With changing work habits and the shift to hybrid work environments, regulations are being updated to reflect new risks. Ann Keene, Regional Director UK & Ireland at Kingston Technology, discusses how CIOs can implement a robust DLP strategy deployable at all levels with continuous improvements and timely measurements.
Most enterprise CIOs will have a data loss prevention strategy in place, and this may now include extending security perimeters to allow for hybrid working practices. Some are choosing to ‘air gap’ data by using USB drives to transport sensitive documents when employees are working remotely. The problem with this approach, however, is that it puts data at risk of a cyberattack or theft unless the devices are encrypted.
With data breaches on the rise, adopting a data loss prevention (DLP) strategy has never been more important. Some of the biggest breaches in recent years have involved well-known names, such as LinkedIn, which in 2021 had data associated with 700 million users posted for sale on a Dark Web forum. Others have been more potentially dangerous from a personal perspective, like the University of Manchester/NHS breach in 2023 which compromised the data of 1.1 million NHS patients.
For most organisations, the loss of data relates not just to the challenges of managing customer relationships when trust has been eroded and the brand is damaged, but the hefty regulatory fines and negative commercial impact that a breach can trigger. According to the 2024 Cost of a Data Breach Report published by IBM, UK organisations paid on average £3.53 million for data breach incidents, an increase on the previous year of £320,000.
The importance of prevention
Minimising the risk of a data breach is a daily challenge for CIOs and their teams, and prevention remains the best approach. By integrating processes and security tools, companies can erect barriers to stop unauthorised data access, preventing it from being stolen or lost due to human error.
But, it is not just the responsibility of the CIO to implement and oversee best practices. Data security must be a company-wide effort which is adopted at every level. Among the essential security tools in a DLP programme, strong encryption stands out as a key to ensuring data cannot be leaked.
However, cybercriminals can exploit any weaknesses in its implementation, making meticulous attention to detail vital for success.
Data loss prevention best practices
- Assessment: Start by carrying out an assessment of the data that the company holds. By separating the data into classifications dependent on its importance, this will help to prioritise the protection of the most critical data. One way of doing this is to classify it by context – such as the source app, the data store, or even the creator – which makes it easier to track.
- Getting the C-Suite on board: Although CIOs and their teams are primarily responsible for implementing DLP, the CISO, CFO and CEO must approve the budget and approach of the programme. Presenting a compelling case that highlights the advantages for individual business units, how assets and resources can be efficiently used and the ability to address challenges and minimise risks can secure senior advocacy and smooth implementation of DLP policies.
- Set out clear goals: CIOs must clearly define their DLP objectives, whether they involve straightforward prevention, meeting regulatory compliance, IP protection, or improved data visibility. By setting out key priorities the DLP programme is more likely to be both efficient and effective in the long term.
- Taking the right approach: A well-defined approach is crucial. If the organisation starts with a project-focused strategy on specific data types, for example, such as discovering and automating the classification of sensitive or critical data, this will help to ensure consistency across all departments.
- Guidance for employees: One of the biggest causes of data breaches and loss is human error. This is why internal guidance is essential for reducing accidental data loss by employees. Advanced DLP solutions offer user prompts that notify employees when certain data use violates company or regulatory policies or when their activity is risky, such as forwarding business emails outside the corporate network or uploading critical files to unauthorised cloud services.
- Monitoring data: Understanding how data is used within the organisation is essential for CIOs. Monitoring data in motion helps identify risky behaviour, especially concerning sensitive files. In a hybrid working environment, data is vulnerable during transit, when used on unprotected endpoints, or unsecured public Wi-Fi – a DLP programme must account for and address these increased risks.
- Establishing KPIs: Metrics are vital for measuring the success of any strategic programme. Establish DLP KPIs in advance with support from the entire company. Regularly assessing these KPIs will allow for enhancements and provide an opportunity to demonstrate the value of the DLP programme.
- Investing in the right tools: Preventing data loss means specifying and using the right tools and a great way to do this without affecting existing workflows is by investing in hardware-encrypted storage. Available in various models to suit organisations of all sizes, these drives are important in strengthening defences and bolstering DLP programmes.
Growing with the evolution of data
As the amount of data grows and attack surfaces expand, DLP is evolving to include managed services, cloud storage, functionality behaviour analysis, insider threat protection and advanced threat protection. With changing work habits and the shift to hybrid work environments, regulations are being updated to reflect new risks. As a result, the need for personal information protection, compliance, IP protection and data visibility – the three pillars of a DLP programme – becomes increasingly urgent. This means that data loss prevention has become a business-critical operation that falls into the CIO’s remit. Ensuring the success of a DLP programme requires ongoing commitment and constant adjustments as business processes and data change.
The secret behind effective DLP, therefore, is continuous improvements and timely measurements – taking a maintenance approach – designed to keep risks at bay. The ability of CIOs to demonstrate that DLP has mitigated data loss risks or resolved cyber incidents will provide valuable proof of its effectiveness.
