By Nate Lord, Digital Guardian, May 14, 2015

Due to their size, enterprises have many security issues to consider when establishing a comprehensive data security strategy. One security need that is especially critical for larger companies – because they typically have many employees and large volumes of sensitive data – is proper data leak prevention.

As a provider of data loss prevention solutions to many enterprise companies, we wanted to learn more about some of the most common (and avoidable) mistakes companies make when using data leak prevention tools. To do that, we asked a group of data security experts this question:

“What’s the biggest mistake companies make in purchasing and implementing data leak prevention tools?”

See what our experts had to say below:

Paul Hill is a Senior Consultant with SystemExperts, an IT compliance and network security consultancy.

The biggest mistakes that companies often make when purchasing and implementing data leak/loss prevention (DLP) fit into the following categories:

  • inadequate risk analysis prior to product selection
  • inadequate investment of time in configuration and tuning
  • failure to set expectations with business units
  • failure to work closely with business units when tuning the configuration

Selecting the right tool for an environment can be difficult. There are typically many potential egress routes for data. These may include removable media, email, instant messaging, ftp, web applications, and even paper copies.

The risks of each mechanism should be assessed to then determine which tool can best address the particular methods of egress that are deemed the most risky. Few, if any, tools will excel at DLP for all potential egress routes.

DLP tools can be disruptive to a business if not carefully configured and tuned. False positives can disrupt normal or essential business operations. To avoid this, many DLP tools default to a passive mode, simply recording potential leaks. This is done so that customers can tune the product to reduce or eliminate an excessive number of false positives before enabling prevention.

Unfortunately, in some organizations, the tool is bought, deployed, and its configuration is never adjusted. The tool quietly records detections, but it is never configured to prevent data leaks. In more than one case, an organization thinks it has prevented leaks, but is in fact only recording leaks.

DLP can be difficult to deploy successfully. It is not a matter of simply purchasing the product and turning it on. The team responsible for the operation of the DLP product will need to work closely with business units. It requires setting expectations and working with the business units to tune the system so that normal processes are not disrupted.

To read what the other experts say click here.