Data loss prevention (i.e. preventing loss, leakage and exfiltration of confidential data) is not just a technical matter – it is equally important to involve employees, as the DLP measures will not work without them. These approaches are promising.
Text: Andreas Heer, 18 June 2019, updated on 13.02.2024
Data loss can happen quickly: the e-mail sender is in a hurry, selects the wrong recipient and, before they know it, a confidential product presentation has been revealed to the outside world. Or business data in cloud storage is shared with the entire outside world. In addition, there are cybercriminals who use social engineering and phishing to gain access to business information.
As these examples show, protecting confidential company data is both complex and important. As the name suggests, Data Loss Prevention (DLP) – also referred to as data leakage prevention – describes all measures intended to prevent unwanted loss, leakage or exfiltration of company information. Compliance requirements arising from regulations and data protection laws such as the new Swiss FADP play an important role in this as breaches can lead to heavy fines. But the company’s reputation is equally important, since it helps to generate trust among customers. ‘Customers rightly expect companies to treat the data entrusted to them in a confidential manner,’ says Raffael Peluso, Head of Product Management Cybersecurity at Swisscom. A data breach can thus also result in the business losing customers.
At the same time, data is becoming increasingly important for companies as a result of digitalisation. Intellectual property stored digitally must be kept hidden from outsiders, as must a product roadmap that could give a rival a competitive advantage. Again, DLP measures are required.
The examples described above, with the wrong e-mail recipient and careless release of data, show that DLP must include a combination of technical measures, processes and employee awareness. It may have been technically possible to prevent dispatch of the product presentation. But employees who are trained in handling confidential data know that they should not send such documents by e-mail or share them unprotected.
IBM’s Cost of a Data Breach study shows the importance of raising awareness alongside technical measures: in 2023, 60 per cent of all data thefts worldwide also involved human error. When informed employees apply their knowledge in their daily work, this security awareness minimises the risk. In other words: awareness equals protection.
There are various ways to train employees, some easier than others. ‘My experience is that e-learning is well suited, for example in the form of educational videos with final test questions or with phishing training,’ says Raffael Peluso. ‘The training should be accompanied by other information campaigns; for example, on the intranet.’
Security awareness measures such as these help to promote understanding of how to handle confidential data – and also of the necessary guidelines, processes and technical protective measures.
But you cannot guarantee complete security. If an employee has criminal tendencies, they will find a way to get around the protective measures. Raffael Peluso, too, does not have any illusions about this: ‘Like any security measure, data loss prevention is a trade-off between effort and residual risk.’
He believes that the success of data loss prevention depends on how it is implemented: ‘The measures must not interfere with day-to-day operations. Otherwise, employees will be reluctant to accept DLP and will find creative ways to bypass it.’