Data loss prevention (DLP) is one of the cybersecurity industry’s oldest categories, but it’s still a bit of an enigma as many IT professionals have a hard time describing exactly what DLP does.
DLP subdivides into two parallel streams: DLP technology and DLP strategy. DLP technology is what most people think of when it comes to DLP solutions, and while technology is an important part of preventative security, you can’t truly achieve it without strategy. Enterprises are more apt to have an established DLP strategy simply because large enterprises tend to have a stronger security maturity, and the processes, controls and in-house expertise that go along with it.
Small to midsize enterprises tend to focus on DLP technology first, as they generally face a lower security maturity ranking, restricted resources and less budget. As a result, they turn to on-premises software or cloud service providers that offer more “all-in-one” services, including DLP controls. However, resource-constrained IT teams in midsize enterprises usually don’t have the time or expertise to manage software or service provider controls, or worse, they assume the out-of-the-box configuration is the ideal configuration or that the service provider is managing it on their behalf.
I recently sat down with Anand Mohabir, Founder and CEO of cybersecurity solutions consulting firm Elteni, to talk about DLP trends in midsized enterprises.
James Mignacca (JM): Where does DLP market confusion stem from?
Anand Mohabir (AM): DLP is a blanket term that’s broadly used to describe a variety of services and platforms – it’s kind of a catch-all. The traditional definition of a DLP solution is one that protects and prevents data from getting lost or stolen, but it doesn’t always stop someone from taking data. DLP itself isn’t a product or service; it’s an approach to prevent data loss. DLP strategy includes a number of things like policies and procedures, actions and technical components like tools and technology. A lot of companies believe they’re ‘doing’ DLP because they have a DLP tool or SaaS in place, but you can’t have true DLP without having a defined strategy.
JM: Is DLP accessible to SMB?
AM: Sure – lots of DLP tools are available to small and midsized enterprises, but unfortunately DLP strategy is harder to achieve. Enterprises tend to have greater security maturity and they’ve got more dollars and in-house expertise to throw at strategy. Small and midsized businesses struggle to find dedicated expertise and outsource the function of DLP to service providers or their cloud services, assuming DLP will be covered. While teams get the licencing to implement DLP controls, they don’t end up using them because they don’t have the expertise, appetite or knowledge of how the controls will function in their environments; it’s just too challenging.
JM: What operational or security gaps does that create?
AM: It’s a big deal; for most companies, their primary goal is to protect intellectual property and personally identifiable information (PII). But by not using their tools to the fullest they’re failing that objective. There’s a misconception when it comes to large cloud service providers too – teams assume that the provider is protecting their data, but they just offer the capability. The business has ownership of actually executing the controls.
JM: Where should small and midsized businesses start? Is DLP strategy achievable?
AM: DLP strategy is achievable on a sliding scale, but businesses need to start by thinking holistically and recognizing what’s available to them in terms of capabilities, expertise and budget. Once they identify the problem they’re solving for and what kinds of data they’re trying to protect, they can get a clearer picture of the data they have and create an inventory. It all comes down to getting a handle on your data. Understanding what data you have goes a long way to protecting it. Smaller businesses struggle with the inventory piece and being able to capture all data across the network and its endpoints; that’s where a solution like Cavelo can help.
JM: Why should businesses invest in DLP strategy and technologies?
AM: At its core, DLP addresses many general areas of concern. It gives businesses of all sizes the visibility they need to support compliance requirements. From an auditing perspective, businesses need to show that they’re complying with the policies they’ve written and that they’re performing the actions required to keep data safe. A platform like Cavelo works within DLP strategy – it gives insight to where data lives on the network, its classification, the systems it’s used in, and who has access to it. Really, it helps answer a lot of questions and works in complement with other tools and technology at a defense level, and that’s the prevention piece in DLP.