What is Data Loss Prevention?
Data loss prevention (DLP) is a set of policies and controls put in place to avoid the loss of critical corporate information. The aim of DLP is to prevent the loss, unauthorised access and general misuse of critical and confidential data. Data loss is a significant risk for businesses today because of the ever-increasing amount of electronic data stored and exchanged on the network. Last but not least, having a DLP strategy can help you achieve GDPR compliance if you handle personally identifiable information.
What Are the Consequences of Data Loss?
- 94% of companies suffering from a catastrophic data loss do not survive – 43% never reopen and 51% close within two years. (University of Texas)
- 7 out of 10 small firms that experience a major data loss go out of business within a year. (DTI/PricewaterhouseCoopers)
- 25% of all PC users suffer from data loss each year. (Gartner)
Data Loss Risks
There are several risks to consider when addressing the issue of data loss. The main risk is linked to the employees of a company, because they have direct access to the data. Moreover, employees are often given a business laptop for working outside the office, and that laptop also holds sensitive data. If it is lost or stolen, the data on it remains accessible, which poses a serious threat to the company's reputation.
Another significant risk is the lack of processes to classify the data and control access to it so that it can be monitored effectively. A mapping of data assets should be carefully documented in order to visualise the data flow and apply better controls. Moreover, user access controls should be implemented to make sure that only authorised users have access to sensitive and confidential documents. These two measures significantly reduce the risk of data loss.
A targeted cyber attack could also lead to the loss of data. Lately there has been an increase in ransomware attacks. While these attacks do not target specific data, the risk of data loss is still present because the stored data is encrypted by the attacker. If the ransomware spreads to several systems and no data backup is readily available, the data must be considered lost. Another major electronic asset is the database where data is commonly stored. Here, a brute-force attack aimed at gaining unauthorised access can also lead to data loss.
What data needs to be protected?
There are three main types of critical data that are used for daily business operations: business data, customer data and intellectual property data.
- Business (HR documents, employee details, business plan, financial data, products and services offered)
- Customer (personal information, banking information, payment information)
- Intellectual Property (design documents, trade secrets, R&D, software source code)
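To make the two measures above concrete (classifying data into the three categories, then enforcing who may handle it and where it may go), here is a small DLP content-inspection and policy check. It is an added example written for this page, not code from the original article or from any DLP product. The category keywords, the authorised-groups matrix, the corporate domain example.com and the sample documents are all constructed assumptions; a real deployment would derive them from the organisation's own data-asset mapping.

```python
"""Toy DLP classifier and transfer policy check (added example, not from the page)."""
import re
from dataclasses import dataclass

# Detectors for two kinds of customer data named on the page: payment card
# numbers (13-19 digits with optional spaces or dashes) and e-mail addresses.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Keyword markers for the other two categories (constructed lists, an assumption).
KEYWORDS = {
    "business": ("business plan", "salary", "financial forecast"),
    "intellectual_property": ("trade secret", "design document", "source code"),
}

# Which user groups may handle each category (constructed access-control matrix).
AUTHORISED_GROUPS = {
    "business": {"finance", "hr", "executive"},
    "customer": {"finance", "support"},
    "intellectual_property": {"engineering"},
}

INTERNAL_DOMAIN = "example.com"  # assumed corporate mail domain


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Candidate PANs that also pass Luhn, so random digit runs are not flagged."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(text: str) -> set[str]:
    """Map a document onto the page's three categories."""
    cats = set()
    lowered = text.lower()
    if find_card_numbers(text) or EMAIL_RE.search(text):
        cats.add("customer")
    for cat, words in KEYWORDS.items():
        if any(w in lowered for w in words):
            cats.add(cat)
    return cats


@dataclass
class Decision:
    allowed: bool
    categories: set
    reasons: list


def check_transfer(text: str, sender_groups: set[str], recipient: str) -> Decision:
    """Decide whether a sender may transfer this content to the recipient."""
    cats = classify(text)
    reasons = []
    if not cats:
        return Decision(True, cats, ["no sensitive content detected"])
    # Access control: the sender must be authorised for every category present.
    for cat in sorted(cats):
        if not (sender_groups & AUTHORISED_GROUPS[cat]):
            reasons.append(f"sender not authorised for {cat} data")
    # Egress control: sensitive categories stay inside the corporate domain.
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain != INTERNAL_DOMAIN:
        reasons.append(f"external recipient {domain} for {', '.join(sorted(cats))} data")
    return Decision(not reasons, cats, reasons or ["authorised internal transfer"])


# Constructed sample documents (not real customer data).
SAMPLE_INVOICE = "Customer paid with card 4111 1111 1111 1111, contact jane@customer.org"
SAMPLE_MEMO = "Q3 financial forecast attached; see the business plan for headcount."
SAMPLE_NOTE = "Lunch is at noon, room 4; reference number 1234 5678 9012 3456."

if __name__ == "__main__":
    for doc in (SAMPLE_INVOICE, SAMPLE_MEMO, SAMPLE_NOTE):
        d = check_transfer(doc, {"support"}, "partner@outside.example")
        print(d.allowed, sorted(d.categories), d.reasons)
```

The Luhn check is what keeps the third sample (a 16-digit reference number) from being misclassified as payment data; false positives are the usual reason DLP rules get switched off, so each detector should carry a validator where one exists. The decision object returns every failed rule rather than the first one, which is what an analyst reviewing a blocked transfer needs to see.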
Policies to set up a DLP strategy
To build a successful DLP strategy, several questions need to be answered. On the one hand, it is critical to know exactly where the data is located and who has access to it. On the other hand, encryption and regular backups should be considered to protect the data. Employees should also be made aware of the security policies regarding the protection of data. It is also essential to set up an incident response and disaster recovery process. Last, but not least, regulations around data protection and data privacy should be taken into account when setting up a DLP policy (EU GDPR, Data Protection Act, ePrivacy).
Data loss poses a critical risk for organisations because electronically stored data is considered a business asset. Moreover, a data breach could seriously damage the reputation of a business especially if personal or client data is involved. Furthermore, the financial cost of a data loss could jeopardise the entire business.
Therefore, the issue of data loss should be raised frequently, given the impact it can have on both the technical and financial side of a business, not to mention its reputation. There is a set of laws and regulations around this topic that must be observed to achieve compliance, especially GDPR, which will help you to build trust with your clients.