• Unlock Free Access to Threat Intelligence Training Now!
  • Get Started
SecurityTrails Blog · Nov 03 · by Sara Jelen

Understanding Data Loss Prevention - DLP

Reading time: 11 minutes
Listen to this article

Data loss has long been a serious issue for businesses of all sizes. Yet despite growing awareness surrounding the issue — and the security measures taken to prevent it — the number of data breaches continues to grow every year. Even worse, losing data isn't only just losing data: it also brings with it financial impact, loss of customer trust, corporate liability, loss of current and future business, and often some very hefty legal fines.

Traditional security controls such as firewalls, physical controls and network segmentation do help to keep malicious actors out of the network, but what about the inside of the network? After all, within your organization there are people with authorized access to sensitive data, and recognizing their intentions isn't easy. The danger often comes from within, and organizations need to maintain visibility over their sensitive data, including how it's interacted with, and who has access to it. This is where data loss prevention comes in.

It's a term that's often thrown around, and with such a wide scope it can be difficult to define. But that's precisely what we'll do today.

What is data loss prevention?

Data loss prevention, or DLP, is a set of procedures and tools used to prevent data loss, by ensuring that an organization's data isn't misused or accessed by unauthorized users. Organizations use DLP to both secure their data and to comply with regulatory requirements.

The term DLP is mostly used for tools and software that classify critical data and control data transfer to protect it from unauthorized users, and to prevent authorized users from accidentally or maliciously sharing data and putting the organization at risk. The data is classified according to the organization's business rules and policies, which are typically driven by compliance (GRPR for example).

DLP tools monitor different entry points on a network, such as endpoints, email servers, and gateways; and also control data transfer between users and external parties. They also secure data at rest, in motion and in use and control that activity, monitoring for any potentially malicious data transfer or use. For example, DLP tools would flag an activity such as an employee transferring corporate files to an external device, or forwarding an internal email outside the organization.

To reiterate, DLP solutions monitor data inside the network, filter activity to stop suspicious activity, provide reporting for incident response and compliance, and analyze suspicious behavior to provide context to security teams.

Different types of data loss prevention

While we just went over how a "regular" DLP solution works, there are still different solutions that work based on the perimeter they protect. As organizations generally have many security solutions in place, they don't often need an all-encompassing DLP. It's more practical to have one that suits their needs, with the type of solution they use focused on what needs to be protected. That's why we recognize four main types of DLP solutions — network, endpoint, email and cloud DLP.

Different types of data loss prevention

Network DLP

Network DLP provides visibility into data in motion, by monitoring traffic that goes in and out of an organization's network. These solutions protect the organization's network, web application, email and FTP. Usually cloud-based, network DLP solutions monitor every bit of data traffic between users and endpoints, blocking data transfer based on predefined rules which are customized for the organization and its policies. Unauthorized data transfer and malware are then prevented from travelling through the network.

Endpoint DLP

Endpoint DLP solutions provide visibility into data on, well — endpoints. These solutions monitor laptops, PCs, servers, USBs, mobile devices, workstations, just about all devices on the network. They protect data used on company devices by ensuring information isn't sent or copied to unauthorized devices, and flag any attempts to do so. Endpoint DLP can also deny certain tasks, such as transferring data to USBs.

Cloud DLP

Cloud DLP provides visibility into data that is stored and shared on cloud applications. They ensure that critical and sensitive data can't access the cloud without first being encrypted and that it is only sent to authorized cloud applications.

Email DLP

Email DLP monitors and filters email sent between users within an organization and external parties. These solutions monitor emails for certain keywords to identify phishing attacks and other types of cybercrime that use email as an entry point. It can also determine whether sensitive data is shared over email and outside the organization.

Why you should implement data loss prevention

Data loss prevention has been around for some time now. It's even been called obsolete in the past, but the amount and value of data is constantly growing, along with the risks of misuse and theft. Various trends have been pinpointed, presenting solid reasons for implementing DLP and driving its adoption throughout a number of organizations.

