Why Isn’t My DLP Investment Paying Off?

It’s a common scenario: a large organization invests millions of dollars in a DLP solution, only to leave it in “watch mode” because the rate of false positives is too high to enable full blocking. The result is a DLP investment that becomes a white elephant: a promising technology that does not pay off in actually preventing data loss.

The problem often begins with an over-reliance on automated content scanning to prevent data loss. The DLP system is expected to identify all sensitive content on its own, which means IT administrators must translate business processes and policies into automated rules for every data loss scenario. That is rarely achievable in practice, and the tuning trade-off cuts both ways: rules tightened to catch everything block non-sensitive data (false positives), while rules loosened to reduce that disruption mistakenly release sensitive data (false negatives).

The impact of false positives can be just as detrimental to the business as the data loss caused by false negatives. False positives disrupt business agility and productivity, and can impact collaboration, innovation, and business growth. Moreover, false positives can actually lead to increased data loss: users who are repeatedly blocked look for alternative, less secure channels (such as personal email or removable media) to get around the restrictions and carry out their business tasks.

The best way to address this problem is for organizations to identify their information appropriately. The sensitivity of each piece of information must be identified, or ‘classified’. Information classification is crucial for proper handling, and for the ultimate security of an enterprise’s information. Classification provides context to unstructured data such as email and business documents, making it possible for DLP solutions to know how to protect your organization’s sensitive information.

While most DLP solutions offer some level of automated classification, it is critical to also engage your end users in classifying their own content. In many cases, users know exactly which information is sensitive and how it should be handled. This knowledge is based on the user’s familiarity with the subject matter, something that is not easily duplicated through automated content scanning.

There are several ways to involve users with classification, but the most common method is to prompt the user to select from a list of pre-configured categories before they can send, save, or print an email or document. For example, a user may be prompted to indicate whether the information is “Confidential”, “Export Controlled”, or “Attorney-Client Privileged” via a simple one-click interface.

By enabling users to identify information sensitivity, the organization does not have to rely solely on automated content scanning to determine what is sensitive. The originator, who knows the content best, can proactively indicate that the information is sensitive, without having to take a chance that the DLP content scanning engine will categorize it correctly.

By making classification the foundation of your information protection strategy, organizations can obtain several benefits:

1) Accuracy: Persistent classification metadata can be added to the document or email, which DLP systems can read to make more accurate and consistent decisions about a file’s sensitivity and content.

2) Accountability: Users become more accountable for data protection because they are involved in the classification decision. They become key partners in identifying sensitive information, rather than putting all the responsibility on the IT department.

3) Awareness: Classification labels can be added to emails and documents to make users aware of sensitive content. For example, a document can be clearly labeled as “Confidential” in the document header and footer.

4) Efficiency: DLP system throughput improves because deep content inspection is no longer required for documents that are already classified as sensitive or confidential.

5) Automation: DLP solutions can use classification labels to automate the application of encryption, digital rights management (DRM), and other technologies to protect sensitive information. The DLP solution can also automatically enforce policies such as preventing the copying of sensitive files to USB drives.
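The mechanism behind benefits 1, 4 and 5 (a persistent label that the DLP engine reads first, and that makes deep content inspection unnecessary for labeled sensitive content) is easy to sketch in code. The script below is an added example, not code from the original page or from TITUS or any DLP product. It assumes a hypothetical X-Classification mail header carries the user-selected label, uses the label names from the article, and falls back to two constructed content detectors (a Luhn-checked card-number pattern and a US SSN pattern) only when no sensitive label is present. The sample messages are constructed, not real traffic.

```python
"""Label-first DLP policy evaluation for email (added illustrative example)."""
import re
from email import message_from_string
from email.message import Message

# Hypothetical header carrying the user-selected classification label.
# Real products use their own metadata fields; this name is an assumption.
CLASSIFICATION_HEADER = "X-Classification"

# Sensitive labels (names taken from the article) and the action each drives.
# A message carrying one of these is acted on from the label alone; anything
# else (no label, or a non-sensitive label such as "Public") is content-scanned.
LABEL_POLICY = {
    "Confidential": "encrypt",
    "Export Controlled": "block",
    "Attorney-Client Privileged": "encrypt",
}

# Constructed content detectors used only for the fallback scan.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_content(text: str) -> list:
    """Fallback content inspection; returns the names of the detectors that fired."""
    hits = []
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        hits.append("credit_card")
    if SSN_RE.search(text):
        hits.append("ssn")
    return hits


def _body_text(msg: Message) -> str:
    """Collect the text/plain content of a parsed message (all parts if multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def evaluate(raw_message: str) -> dict:
    """Decide allow/encrypt/block: label first, content scan only when no sensitive label."""
    msg = message_from_string(raw_message)
    label = (msg.get(CLASSIFICATION_HEADER) or "").strip()
    if label in LABEL_POLICY:
        # Persistent label present: act on it, no deep inspection required.
        return {"action": LABEL_POLICY[label], "reason": "label:" + label,
                "scanned": False, "hits": []}
    hits = scan_content(_body_text(msg))
    return {"action": "block" if hits else "allow",
            "reason": "scan:" + (",".join(hits) or "clean"),
            "scanned": True, "hits": hits}


# Constructed sample messages (not real traffic).
LABELED_EXPORT = (
    "From: eng@example.com\r\nTo: partner@example.net\r\n"
    "Subject: drawings\r\nX-Classification: Export Controlled\r\n\r\n"
    "Drawings attached as discussed.\r\n"
)
LABELED_CONFIDENTIAL = (
    "From: fin@example.com\r\nTo: cfo@example.com\r\n"
    "Subject: Q3\r\nX-Classification: Confidential\r\n\r\n"
    "Draft numbers inside; card on file 4111 1111 1111 1111.\r\n"
)
UNLABELED_CARD = (
    "From: sales@example.com\r\nTo: cust@example.net\r\nSubject: order\r\n\r\n"
    "Charged card 4111 1111 1111 1111, thanks.\r\n"
)
UNLABELED_CLEAN = (
    "From: a@example.com\r\nTo: b@example.com\r\nSubject: lunch\r\n\r\n"
    "Lunch at 12:30? Order #1234567890123456 is the fake one.\r\n"
)

if __name__ == "__main__":
    for name, raw in [("labeled export", LABELED_EXPORT),
                      ("labeled confidential", LABELED_CONFIDENTIAL),
                      ("unlabeled with card", UNLABELED_CARD),
                      ("unlabeled clean", UNLABELED_CLEAN)]:
        print(f"{name:22s} -> {evaluate(raw)}")
```

Two design choices are worth noting. Only sensitive labels short-circuit inspection; an unlabeled message, or one a user marked non-sensitive, still goes through the content scan, so a mislabel toward "Public" cannot silently bypass the engine. And the fallback card detector validates the Luhn checksum before firing, so an order number that happens to be sixteen digits long is allowed rather than blocked, which is exactly the kind of false positive that keeps DLP stuck in "watch mode".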

These benefits help make the DLP solution more effective, and will enable organizations to take their DLP out of “watch mode”, and into what Aberdeen calls “Adapt/Protect” mode. An Adapt/Protect approach provides active, fine-grained controls to enforce security policy. Rather than just monitoring security violations, or going to the other extreme of blocking anything that looks sensitive, an Adapt/Protect approach applies appropriate protection without disrupting business productivity. According to Aberdeen, accurate classification of sensitive data is an important part of this approach.

TITUS provides a number of data classification solutions that help organizations identify and classify sensitive data, including:

When combined with a DLP solution, the TITUS classification solutions make DLP more effective and efficient. With user-based classification as a first step, DLP solutions can leverage TITUS classification metadata to enforce consistent, fine-grained permissions over sensitive information. No longer do you have to leave the security of your most important corporate asset – your information – to machines and the IT department. The result is a DLP solution that truly prevents data loss, without compromising business productivity.
