Email data loss prevention

What is Data Loss Prevention (DLP)?

by Egress
Published on 5th Jan 2022

Data loss prevention (DLP) software is a critical tool for any organization looking to protect sensitive and valuable information. Whether you are a small business owner, a corporate IT professional, or an individual working from home, DLP software can help you safeguard your data from accidental or intentional loss.

At its most basic, DLP software works by identifying and protecting sensitive data as it moves through your organization's networks and systems. This includes everything from emails and documents to financial records and client information. DLP software uses a variety of techniques to identify and classify data, including keyword searches, data fingerprinting, and pattern matching.

Once sensitive data has been identified, DLP software can take a number of actions to protect it. This might include blocking the data from being transmitted or shared, encrypting the data to prevent unauthorized access, or alerting the appropriate personnel when data loss is detected. This is particularly helpful for law firms and investment management firms seeking to enforce information barriers.
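The three identification techniques and the resulting actions described above can be sketched as follows. This is an added example, not code from Egress or any DLP product; the keyword list, protected document, thresholds and function names are all constructed for illustration.

```python
import hashlib
import re

# Constructed policy values for this example only.
KEYWORDS = {"confidential", "privileged"}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate card numbers
SHINGLE = 5  # words per fingerprint window
PROTECTED_DOC = ("The acquisition of Northwind by Contoso will close at "
                 "42 dollars per share in the third quarter")


def luhn_ok(digits: str) -> bool:
    """Card-number checksum; rejects digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def shingles(text: str) -> set[str]:
    """Fingerprint: hashes of every run of SHINGLE consecutive words."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + SHINGLE]).encode()).hexdigest()
            for i in range(max(len(words) - SHINGLE + 1, 0))}


PROTECTED_FP = shingles(PROTECTED_DOC)


def classify(body: str, protected: set[str]) -> tuple[str, list[str]]:
    """Return (action, reasons) for one outbound message body."""
    reasons = []
    if any(k in body.lower() for k in KEYWORDS):           # keyword search
        reasons.append("keyword")
    if any(luhn_ok(re.sub(r"\D", "", m.group()))           # pattern matching
           for m in CARD_RE.finditer(body)):
        reasons.append("card-number")
    msg = shingles(body)                                   # data fingerprinting
    if msg and len(msg & protected) / len(msg) >= 0.3:
        reasons.append("fingerprint")
    if "card-number" in reasons or "fingerprint" in reasons:
        return "block", reasons
    return ("alert" if reasons else "allow"), reasons
```

The Luhn check shows how a pattern rule can cut false positives: a 16-digit order reference matches the regular expression but fails the checksum, so the message is allowed.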

DLP software is an essential part of any comprehensive data security strategy, and it is important to choose a solution that meets the specific needs of your organization. In this blog, we will explore the various features and capabilities of DLP software, as well as how to choose the right solution for your business.

What kinds of data loss prevention software exist?

There are three types of data loss prevention software: network, endpoint, and cloud. All three deliver the same result (data protection), but the methods used vary from one type to the next.

Network DLP

Network DLP puts a secure perimeter around the data in motion on the network, as the name indicates. This solution tracks and monitors data as it moves on the company’s network, as opposed to the endpoints.

So, if a user attempts to email sensitive information while on the company’s network, the network DLP would carry out one or more of several pre-programmed actions, such as encrypting, blocking, quarantining, or auditing the email. It can also notify the administrator of the attempt to send information over email.

Network DLP solutions are effective when a computer is connected to the network, but their safety net doesn’t extend to laptops and devices on the go, away from the network.

Endpoint DLP

Endpoint DLP doesn’t operate on the network where the data is in motion. Instead, it is installed on each individual device, which is where the endpoints of the network reside. Endpoint DLP security monitors data as it moves to and rests in these endpoints regardless of where they are or how they’re connected to the network or internet. It can even detect when sensitive data is saved unencrypted in the files on the devices.

Endpoint DLP offers more blanket protection than Network DLP, but it also requires more management. Each device needs to have the Endpoint DLP security software installed on it. This can be challenging logistically when organizations have remote staff. The time and attention required to manage and maintain an Endpoint DLP system should also be considered.

Cloud DLP

Cloud DLP is like Endpoint DLP, but it enforces DLP rules and policies on select cloud accounts. It does not form a perimeter around a traditional on-premises network like Network DLP does. Instead, it integrates with cloud tools like Office 365 and Google’s G Suite (and many others).

This allows your staff the convenience and security of using cloud apps and cloud storage without risk of data breach or loss.

Limitations of traditional DLP in security

The most frustrating aspect of working with traditional DLP is its lack of flexibility and the fact that false positives can be high. This happens because the software is rigid by design. DLP’s biggest strength is therefore also its key weakness.

Say, for example, that you have hired a freelancer, and you need to share data with that person. This is legitimate, but if the freelancer’s email and website are hosted on a shared server that your DLP software has blacklisted, you may be in the difficult position of finding a workaround to communicate. IT administrators therefore often find themselves in the unenviable position of creating different rules for different users, which ultimately cannot scale across medium or larger organizations, and takes time to implement (which can be frustrating for users that "need to send this email now"). Often, this leads to DLP rules being relaxed over time, weakening an organization's security posture.

Additionally, traditional DLP will not stop all data breaches, such as phishing scams and misdirected emails. Lexicons of words used to identify and flag incoming emails as potentially suspicious help to a degree, but they cannot prevent 100% of phishing incidents, nor can they stop all cases of accidentally sending an email with sensitive information to the wrong person within or outside the organization. Traditional DLP software has to know what to "look for" in order to prevent data breaches, which means it cannot detect emerging use cases or outliers without being pre-programmed/updated.

Note that these limitations are specific to traditional DLP security. Advanced data loss prevention software packages, such as those offered by Egress, virtually eliminate the limitations of traditional DLP.

Take the example of misdirected emails (some call this “fat finger error”). Egress Prevent prompts users when they include a recipient that is outside of their normal pattern but who they are technically authorized to email under other circumstances. For example, the sender is authorized to share financial data externally but never normally sends it to Person A at Company X; they usually send it to someone with a similar name at the same company.

They are legitimately allowed to email both recipients; they just normally share different types of data with them. Egress' intelligent DLP will prompt the sender to ensure only authorized recipients are contained within the email, stopping emails from landing in the inboxes of the wrong recipients. The software scans email text and the contents of the attachments to detect potential data breaches before they happen.
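The idea of comparing a draft's recipients against the sender's normal pattern for that kind of data can be illustrated with a simple frequency heuristic. This is an added example and not Egress Prevent's algorithm (which the article describes as contextual machine learning); the function name, thresholds, addresses and history below are constructed assumptions.

```python
from collections import Counter
from difflib import SequenceMatcher

# Constructed history of one sender's past mail: (recipient, data_type) pairs.
HISTORY = (
    [("john.smith@companyx.example", "financial")] * 5
    + [("jon.smith@companyx.example", "marketing")] * 4
)


def unusual_recipients(history, data_type, recipients, min_seen=3, similar=0.8):
    """Return {recipient: likely_intended_or_None} for recipients worth a prompt.

    A recipient is unusual when the sender has sent this data_type to them
    fewer than min_seen times. If a usual recipient of this data_type at the
    same domain has a similar name, it is offered as the likely intended one.
    """
    seen = Counter((r.lower(), t) for r, t in history)
    usual = [r for (r, t), n in seen.items() if t == data_type and n >= min_seen]
    prompts = {}
    for rcpt in (r.lower() for r in recipients):
        if seen[(rcpt, data_type)] >= min_seen:
            continue  # normal pattern for this kind of data, no prompt
        local, _, domain = rcpt.partition("@")
        best, best_score = None, similar
        for cand in usual:
            c_local, _, c_domain = cand.partition("@")
            score = SequenceMatcher(None, local, c_local).ratio()
            if c_domain == domain and score >= best_score:
                best, best_score = cand, score
        prompts[rcpt] = best
    return prompts
```

With the constructed history, a financial email addressed to `jon.smith@companyx.example` produces a prompt suggesting `john.smith@companyx.example`, while a marketing email to the same address produces none, since both recipients are authorized and only the pairing with the data type is unusual.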

Which data loss prevention system is right for me?

Different situations require different types of DLP software. In general, if you are unable to exercise a high amount of control over individual devices within your system, it’s likely that you’ll have to choose a network DLP system. Network DLP is faster and simpler to organize – however, it is worth remembering that protection will not be as thorough as endpoint DLP.

However you choose to protect your system, it’s important to remember the advantages offered by more intelligent DLP solutions. Egress Prevent software helps to eliminate potential risks in your system and covers gaps that traditional DLP might leave exposed – including human errors such as misdirected email.

By using contextual machine learning, it’s able to recognise when your employees are about to cause data leaks – either intentionally or accidentally. With prompts to encourage users to practice secure and responsible handling and comprehensive administrator monitoring and analysis tools, Egress Prevent helps stop breaches before they happen.

The advancements that Egress has made in the content analysis and contextual machine learning aspects of data loss prevention software help take the human element out of security decision-making. People develop tech-fatigue, where they perform the same actions over and over (like sending and receiving emails). The repetition lulls them into feelings of familiarity and comfort. Not carefully reading emails before clicking links or double-checking the distribution list before clicking the send button is how mistakes happen. Egress Prevent eliminates these errors.

What other data leakage prevention tools do I need?

Alongside traditional DLP software, it’s advisable to introduce email encryption and anti-phishing software to protect sensitive information. Data that’s handled between colleagues or shared with external clients or suppliers needs to be kept secure.

Egress Prevent is part of the Egress Intelligent Email Security suite, which also encompasses Egress Protect, which offers highly secure email encryption that gives you total control over the information you handle, and Egress Defend, an anti-phishing tool. Together, they create a safety net around every user. They keep your data safe and protect your customers and organization, without burdening your information security or IT staff.

Learn how the Egress Intelligent Email Security suite can protect your business from the risk of misdirected emails and files.