Insider threats

While external forces including malicious attackers, ransomware, DDoS and others pose a real and constant threat, a recent study by Verizon indicates 57% of all data breaches come from within. These insider threats are particularly dangerous in their ambiguity — when users already have access to critical data, as employees do, it's difficult to determine whether their engagement involves malicious purposes, and tech-savvy users can easily cover their tracks. This is why having a DLP solution that monitors data and its users is crucial in order to catch insider threats in time. Otherwise, they're notorious for going undetected for months, sometimes even years.

Growing attack surface

Today's organizations keep a large number of networks, software, protocols and services running, and monitoring every part can be a challenge in itself. Add the supply chain and M&As to the mix and it's easy to see why knowing whether critical data has been shared to unauthorized users or devices on each part of the attack surface sounds nearly impossible. Additionally, the attack surface is both digital and physical, and with the growing number of remote employees, BYOD practices and employees accessing their organization's network and assets from personal devices, the challenge seems even more monumental.

Monitoring data in transit inside and outside the network with a DLP solution can provide visibility into critical data leaving the organization's premises. This way it can pinpoint where in the network an attack has occurred.

Growing digital assets and data

Just as the number of tools, networks and services are growing, so are organizations' digital assets and data. Sensitive data has also expanded in scope, with more and more digital assets carrying data that could pose social, reputational, legal, financial and insurance risk if it falls into the wrong hands.

Growing number of threats and attacks

Did you know that a cyber attack occurs every 39 seconds? And as if the current pandemic wasn't scary enough, an increase of 300% in reported cybercrime since it began has been noted. All of these statistics show that malicious attackers aren't stopping anytime soon, with techniques that have evolved to challenge the sophistication of the security tools and solutions used to prevent them. There's no reason an organization shouldn't uphold information security as one of its main objectives, doing everything possible to protect its data from being misused, stolen or destroyed.

Cybersecurity skills gap

Ah, the infamous cybersecurity skills gap. Every year, we see reports of the cybersecurity skills shortage soaring, with reports citing 4 million skilled security professionals needed to close the gap. Attacks are far and wide, and without security professionals to protect organizations, tools like DLP solutions are crucial.

Stolen data sold on the dark web

Data is knowledge, and knowledge is power. And cyber criminals are out for power. Well, and money of course. Data stolen in data breaches is often sold on the dark web and distributed to individuals and groups to do with as they please. Some attackers might not even target your organization specifically, but carry out wide scope attacks to obtain the data and sell it, sometimes for thousands of dollars. After all, financial gain is one of the main driving forces for cyber criminals.

New regulations and GDPR

Yay for GDPR! Love it or hate it, new regulations are introduced all the time. Fortunately, complying with all of them is made easier with DLP solutions as they can monitor data for any compliance violation, which safeguards your organization from hefty legal fines and reputational damage.

Data loss prevention use cases

Ensuring data security grows more challenging every day, making DLP solutions an attractive prevention method. Typically, DLP solutions support organizations in compliance, intellectual property protection and data visibility.

Data loss prevention use cases


As mentioned, trends such as mandatory regulations imposed by governments including GDPR, HIPAA, PCI DSS and the like drive adoption of DLP among a wide range of organizations. These compliances lay down the regulations for securing personally identifiable information — PII and other sensitive data. If breached, organizations can face legal fines, in addition to reputational damage and the loss of customers and business.

Today's organizations wrangle with large amounts of sensitive customer data such as names, email addresses, medical and financial records, biometrics and other information that could cause them harm if obtained by malicious actors. Adopting a DLP policy and solution that monitors and controls access and engagement with such data is the first step towards not only compliance but also PII protection. After all, legal fines shouldn't be the only thing urging organizations to protect their customers.

Intellectual property

The protection of personally identifiable information and customer data might be mandated by law, but organizations have other data that needs protection too. Intellectual property (IP), trade secrets, business strategies, proprietary data, development pipelines and plans are all highly sensitive and often directly targeted by cyber criminals. Implementing a DLP solution and policy can help keep this data safe.

