurity plan? LMG Security offers a broad variety of cyber security services to help address your cybersecurity challenges. Contact us to learn more.

About the Author

Ben Kast

Ben Kast is a Principal Consultant at LMG Security. He has conducted penetration testing engagements for companies ranging in size from multi-billion dollar publicly traded companies to small and medium sized organizations. He has over 20 years of IT experience that includes software product development, project management, implementation and consulting. He has a degree from the University of Montana, and is a GIAC-certified penetration tester (GPEN).