DLP Myth #3: You can “buy” DLP
Many organizations considering data loss prevention focus on technology to address the need. While you can “buy” DLP enforcement technologies, data loss prevention is more than a product. Data loss prevention is a process and one step in that process is the purchase and deployment of technologies to enforce an organization’s data protection strategy.
Some people think I'm splitting hairs with this thinking; however, after having seen dozens of good and bad DLP strategies, I'm convinced my argument is sound.
Since DLP is a process it’s important not to get caught up only in the technology side. For many companies, this is a real tendency because many DLP projects are handed off to IT to deal with as an IT problem. The reality is that data loss prevention is a risk management and compliance problem that happens to utilize technology as a major method of policy enforcement.
Because it's a process, it's important to complete each step. Like the proverbial three-legged stool, leaving out one step can lead to serious negative consequences.
At DLP Experts, we promote a five-step process to our customers for a successful data loss prevention initiative:
- Assess. Assess the current situation, identifying critical data and major concerns.
  - What data should be protected?
  - Where is the data located?
  - Who should have access to this data?
  - What are the major data leakage points?
- Create. Create a comprehensive data protection plan and written data protection policy.
  - Use the data from the assessment as a guide.
  - Prioritize your critical data and start with a policy to protect that first, building out to other key data.
  - Your data protection plan is dynamic; you can always update it in the coming months.
- Promote. Promote the data protection plan and policy among all employees, contractors and vendors.
  - This is the single most important step in protecting critical data. Most data breaches are unintentional, so getting staff to be vigilant is key.
  - Get signed acknowledgement from employees that they understand the policy, and the consequences for failing to follow it!
  - Consider formal training.
- Enforce. Implement technologies to enforce the data protection plan and policy.
  - Consider all existing technologies in your network. You likely already have some elements of DLP in your arsenal: encryption and email content filtering are fairly common. Make use of them.
  - Configure enforcement technologies to mirror your new policies as closely as possible.
- Maintain. Maintain and update plans and policies based on changing business needs.
  - Monitor enforcement technology reports.
  - Conduct regular extrusion testing.
  - Provide annual data protection training.
The next time someone in your organization says, “We need to buy DLP,” make sure they read this! 😉