Data loss prevention (DLP) is a powerful technology that can protect organizations against disclosure of sensitive information by employees, contractors, or other authorized (or unauthorized) users. The best DLP tools automatically discover information, classify it, and use warnings, challenges, or service denials to prevent people from doing things like downloading sensitive data to thumb drives or uploading data to unknown cloud applications.
But implementing a DLP solution is only part of the process of protecting your vital information. It should be accompanied by an education campaign, ongoing awareness training, and communication that teaches employees about the value of data protection and the consequences of failure.
One of the biggest security problems enterprises face is insider threats. A 2016 PricewaterhouseCoopers survey found that 72% of security incidents at financial services organizations involved a current or former employee. In many cases, these disclosures are unintentional, a byproduct of an increasingly mobile workforce. More than 5 million smartphones were lost or stolen in 2014, and 1 in 10 laptops is stolen each year. Add the millions of USB drives that disappear annually, and you can understand the growing risk of losing sensitive data.
Without education and explanation, users may come to regard DLP as just another Big Brother tactic, something to resist. There are some tried-and-true techniques you can use to get them on board.
Raise awareness of the problem. The news media carries reports of new data breaches almost daily. Make sure your employees know about them. Try sending a regular email roundup or posting news and tips on a bulletin board in common areas. Be sure people know about the financial consequences of data loss. IBM has been studying this for years, and says the price tag is up to $4 million per incident. That doesn’t include disruption from lawsuits, regulatory penalties, bad publicity, and layoffs. Damage to the organization hurts everyone who works there.
Train and repeat. You don’t need half-day seminars to communicate the importance of protecting corporate data. Host a lunch-and-learn every six months where you outline the threats, explain good practices for protecting data, and answer people’s questions about DLP technology and policies. Underline the fact that your initiative is intended to protect corporate assets, not spy on people.
Empower your end users. A mature DLP program lets you create policies for intercepting actions and managing exceptions. Avoid taking a heavy-handed approach. Users may think nothing of copying sensitive documents to risky destinations, like thumb drives or cloud file-sharing services, in order to get work done outside the office. They need to be made aware that their actions may increase organizational exposure. Use notifications to guide them. Warn first with a pop-up window and point them toward safer alternatives, such as a sanctioned corporate share. Only block them if they ignore or override multiple warnings. Tie the escalation to the data's classification: a warning-first path suits ordinary business documents, while the most sensitive categories may warrant an immediate block regardless of warning history. Log every warning and override; that record is what tells you whether a policy is too noisy or too lax. Also, be prepared to modify your policies based upon the user and the situation, for example by granting an approved exception to a team that legitimately needs a particular cloud service.
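The graduated response described above, as an added example that is not code from the original article or from any DLP product: a small policy engine that warns on the first attempt to move confidential data to a risky destination, lets the user proceed past a warning a limited number of times while counting each override, blocks once that limit is spent, blocks restricted data outright, honors per-user approved exceptions, and keeps an audit trail for the policy feedback loop. The four-level classification scheme, the destination names, the user names, and the sample events are all constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical four-level classification scheme; a real DLP tool applies
# labels produced by its own discovery and classification stage.
PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED = range(4)
LABEL_NAMES = {PUBLIC: "public", INTERNAL: "internal",
               CONFIDENTIAL: "confidential", RESTRICTED: "restricted"}


@dataclass(frozen=True)
class Event:
    """One attempted data movement, as a DLP agent would report it."""
    user: str
    label: int              # classification of the file being moved
    destination: str        # e.g. "usb", "cloud_share", "corporate_share" (assumed names)
    override: bool = False  # user clicked "proceed anyway" after seeing a warning


@dataclass
class Policy:
    risky_destinations: frozenset = frozenset({"usb", "cloud_share"})
    intercept_from: int = CONFIDENTIAL   # labels below this are never intercepted
    block_from: int = RESTRICTED         # labels at or above this are blocked outright
    warn_limit: int = 2                  # overrides a user may spend before being blocked
    # Approved exceptions: user -> destinations they may use for confidential data.
    exceptions: dict = field(default_factory=dict)


class DlpEngine:
    """Graduated enforcement: warn, count overrides, block after the limit."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.overrides = defaultdict(int)  # user -> warnings overridden so far
        self.audit = []                    # every decision, for tuning the policy later

    def decide(self, ev: Event) -> str:
        p = self.policy
        if ev.destination not in p.risky_destinations or ev.label < p.intercept_from:
            verdict = "allow"                   # out of scope for this policy
        elif ev.destination in p.exceptions.get(ev.user, ()):
            verdict = "allow"                   # approved exception; still audited
        elif ev.label >= p.block_from:
            verdict = "block"                   # too sensitive to warn-and-proceed
        elif self.overrides[ev.user] >= p.warn_limit:
            verdict = "block"                   # warnings were overridden repeatedly
        elif ev.override:
            self.overrides[ev.user] += 1
            verdict = "allow"                   # proceeds, but the override is counted
        else:
            verdict = "warn"                    # first response is a pop-up, not a wall
        self.audit.append((ev.user, LABEL_NAMES[ev.label], ev.destination, verdict))
        return verdict

    def summary(self) -> dict:
        """Verdict counts per user: the raw material for spotting noisy or lax rules."""
        out = defaultdict(lambda: defaultdict(int))
        for user, _label, _dest, verdict in self.audit:
            out[user][verdict] += 1
        return {u: dict(v) for u, v in out.items()}


# Constructed sample events (not real telemetry) that walk through each branch.
SAMPLE_EVENTS = [
    Event("alice", CONFIDENTIAL, "usb"),                         # warn
    Event("alice", CONFIDENTIAL, "usb", override=True),          # allow, override 1
    Event("alice", CONFIDENTIAL, "cloud_share"),                 # warn
    Event("alice", CONFIDENTIAL, "cloud_share", override=True),  # allow, override 2
    Event("alice", CONFIDENTIAL, "usb"),                         # block: limit reached
    Event("bob", RESTRICTED, "usb"),                             # block: restricted data
    Event("bob", INTERNAL, "usb"),                               # allow: below intercept level
    Event("dana", CONFIDENTIAL, "cloud_share"),                  # allow: approved exception
    Event("carol", CONFIDENTIAL, "corporate_share"),             # allow: sanctioned destination
]


def run_demo(events=SAMPLE_EVENTS):
    """Run the sample through a fresh engine; returns (verdicts, per-user summary)."""
    engine = DlpEngine(Policy(exceptions={"dana": {"cloud_share"}}))
    verdicts = [engine.decide(ev) for ev in events]
    return verdicts, engine.summary()


if __name__ == "__main__":
    verdicts, summary = run_demo()
    for ev, v in zip(SAMPLE_EVENTS, verdicts):
        print(f"{ev.user:6} {LABEL_NAMES[ev.label]:13} -> {ev.destination:16} {v}")
    print(summary)
```

The override counter is deliberately per user rather than per file or per destination, so a user who keeps choosing "proceed anyway" across different risky channels still reaches the block threshold. The audit list and summary are what the feedback loop in the next point consumes: a user or team that generates mostly warnings is a candidate for an approved exception or for training, while a rule that never fires anywhere may be dead weight.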
Communicate and improve. Before you even begin a DLP initiative, put channels in place to communicate among stakeholders and create a feedback loop for policies and practices. Be prepared to make changes and move incrementally toward a process that balances protection with business needs.
Model positive behaviors. If your top executives publicly and fully support your DLP initiative, others will fall in line. Invite members of the C-suite to attend and speak at lunch-and-learns. Encourage them to publicly recognize your firm’s progress in protecting data. It’s even OK to ask them to “fess up” if they’ve been warned, and to share what they have learned.
Awareness is your most potent tool for shoring up your defenses. You can’t communicate often enough with everyone who’s affected by your DLP initiative. The more involved people are across all parts of the organization, the faster they will buy in.