Data visibility

In order to protect something, you must have knowledge of its existence, its location, who has access to it and how and why it's being used. The same goes for data, and as mentioned, the data and digital assets organizations possess is growing, making full visibility into it more and more difficult. DLP solutions enhance this visibility, allowing organizations to spot insider threats and unauthorized access before any data is compromised.

Best practices for implementing data loss prevention

If you weren't already, we don't doubt that you're on the DLP bandwagon by now. However, before you adopt a DLP policy and implement a DLP solution, there are still a few best practices to observe that will optimize your use of it.

To choose the right solution for your particular organization, you need to know what it is you're protecting: is it IP or PII? Are you trying to gain visibility into your data, or to meet regulatory compliance? Once you know the main use case for a DLP, you'll more easily determine the type of DLP you'll need. Then you can move on to implementation.

Here are four key best practices for DLP implementation.

Data classification

Another step that precedes the implementation of a DLP solution is data classification. An organization should maintain visibility into all the sensitive data it owns, including how that data is transferred across the network and from one system to another, everyone who has access to it, and why it should be documented. Different types of sensitive data — PII, IP and the like should be labeled and classified separately, and all data exit points and data movement need to be monitored to spot any unauthorized access or transfer.

Executive buy-in

Data loss prevention policies and tools need to have buy-in from executives (such as the CFO and CEO) to secure the budget and resources needed for its implementation. A good way to do this is to show how DLP addresses some of the organization's main information security issues, even citing real-world data breach examples that could've been stopped with DLP.

Pinpoint your organization's security needs and bring forward a DLP solution that would meet those needs. Consider the type of DLP solution, whether it should be managed or you have the manpower to handle it, the scope of the solution, and other critical factors.

Define metrics for success

To ensure the success of your DLP policies and spot any areas needing improvement, key metrics should be determined. DLP is a continuous process, and as such should be evaluated to determine its positive outcome on an organization's security posture as well as the value it holds for the business.

Some of these metrics include:

  • Unmanaged devices, databases and data on a network: Usually, anything higher than a zero when it comes to unmanaged assets and devices indicates that your DLP policy needs work and is not performing as it should. No piece of sensitive data should be left unmonitored.
  • Faster alert response: If a DLP solution is working properly in your environment and is well-integrated with existing solutions and procedures, and your security team, there should be a noticeable decrease in response time to DLP alerts.
  • Decreased false positives: While in an ideal world security solutions would yield no false positives, that is often not the case. DLP is no different. A good indicator of a well-rounded DLP policy with a DLP tool that efficiently filters irrelevant alerts is a lower number of false positives.
  • Data classification success: One of the key pillars of DLP is data classification (coincidentally, also the first step in its implementation). A good DLP solution should be able to classify sensitive data automatically, so measuring the percentage of wrong classification will help determine how much you can "trust" your DLP solution to protect critical data.

DLP is not the be-all end-all

Okay so, you've started using a DLP solution and defined DLP policies. You're done now, right? Not in the slightest. We mentioned that DLP is a continuous process, and for it to do what it's truly supposed to— prevent data loss — it needs to be worked on continuously and improved. Your data, network, systems and users change constantly and DLP should evolve along with it, allowing you to achieve that main objective. Also, DLP shouldn't be the last man standing when it comes to information security; it's an accessory to existing security solutions and shouldn't be treated as a be-all end-all.


Safeguarding critical and sensitive data should be one of your most important security and business objectives as cyber criminals are always looking for ways to gain unauthorized access to steal it. Having a DLP solution and policies in place is a significant step in the right direction toward knowing what you need to protect and monitoring it for unauthorized access, to prevent data corruption and unwanted transfer.

While it might have been called obsolete in the past, DLP has withstood the test of time. It continues to be an important method of preventing data breaches.

Sara Jelen Blog Author

Sara believes the human element is often at the core of all cybersecurity issues. It’s this perspective that brings a refreshing voice to the SecurityTrails team. Her ability to bridge cognitive/social motivators and how they impact the cybersecurity industry is always enlightening.

Subscribe to the SecurityTrails newsletter
Sign up for our newsletter today!

Get the best cybersec research, news, tools,
and interviews with industry leaders