Answering Your Top DLP Questions
DLP is a process, with no clear start point or, for that matter, end point. But it's always good to start from where you can. Plan your work so that the effort you put in now is not wasted but complements the DLP solution once the organization has the money to implement one.
For example, you can start with a gap assessment on DLP. Identify where you are. Compare your current status to the stipulations of the Cyber Security Framework of CB (wwww.link,,,). Start with a sample department. Identify its data inflows and outflows. Know what business-critical information the department possesses. Agree on a base of classification with the team. By doing so you will invariably lessen the workload of future activities. Even if you are to face a CB audit, there is some progress made compared to none!
There are many challenges in implementing DLP, not only on the technological front; the human aspects add to them. Starting with the technology, it's a call on risk versus return. You spend a certain amount of money to curtail a risk, and the greater the risk, the more money you pour in. Some solutions in the market are expensive, yet a certain extent of compliance comes with the solution. E.g. MS is an expensive DLP tool, but if the company has E3 licensing, then with a component and a few add-ons a good 80% compliance can be met.
On the other hand, when implementing DLP, the support and understanding of the staff is a key factor. Each department has to understand and label its data correctly. Creating exceptions for each user on transmission would be a nightmare for the system admin. Policies need to be set up and adhered to.
In general, most of the challenges for the products arise when it comes to mobile users. Some products also face the challenge of browser-based access. On the other hand, Microsoft-based tools have an issue when accessing applications other than Microsoft's own. Although it's possible to have a solution for most of these issues, the investment is a concern.
Implementing DLP is a process and not a destination. Hence the recommendation is to start on the groundwork without waiting for everything to fall into place. This starts with data classification. Appoint a team, identify the critical data for each department and label it. The work so far doesn't incur additional cost for the company. Nor does developing a framework with policies and procedures (which may need some professional assistance). This amounts to 80% of the pre-work for a solution. Completing these tasks helps start the journey and gives an answer to audit committees who need progress. By the time all the groundwork is done, implementing a tool will be easy, and (hopefully) budgets will be in.
Copyright © 2023 Aion Cyber Security All rights reserved.