The Revival of DLP

Stephanie Gray
July 13, 2019


Over the past 12 months we’ve seen a large number of customers embarking on Data Loss Prevention (DLP) projects that look to either overhaul or optimise their DLP strategy. Despite the well-known complexity and difficulties that come with these projects, companies still see DLP as a priority and a challenge that needs to be addressed now more than ever. But why is this?


According to the Economist in 2017*, data is now the most valuable asset in the 21st century, outstripping oil (the most valuable asset of the 20th century). As individuals we experience organisations collecting data on us every day: banking, insurance, healthcare, social media, our employers, and the list goes on. Thus, having control over where and when this data is used has become imperative for us all.

For the most part, we’ve seen governments and agencies recognise this and implement more comprehensive legislation that protects the public’s data and privacy. One example is Australia’s Notifiable Data Breaches Scheme, which makes businesses more accountable for reporting when they have experienced a data breach and ensures they notify the persons affected as quickly as possible so they are able to take any necessary action.

Further to this, the Federal Government has announced that there will be major changes to the Australian Privacy Act later this year. These updates will introduce additional powers for the Office of Australian Information Commissioner (OAIC) and larger fines for organisations that are found misusing personal data. Organisations will potentially face fines of $10 million or 10% of their annual domestic turnover (whichever is greater) if they are found to be misusing individuals’ personal data. These updates will bring the Australian Privacy Act more in line with the General Data Privacy Regulation (GDPR) that came into effect in May 2018.

Most recently, we’ve seen for the first time a past data breach have a negative effect on a company’s Moody’s rating^, with Equifax’s outlook being moved from ‘stable’ to ‘negative’ due to its data breach in 2017 and the ongoing fallout from it.


So, as individuals are looking to companies to ensure that their personal data is protected and accounted for, how are organisations actually addressing this? Do they have visibility of where their data resides? Do they have the correct controls in place to identify critical data and to detect when data is lost or maliciously removed?

These are all questions that organisations look to answer, but they often run into hurdles that make the process difficult and frustrating.

  1. It’s complicated – Companies are often battling with complex infrastructures that have a blend of legacy on-premise systems and cloud-based applications.
  2. It’s not classified – Classifying data within an organisation is time-consuming and difficult, but is necessary when undertaking a DLP project in order for it to be successful. Many businesses have some kind of legacy data classification structure in place
  3. It’s uncontrollable – Most businesses have an idea or know what controls and data loss prevention policies they have/would like to have in place but have trouble enforcing them.


Start with the basics

What data classifications does your organisation need? What makes sense to your business and what is most important? Many businesses come across hurdles when they haven’t fully understood the DLP requirements their organisation has, and therefore find they are forced to use a technology that does not work for them. It is important that a thorough scope of the project is completed before a DLP or CASB solution is evaluated. Think about what your business is trying to solve and whether you have the complete picture of your business-critical data before you embark on the project. Which brings us to our next point…

Speak to your stakeholders

Speaking to other stakeholders of the business, such as legal and HR, gives you valuable insight into where your business-critical data resides, who is accessing it and how it is used. This is invaluable at the start of any DLP project. No matter how well you think you know your company, you might be surprised at what you find when you delve a little deeper under the hood. This intel can help you determine what processes and controls need to be put in place to mitigate risk across the organisation. It also means that you are able to prepare and minimise any disruption to the organisation during DLP implementation.

Phase it in

Companies will often attempt to deploy DLP solutions all at once, without taking into consideration potential business disruption. By taking a calculated, phased approach to rollout, businesses can help to minimise disruption and tackle any potential issues one at a time. Completing the deployment in phases also gives organisations the chance to learn at each stage and make adjustments where necessary. This helps the project progress more smoothly and gain the confidence of other stakeholders and senior management.

Stay tuned for next week’s article where we’ll share how we work with our customers to assess their current DLP capabilities, by mapping their business needs against their current technology stack and giving them actionable insights into how they can improve their DLP strategy.

* The Economist – The world’s most valuable resource is no longer oil but data

^ CNBC – Moody’s downgrades Equifax outlook