What is Data Loss Prevention (DLP)?

Data Loss Prevention (DLP) is a strategy put in place by security organizations that prevents the leaking and potentially malicious exfiltration of secure data. According to the Information Systems Audit and Control Association (ISACA), implementing a robust DLP solution is crucial for detecting and preventing unauthorized data leakage and sharing, thus safeguarding sensitive information.

The organization goes on to say that it’s important to know locations where data exists, along with an indication of the functional areas of where to implement or enhance applicable security and privacy controls.

Types of Data Loss Prevention

  • Endpoint DLP focuses primarily on monitoring network endpoint devices. It enables security teams to specify data that they may consider sensitive and therefore enact policies that bar that particular data from leaving the endpoint.
  • Network DLP zooms out and looks at data traveling over internal and external, cloud-based networks. When putting a network DLP strategy in place, it’s imperative to understand network protocols at a deeper level so as to avoid potential misconfiguration.
  • Cloud DLP monitors data going to and from the cloud, as it is in an especially precarious position for malicious exfiltration, once an attacker has breached a network. A security operations center (SOC) would be wise to automate much of the data leakage discovery as well as reactive DLP protocols to a potential breach.

Why is Data Loss Prevention Important? 

DLP is important for many reasons, not the least of which is the company’s bottom line. Stakeholders and/or shareholders have a vested financial interest in not seeing critical company data stolen and either held for ransom (which will cost a lot of money) or forever affect the reputation of the business (resulting in erosion of customer trust and a lot of money lost over a very short period of time).

Blocking an attacker from breaching a system or network is easier said than done, especially in the age of cloud security and operations. An effective DLP solution solves for two primary types of offenders: internal and external. Malicious actors who are also employees of a business certainly exist, but typically when an internal offender is the source of data leakage, it occurs unknowingly on the part of that source.

These days, pretty much everyone understands that sensitive information is transmitted through the cloud and back again many, many times. That’s just how we live today. More often than not, though, we don’t understand how data is transmitted or otherwise used in the organization.

Additionally, these organizations may be unaware of certain communication or workflow trends that could put an organization at unnecessary risk. For example, a business’ finance department might engage in a workflow whereby they transmit incredibly sensitive data through public communication channels like email or instant messaging.

External offenders typically know exactly what they’re doing: trying to break through the defenses of your company’s security organization and steal sensitive data and – as previously mentioned – hold it for ransom and/or sell it to the highest bidder on the dark web.

For these key reasons, it’s critical a DLP solution is able to detect when and where data is leaving and entering networks and help analysts prioritize protecting data that may be more sensitive than other data.

Causes of Data Leakage

Let's take a look at some of the top reasons data at rest or in transit might "leak" off of endpoints, systems, and networks and into the hands of bad actors. 

  • Honest mistakes: As we referenced above, company employees can also be offenders, unknowingly leaving data vulnerable in one way or another, and ultimately allowing it to leak into the hands of attackers. This could be the result of becoming an unwitting victim of a phishing campaign, reusing passwords or using unsophisticated passwords, or granting internal network access to supply chain partners or outside vendors.
  • Malware/ransomware: Attackers could have delivered malware designed to exploit a network vulnerability months ago – and had the luxury of not being discovered. In this scenario, they have the time to cherry-pick the data they wish to exfiltrate, and deliver a ransom demand for that data. And keep in mind that it might not end there; increasingly attackers are dipping into double-extortion strategies so they can try to extract the most money possible for their efforts.
  • Maintaining old data: Whether intentional or not – and if not, archived data should be stored as offline backups – maintaining data that has aged out of its usefulness can be a potential source of data leakage and a bigtime vulnerability. Even if the data is no longer useful to the security organization or company, it can still be very useful to bad actors. If an attacker manages to gain access to an endpoint, system, or network, archived data – such as old credentials or past emails containing sensitive information – could be exactly what they need to carry out an attack.
  • Cloud misconfigurations: This can also be attributable to human error, but if critical operations are, well, operating on misconfigured – and therefore inherently flawed – cloud infrastructure, then that data is exposed and therefore potentially “leaking” into multiple places like the public-facing internet or third-party servers.

What are the Benefits of a Data Loss Prevention Solution? 

The benefits of a DLP solution are clear and add up to the ability to better secure data from inadvertent exposure and theft. Let's break down a few key benefits and how they specifically affect a network. 

Increase Visibility 

The ability to monitor network endpoint devices and analyze traffic and interactions for suspicious activity will accelerate visibility of an overall environment and improve security posture. Monitoring a network for data loss can also help to eliminate previously unseen blindspots – internally and among devices connecting to a network – that were just waiting to be exploited.

Harden Networks with IAM Solutions

Identity and access management (IAM) is critical for a DLP solution and network security in general. IAM helps to ensure the right people are accessing the right endpoints or network systems. By instituting IAM policies on critical systems and endpoints, the network perimeter becomes harder to breach, which in turn can help the business remain in compliance with both internal and external regulatory standards.

Increase the Standard for Organizing and Classifying Data

Data classification should be as simple and straightforward as possible. Let's look at a tiered-structure example: 

  • Level 1: This is data for public consumption and that may be freely disclosed. 
  • Level 2: This is internal data not for public disclosure. 
  • Level 3: This is sensitive internal data that – if disclosed – could affect the company in a negative way.
  • Level 4: This is highly sensitive corporate, employee, and customer data. 

Based on this classification, it’s clear that storing the wrong data at the wrong level, or classification, could have potentially disastrous effects. If there is a situation where data of different classification levels must reside on the same server, intermixed data should be labeled and classified using the highest classification rating and thus protected accordingly. Automating this process will also help to ensure it occurs with efficiency and speed.

Data Loss Prevention Best Practices

Implementing best practices for a DLP solution will help to calibrate it to a specific environment. According to ISACA, there are many best practices that will help to ensure a DLP strategy is deployed successfully: 


  • Do not leave sensitive data unattended. 
  • Do not permit copying of sensitive data onto removable media. 
  • Provide view-only access to sensitive information. 


  • Implement a data management life cycle to organize data and manage storage and use. 
  • Regularly update data risk profiles to be aware of new threats. 
  • Standardize the endpoints to make deployment more manageable. 


  • Deploy DLP in prioritized waves for quick-wins. 
  • Start with a minimal base to handle false-positives, help identify the critical or sensitive data, and fine-tune DLP policies. 
  • Test implementation in a small, controlled unit before going full scale.

IT-restrictive controls 

  • Do not allow unauthorized devices in the network. 
  • Block files containing personally identifiable information (PII). 
  • Perform DLP discovery scanning at a desired frequency (or on demand) to audit and maintain awareness of the security status. 

Product selection

  • Check the DLP product to see if it supports the enterprise's data formats.
  • Scan data stores for sensitive information and, if necessary, take remedial action.
  • Use the DLP tool to automatically find unencrypted sensitive data, encrypt the information (Data Encryption), and remove the information or perform another remediation according to the enterprise's policies.