
Data loss prevention, security, and best practices

Nov 12, 2020


A whopping 15.1 billion records were exposed in 2019, costing companies lawsuits, lost revenue, and damaged reputations. Cyberattacks are not the main culprit, though: many incidents originate inside organizations. Whether it is a simple human error or intentional wrongdoing, it can cost millions.

Data loss prevention is a complex process, but it will mitigate the risk of finding yourself in the middle of a crisis without a clear survival plan.

What is data loss prevention (DLP)?

Data loss prevention is a set of tools and methods to ensure that your company’s data is not lost, misused, altered, or accessed by third parties. It encompasses both risk management software (firewalls, antivirus software, intrusion detection systems) and employees’ cyber hygiene.

Data loss prevention monitors data:

  • in use;
  • in transit;
  • at rest in your data storage;
  • on computers, smartphones, and other devices.

Companies are subject to data protection laws, such as the GDPR (General Data Protection Regulation) in the EU or HIPAA (Health Insurance Portability and Accountability Act) in the US. Businesses failing to comply with data regulations might face penalties.

In 2018, British Airways suffered a data breach that exposed sensitive information of 500,000 customers, including names, emails, credit card numbers, CVV codes, and expiration dates. After two years of legal battles, the Information Commissioner’s Office fined the airline £20 million.

We also recommend learning about local encryption laws as some countries are trying to tighten them.

Why is data loss prevention important?

Reputation. A single data breach could destroy your reputation and, with it, your business. The consequences of lost data could haunt you for years, especially since articles about breaches are available online forever. If a customer leaves your company because of poor data security, it might be very hard to convince them to come back. While reputation is difficult to monetize, it's the most valuable asset your business has.

Liability. Your customers put their trust in you. If you’re an online retailer collecting their credit card details, names, and addresses, people expect you to keep that information safe. It’s not the fines that should force you to take security seriously, but the obligation you owe to your customers.

Financial loss. An average data breach could cost a company up to $3.86 million. However, in some countries, the expenses could be much greater. For example, the US tops the list, with $8.64 million. The severity of the financial implications depends on the company's size, the scale of the breach, and how quickly it was detected. In the worst-case scenario, considerable expenses could lead to bankruptcy.

Lawsuits. While it’s important to comply with data regulation laws, it's not only authorities you have to worry about, as customers can also sue you for losing their data. Lawsuits cost time and money — for smaller companies this might be an unbearable burden.

How does data get lost?

There are thousands of ways you can lose data, from computer viruses to insider threats. As an organization, you’re more vulnerable than you think. Let’s explore how your data can get lost.

Insider threat

Unethical employees, business associates, contractors, or former colleagues can be even more dangerous than hackers. They’re already inside your company’s network, so they know your secrets and where to find them.

In 2020, Shopify, an e-commerce platform, revealed that two members of their customer support team obtained the personal information of 200 merchants. The stolen data included names, emails, addresses, and order details. Shopify was lucky to catch the perpetrators before they used customers’ information, but you can imagine the scale of this breach had they not been stopped.

Estimates suggest that 48% of all insider incidents are intended to cause harm, while 43% are accidental.

Human error

Even tech-savvy employees make mistakes, and no company is immune to human error. People can accidentally delete files, connect an infected flash drive to a computer, share credentials with hackers, or fall victim to social engineering. Even a spilled cup of coffee can destroy hardware with important files.

In 2015, a clinic in London was fined £180,000 after leaking the details of almost 800 patients who had visited HIV clinics. The leak was caused by a simple mistake: instead of adding email addresses to the “BCC” field, an employee added them to the “TO” field. As a result, everyone on the list could see the full names and emails of other recipients.
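The BCC mistake above is a textbook outbound-mail data leak, and it is the kind of thing a small automated check can catch before the message leaves. The following is an added example, not code from the original article or from NordLocker: an outbound-mail guard that counts the external addresses every recipient will be able to see (To and Cc; Bcc is stripped in transit) and refuses the message when a bulk mailing exposes them. The internal domain, the threshold and the two sample messages are constructed for this example.

```python
"""Outbound-mail recipient exposure check (added example; all names constructed)."""
from __future__ import annotations

from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "example-clinic.test"  # assumption: the sending organization's own domain


def visible_external_recipients(msg: EmailMessage) -> list[str]:
    """Return addresses outside the organization that every recipient can see.

    Only the To and Cc headers reach the recipients; the mail server removes Bcc.
    """
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    external = []
    for _name, addr in pairs:
        domain = addr.rpartition("@")[2].lower()
        if addr and domain != INTERNAL_DOMAIN:
            external.append(addr.lower())
    return external


def check_recipient_exposure(msg: EmailMessage, max_visible: int = 1) -> bool:
    """True if the message is safe to send: no more than `max_visible` external
    addresses are exposed in To/Cc. A mailing to many outside people must carry
    them in Bcc (or go out as individual messages) instead."""
    return len(visible_external_recipients(msg)) <= max_visible


def build_bulk_message(sender: str, recipients: list[str], subject: str, body: str) -> EmailMessage:
    """Build a bulk message the safe way: the sender in To, everyone else in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # recipients see only the sender's own address
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def sample_messages() -> dict[str, EmailMessage]:
    """Two constructed messages: the mistake from the incident and its safe form."""
    sender = "newsletter@" + INTERNAL_DOMAIN
    patients = ["p1@mail.test", "p2@mail.test", "p3@mail.test"]  # constructed addresses
    mistaken = EmailMessage()
    mistaken["From"] = sender
    mistaken["To"] = ", ".join(patients)  # every recipient sees the whole list
    mistaken["Subject"] = "Clinic newsletter"
    mistaken.set_content("Newsletter body.")
    safe = build_bulk_message(sender, patients, "Clinic newsletter", "Newsletter body.")
    return {"mistaken": mistaken, "safe": safe}


if __name__ == "__main__":
    for label, msg in sample_messages().items():
        exposed = visible_external_recipients(msg)
        verdict = "OK" if check_recipient_exposure(msg) else "BLOCKED"
        print(f"{label}: {verdict}, visible external recipients: {exposed}")
```

Such a check belongs at the point where mail is handed to the server (a submission hook or a sending script), because a rule that lives in a policy document is exactly what the employee in the incident forgot.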

Natural disasters

Fires, floods, hurricanes, earthquakes, or even a fallen tree can destroy your servers and cause data loss. Natural disasters strike when you least expect them, and there’s nothing you can do about that. With the changing climate, the number of affected organizations will also grow.

Natural disasters hit smaller companies the most. Up to 60% of those never reopen after a major catastrophe.

Hackers

Ransomware attacks increased by 41% in 2019, and 205,000 organizations were locked out of their files. Unless you pay the ransom, your data could be lost forever. And even if you do pay, you can never be sure that the attackers will decrypt the information.

Perpetrators are getting better at impersonating institutions, your coworkers, or even well-known brands. Companies now receive phishing emails daily, and opening one can lead to anything from malware being installed on your computer to completely losing control of your data.

Technical problems

Broken hardware, a misconfigured database, or outdated software might cause you all kinds of problems. Technical issues affect smaller companies more severely than enterprises, as the former rarely have dedicated IT administrators who can solve problems as soon as they occur.

Data loss prevention: best practices

Educate your employees

Every member of the company has to know the security risks and how to handle them. Regular employee training is strongly recommended to remind them about common social engineering tactics, the importance of strong passwords, and software updates.

It takes only one person to compromise the data of the entire organization. But you can avoid that with proper training.

Encrypt data

Your data is never safe unless it’s encrypted. Even if your sensitive files end up in the wrong hands, nobody will be able to read them without the key.

NordLocker is an easy-to-use app that allows you to encrypt any type of data and securely store it on your computer or in the cloud. You can securely share your encrypted files with coworkers without worrying about the data being intercepted while in motion or ending up in the wrong mailbox.

Every new user gets 3GB of free storage in the NordLocker cloud.

Monitor your company’s network

Employees should have access only to the resources they need to perform their tasks. It’s also important to keep logs in case there’s an incident. The network should be monitored at all times to detect and eliminate threats as soon as they emerge. This includes alerts about any suspicious activity, overloaded servers, or unexpected network connections.
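The two ideas in this section, least-privilege access and keeping logs you actually review, meet in a routine log check. The following is an added example, not code from the original article: the roles, entitlements, threshold and log lines are all constructed. It compares every logged access with what the user’s role entitles them to, and it also watches per-user volume, so an unusual bulk read raises an alert even when each single read was permitted (which is how the Shopify case described earlier would look in a log).

```python
"""Access-log review against least-privilege entitlements (added example; all data constructed)."""
from collections import Counter
import re

# Assumed role model: which resources each role may touch.
ROLE_ENTITLEMENTS = {
    "support": {"orders", "tickets"},
    "finance": {"orders", "invoices", "payroll"},
}
USER_ROLES = {"ana": "support", "ben": "support", "cy": "finance"}
BULK_THRESHOLD = 50  # reads of one resource by one user within the log window

# Assumed log format: "<timestamp> user=<u> action=<a> resource=<r> id=<id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\w+) action=(?P<action>\w+) resource=(?P<res>\w+) id=(?P<id>\w+)$"
)


def parse(line: str):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review(lines):
    """Return (kind, detail) alerts for out-of-role access, bulk reads and unparseable lines."""
    alerts = []
    reads = Counter()
    for line in lines:
        ev = parse(line)
        if ev is None:
            # A log you cannot parse is a log you are not really reviewing.
            alerts.append(("unparseable", line.strip()))
            continue
        role = USER_ROLES.get(ev["user"])
        allowed = ROLE_ENTITLEMENTS.get(role, set())
        if ev["res"] not in allowed:
            alerts.append((
                "out_of_role",
                f'{ev["user"]} ({role}) {ev["action"]} {ev["res"]}/{ev["id"]} at {ev["ts"]}',
            ))
        if ev["action"] == "read":
            reads[(ev["user"], ev["res"])] += 1
    for (user, res), n in reads.items():
        if n > BULK_THRESHOLD:
            alerts.append(("bulk_read", f"{user} read {n} {res} records"))
    return alerts


# Constructed sample: one normal read, a 60-record bulk read by a support agent,
# a support agent reaching into payroll, a legitimate finance read, and a corrupt line.
SAMPLE_LOG = (
    ["2020-11-12T09:00:01Z user=ana action=read resource=tickets id=T1"]
    + [f"2020-11-12T09:10:{i % 60:02d}Z user=ben action=read resource=orders id=O{i}" for i in range(60)]
    + [
        "2020-11-12T09:30:00Z user=ana action=read resource=payroll id=P7",
        "2020-11-12T09:31:00Z user=cy action=read resource=payroll id=P7",
        "garbage line",
    ]
)

if __name__ == "__main__":
    for kind, detail in review(SAMPLE_LOG):
        print(f"ALERT {kind}: {detail}")
```

The volume check is the one most teams forget: an entitlement model only says what a user may read, not how much, and an insider exporting records one by one is within policy on every single line.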

Identify sensitive data

Some data is more valuable than other data (our “What is sensitive data?” article will explain this in detail). Get rid of any data you don’t need — it’s no use storing records that are no longer relevant.
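Identifying sensitive data at scale means scanning content for patterns and deciding what each hit implies, which is the core of any DLP tool. The following is an added example, not code from the original article or NordLocker: a small classifier that finds e-mail addresses, 16-digit payment card numbers (validated with the Luhn checksum, so random digit runs are not reported), and US-style SSNs, assigns a handling label, and masks card numbers before text is stored or shared. The sample text is constructed; the card number is a widely used test number, not a real account.

```python
"""Sensitive-data discovery scan (added example; sample input constructed)."""
from __future__ import annotations

import re

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")   # 16 digits, optionally grouped
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates plausible card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> dict[str, list[str]]:
    """Return every sensitive item found, grouped by type."""
    findings: dict[str, list[str]] = {"email": [], "card": [], "ssn": []}
    findings["email"] = EMAIL_RE.findall(text)
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):           # drop order numbers and other 16-digit noise
            findings["card"].append(digits)
    findings["ssn"] = SSN_RE.findall(text)
    return findings


def classify(text: str) -> str:
    """Assumed three-level handling scheme: restricted > internal > public."""
    f = scan(text)
    if f["card"] or f["ssn"]:
        return "restricted"
    if f["email"]:
        return "internal"
    return "public"


def redact(text: str) -> str:
    """Mask valid card numbers down to their last four digits; leave other digits alone."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return "**** **** **** " + digits[-4:] if luhn_ok(digits) else m.group()
    return CARD_RE.sub(mask, text)


# Constructed sample record, as it might sit in an old support ticket.
SAMPLE = (
    "Order 1042: jane.doe@mail.test paid with 4111 1111 1111 1111, exp 12/24. "
    "Internal ref 1234 5678 9012 3456. Customer SSN 123-45-6789 on file."
)

if __name__ == "__main__":
    print(scan(SAMPLE))
    print(classify(SAMPLE))
    print(redact(SAMPLE))
```

The Luhn step is what keeps such a scanner usable: without it, every 16-digit order or reference number becomes a false positive, and staff stop reading the alerts. Records that classify as restricted and have no retention reason are the ones the section above says to get rid of.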

Regularly conduct penetration tests

Rather than waiting for cyberattacks to happen, you can test your system and imitate an actual attack. This way, you can find out whether your company’s DLP processes are good enough and identify the weak points. Prevention is about being one step ahead, and penetration testing is crucial for data loss prevention.

Don’t trust your vendors

When you purchase data loss prevention software, ask as many questions as possible. You need to find out how the vendor is handling your data, who’s responsible, and what measures they are taking to enhance your security.

Data loss prevention is a shared responsibility between the company, its employees, the software vendors, and partners. If one party fails to do its job, it can compromise the whole organization. With the right tools and attitude, you can keep a single incident from taking your business down with it.


Elisa Armstrong


Elisa’s all about languages. She speaks five, loves stand-up comedy, and is writing her first novel. Besides her extensive knowledge of cybersecurity, she’s an expert in persuasion techniques hackers use and strives to teach people how to avoid online scams.