13 April 2022

How to successfully implement a DLP solution in a company in one hour?

  • What are DLP solutions, and why do we need them?
  • Step one – what do I want to protect?
  • Step two – what are the safe zones?
  • Step three – ensuring protection

Let's start with the simplest thing: what are DLP solutions, and why do we need them? Imagine that our best, most trusted employee, who (worst of all) has access to most of the company's data, receives an interesting job offer directly from a competitor. If they decide to join the competitor, it is only logical that they will want to take some of the results of their work "with them". Experience shows that employees rarely understand that "their customers" are the company's customers. The projects they deliver are not "theirs" either. Internal rules (e.g. bonus settlement rules) are company documents, and confidential documents, even though the employee previously had access to them, should remain within the company. A prudent owner or administrator understands the need to protect key data, and employee training becomes the natural response. The point is that employee training alone is not enough nowadays. Just as we defend against hacker attacks by implementing UTM solutions, we implement DLP solutions against human error and potential threats from within.

So let's assume that the administrator has made a bold decision: we must protect our data. Therefore, we decide to implement a DLP solution in the company. We want to know how employees work and to ensure that company data stays in the company. What comes next? We need to answer a few fundamental questions that will help us implement DLP properly.

Step one – what exactly would I like to protect?

In the first step of the implementation, we need to define which of the elements, files and content we process in the organisation should be protected. What kind of data are they? Personal data, data about our employees (including salaries), know-how, ongoing projects, the customer database, CRM data, documents... In fact, every organisation has areas it wants to secure and, unfortunately, the administrator very often is not sure what these areas are. Hence the most popular technique: first determine the data that clearly needs protection (e.g. personal information), then monitor all other files that leave the organisation, because the employees' activity on files helps us determine which further data requires protection. Of course, you can consult the business side of the company to identify the elements subject to protection. However, monitoring files leaving the organisation to find out whether a given file may leave the company at all is always good practice.

Step two – what are the safe zones for protected files?

At this stage, we could simply protect the key data without specifying the so-called safe areas (safe zones, employee rights, etc.), but such an approach would primarily mean that a protected file cannot be sent by e-mail at all. Why? Because at this stage the system does not know that a given file CAN be sent by e-mail inside the company. If we protect it, the employee cannot attach it to an e-mail. Therefore, before putting a file classified as important under protection, it is necessary to define these safe zones, such as the company domain, specific applications, selected cloud services or network locations, so that these previously defined areas can be excluded at the next stage (i.e. when the file is placed under protection).

Step three – Protecting key files – the need to educate employees

In the beginning, I mentioned that employee training is also essential (from the point of view of data protection). At the implementation stage of a DLP solution, it is important to remind employees of the company's rules regarding key documents and to give them time to learn from specific examples. It is worth implementing the DLP solution in such a way that the employee can still "leak" a protected file, because from their point of view it may be necessary for the company's business or (more likely) they do not know that such a file should not leave the company. For this purpose, the "educate" option has been implemented in the Safetica solution: rather than blocking, e.g., sending a file outside the organisation, it informs the employee that they should not do so. It still allows the employee to "bypass" the security policy, provided, of course, that they justify this decision. Only at the end of the implementation is the "education" policy replaced by a "blocking" policy, which blocks the possibility of leaking the file.
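The three steps above can be modelled as one small policy engine: classify the content (step one), check the destination against the safe zones (step two), and evaluate the action in "monitor", "educate" or "block" mode (step three). The code below is an added illustration written for this article, not Safetica's code or API; the patterns, safe-zone lists and verdict names are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Step one: rules that mark content as protected (constructed sample patterns).
PROTECTED_PATTERNS = {
    "personal_data": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),   # SSN-like identifier
    "salary": re.compile(r"\bsalary\b", re.IGNORECASE),
}

# Step two: safe zones, i.e. channels where protected files may legitimately go.
SAFE_ZONES = {
    "email_domains": {"example.com"},      # our own company domain
    "cloud": {"corp-sharepoint"},          # approved cloud service (assumed name)
}

@dataclass
class Event:
    content: str          # text of the file being sent
    channel: str          # "email", "cloud" or "usb"
    destination: str      # recipient address, cloud service name or device id
    justification: str = ""

def classify(content):
    """Step one: return the set of protection categories found in the content."""
    return {name for name, pat in PROTECTED_PATTERNS.items() if pat.search(content)}

def in_safe_zone(event):
    """Step two: does the destination fall inside a pre-defined safe zone?"""
    if event.channel == "email":
        domain = event.destination.rsplit("@", 1)[-1].lower()
        return domain in SAFE_ZONES["email_domains"]
    if event.channel == "cloud":
        return event.destination in SAFE_ZONES["cloud"]
    return False  # e.g. USB devices: no safe zone defined

def decide(event, mode):
    """Step three: apply the policy in 'monitor', 'educate' or 'block' mode.
    Returns (verdict, categories). 'monitor' only records what leaves;
    'educate' warns and lets a justified transfer through (logged);
    'block' never lets a protected file leave a safe zone."""
    cats = classify(event.content)
    if not cats or in_safe_zone(event):
        return "allow", cats
    if mode == "monitor":
        return "allow+log", cats
    if mode == "educate":
        return ("allow+log" if event.justification.strip() else "warn"), cats
    return "block", cats
```

Running the same event through the three modes shows the rollout the article recommends: monitor first to learn which files leave, then educate, and only at the end block.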

Summary

Implementing DLP in a company does not have to be difficult or laborious, and it does not have to consume many resources. Solutions are available on the market whose configuration should not be a major problem. Sticking to the scheme above may allow us to protect our environment without much effort.

Mateusz Piątek
product manager Safetica

Do you have any questions?
Contact me:
[email protected]
532 570 255