Fabian Glöser, Team Lead Sales Engineering Nordics, Central & Eastern Europe at Forcepoint (Source: Forcepoint)
Many companies find it difficult to maintain control over their data, especially since employees are increasingly working remotely and using a wide variety of cloud services and AI tools. Data loss prevention (DLP) can prevent the leakage of sensitive information, but its implementation is considered complex and time-consuming. Security specialist Forcepoint explains how DLP projects can be carried out smoothly.
The amount of data in companies is growing, and with it the challenges of protecting that data. This is because data is no longer primarily stored on well-secured internal servers, but constantly flows back and forth between end devices inside and outside the company network, local infrastructures and clouds, and new AI tools. Traditional security concepts cannot keep up with this diversity and dynamism – companies must focus on the data itself and regulate in detail what can and cannot be done with it. Data loss prevention (DLP) solutions help with this. Based on Forcepoint’s experience, the following approach has proven successful when implementing such solutions:
- Step 1: Define goals and use cases
- First, companies must clarify what goals they want to achieve with the introduction of a DLP solution: Is it about protecting valuable intellectual property or meeting regulatory requirements, for example with regard to data protection? Should a secure basis for hybrid working models be created, or is the focus on the introduction of new cloud services and AI tools that should not lead to data leaks? Based on this, companies can create a risk profile that includes, among other things, the different types of data to be protected, the channels through which it can leak, and the consequences of data leaks.
- Step 2: Draw up an implementation plan
- Once it has been determined which data and channels are to be protected, a roadmap for the introduction of DLP can be defined. To do this, companies must get all stakeholders on board and clarify responsibilities, such as who will take care of installation and integration into the existing infrastructure, who will optimize policies, and who will handle incidents. Together, a schedule can then be developed that takes into account the available human resources and also allows time for testing.
- Step 3: Define guidelines and workflows
- Once the project management preparations are complete, the guidelines that the DLP solution will later enforce can be worked out. Experts from the specialist departments should be consulted to help assess the impact that data loss or theft would have. Based on this, actions can be defined for activities such as sending data by email or uploading it to the cloud. For non-critical data, logging is usually sufficient, while for other data, depending on the channel and criticality, a warning, an approval process, or blocking the action may be possible. Encryption can also be enforced, for example when saving documents to USB sticks. It is important that the actions are initiated as automatically as possible in order to relieve the security team and avoid delays for users. Only events with unknown consequences should require manual intervention: The corresponding workflows—who looks at the incident? Who decides on the measures?—are also defined in this project phase.
- Step 4: Introduce DLP and use it for monitoring
- Now comes the actual installation and configuration of the DLP solution. Before it is fully activated and the policies are enforced, it should initially be used largely passively – for monitoring only. This gives companies insight into all data movements and the potential impact of their policies. If these prove to be too restrictive, adjustments can still be made. Only policies that relate to highly critical activities, such as the mass upload of data to suspicious destinations on the Internet, should actually be enforced at this stage. In addition, it often makes sense not to start using DLP company-wide right away, but rather with a channel such as email or the cloud, with a specific department, or with a specific region.
- Step 5: Begin enforcing policies
- Once the policies have been fine-tuned, they can finally be enforced—here, too, it is advisable to proceed step by step and start with the most critical data and channels, for example. However, it is still advisable to keep a close eye on monitoring to ensure that employees are not hindered in their legitimate activities and that policies can be quickly adjusted if necessary. It is also ideal if the DLP solution does not rely on rigid policies, but takes the context of activities into account and modifies policies according to the risk. After all, it is often only the context that reveals whether an action is harmless or critical to security, for example, because the user is accessing data at unusual times or from unusual locations, or suddenly downloading significantly larger amounts of data than in their previous daily work routine.
- Step 6: Make optimizations
- Once the actual DLP implementation is complete, it is time for analysis and optimization. If, for example, certain risky behavior patterns emerge among the workforce, companies can schedule targeted training courses on this topic. In addition, the effectiveness of the guidelines should be continuously reviewed. Ultimately, data security, like DLP implementation, is not a one-time action that is completed at some point, but should be continuously optimized to keep pace with new technologies, tools, data types, and threats.
- Step 7: Deploy DLP company-wide
- The DLP implementation is completed by extending protection to the remaining data types and channels that were not yet covered in steps 4 and 5. If a modern DLP solution is used, the existing policies can be easily applied to other channels, which is why the effort involved is manageable. If necessary, existing policies can also be replicated and adapted if a channel has special requirements.
- Step 8: Extend DLP to DSPM
- Expanding a DLP solution into full Data Security Posture Management (DSPM) can significantly improve the effectiveness of policies. DSPM offers functions for automatic data discovery and data classification, so companies don’t overlook any data assets and spend less manual effort. In addition, DSPM helps to detect and eliminate excessive permissions for files, further reducing the risk of security breaches. This makes it easier to implement least privilege principles. Last but not least, DSPM also identifies data that is redundant, outdated, or unnecessary and can be deleted to reduce storage costs.
“Implementing DLP is not a mammoth project, as many companies fear,” emphasizes Fabian Glöser, Team Lead Sales Engineering Nordics, Central & Eastern Europe at Forcepoint. “A structured approach ensures that human resources are used optimally and that the project goals are not lost sight of. Modern DLP and DSPM solutions also use AI for data classification and come with a ready-made set of policies, which significantly reduces manual effort. In many projects, we have completed data discovery and classification after just two to four weeks, know what happens to sensitive data, and can enforce the first company-specific policies.”



