Data Loss Prevention (DLP) is a set of security strategies and technologies that organisations use to prevent the loss of sensitive data. In this article we will take a closer look and what causes it and how we can protect against it, particularly in Google Workspace.
What can cause data loss?
Data loss can occur for a variety of reasons, including:
- Human error: This can include employees accidentally deleting or emailing sensitive data to the wrong person.
- Malicious attacks: This can include hackers stealing confidential information and sensitive content from organisations’ computer systems. A well-protected Google Workspace instance is very difficult to attack.
- Hardware failures: Although not particularly common, devices can fail and data stored on your hard drive can be irretrievably lost. Cloud storage options. even as simple as storing your files on Google Drive, have an undeniable advantage over hard drives.
- Natural disasters: By far the least frequent cause of data loss, but also the most difficult (or impossible) to prevent. This includes floods, fires, and earthquakes destroying data centres and other storage facilities.
What are the consequences of data loss?
I don’t think anyone needs convincing that losing data is a bad thing. But unlike forgetting a password and having to reset it, companies are in charge of more sensitive content and its loss can be far more costly. Data loss can have a significant impact on organisations, including:
- Financial losses: This can include the cost of replacing lost data (if it is even replaceable), as well as the cost of fines or penalties for violating data protection laws.
- Regulatory fines: Compliance rules may be quite strict when it comes to e.g. personally identifiable information and how to prevent data leaks.Organisations that fail to safeguard sensitive data may be subject to fines from government regulators.
- Damage to reputation: If sensitive data is leaked, it can damage an organisation’s reputation. It takes a long time to rebuild trust with your customers and partners.
- Loss of competitive advantage: Sensitive data can give organisations a competitive advantage. If that data is lost, it can give competitors an edge.
Data Loss Prevention strategies
Organisations can implement a variety of DLP strategies to protect their data, including:
- Data encryption: this involves scrambling data so that it cannot be read by someone unauthorised.
- Access controls: This involves restricting access to sensitive data to authorised individuals only.
- Data loss prevention software: you can use it to monitor and control how data is accessed, used, and shared.
- Employee training: employees should have sufficient knowledge on how to store and safeguard sensitive information.
- Security audits: Organisations should regularly audit their security systems and procedures to identify and fix vulnerabilities. If you want to make sure your company data is 100% secure, you can order a professional audit where our security experts check for 150 risk points in your Workspace instances.
Top 6 security tips for everyday users
There is also a lot you can do yourself to keep your data safe. Here are some tips:
- Updates – Keep your software up to date. This includes operating systems, applications, and security software. Outdated software can have vulnerabilities that are easy to exploit.
- Passwords – Use strong passwords and change them regularly. Strong passwords are difficult to guess and users should change them at least every 90 days.
- Caution and common sense – Be careful about what you click on in emails. Phishing emails can trick users into clicking on malicious links or attachments. If you receive an email from someone you don’t know, don’t click on any links or open any attachments.
- Security software – You can also use a firewall and antivirus software. A firewall can help to prevent unauthorised access to your computer, and antivirus software can help to shield your computer from malware. Alternatively, you can install an operating system with built-in protections against viruses, ransomware, and phishing, like Chrome OS.
- Back-ups – It goes without saying that regardless of your security measures, data needs to be backed up regularly. This will help you to recover if your data.
- Education – Almost all security incidents carry a human component. Which is a polite way to say that it is usually a human error that leads to data loss. You need to educate your employees about data security. Your employees should be aware of the risks of data loss and how to protect sensitive data.
What are Data Loss Prevention rules?
Even with all the common sense safeguards in place, you still need to protect confidential information across your Google Workspace instance. By applying Data Loss Prevention (DLP), you can create and enforce content control rules that dictate what users can share in files outside the organisation. DLP provides control over what users can share and prevents unintentional disclosure of sensitive information (e.g., credit card numbers, personal identification numbers).
Google has made over 100 security rules available within its Data Loss Prevention policy that developers can easily deploy. “For instance, these rules can detect personal identity numbers or credit card numbers as sensitive data and therefore prevent infringing upon the regulation in the country or region,” explains Maciej Wojnarowicz, Support Specialist at FOTC.
He also pointed to the fact that many organisations have outdated access policies, a fact that becomes obvious during security audits. “Sometimes we perform an audit and discover that 14 out of 15 admins have super admin privileges. Such settings are dangerous and they need changing,” Maciej said.
First steps with DLP
In order to set up a DLP rule you need super administrator privileges. This is one of the reasons why the super admin role is very powerful. It needs to be reserved only for the select few trusted tech experts. Find out more more about the admin role in Google Workspace.
In the administrative console for packages that have the DLP feature, statistics related to data protection on Drive are available. These statistics include information about the types of data (from predefined templates) detected in existing files, the quantity of such files and how many of them are shared.
Based on these results, administrators receive recommendations in the console for ready-made rules that can help control what happens with such files, such as blocking their sharing or sending notifications. These suggested rules can be further edited to better suit the organisation’s needs.
DLP use cases
A super admin can configure DLP rules to:
- verify how the existing sensitive content in Drive is used;
- warn users when they attempt to share confidential content outside the domain;
- prevent sharing of sensitive data with external users;
- alert admins about DLP violations;
- investigate incident details using rule violation information to prevent data loss in the future.
How DLP rules work
Defining DLP rules involves specifying which content is confidential and requires protection (this applies to My Drive and shared drives).
Google has a long list of predefined types of information that can be scanned for and flagged as sensitive. For instance, for the UK, the list encompasses:
- Taxpayer Identification Number
- Driver’s License Number
- National Health Service (NHS) Number
- National Insurance Number (NINO)
- Scotland Community Health Index Number (CHI number)
DLP rules apply across different document file types, both to data on Google Drive as well as messages sent via Gmail and chat. With OCR functionality, DLP can also be applied to images and pictures. So it’s not just Docs, Sheets and Slides that will be scanned by DLP rules. The protection will extend to compressed file types and even custom file types, except for video and audio.
The DLP feature scans content for instances of DLP rule violations, triggering DLP incidents. When DLP scans reveal rule violations, the system initiates actions such as alerts in the admin console.
In addition to reviewing suggested Drive rules, it’s essential to create DLP rules for Gmail and Chat as well. This will help secure company data from leaks through email or chat messages.
Apart from predefined templates that allow for the detection of pre-defined data types like phone numbers, bank account numbers, or legal documents, admins are provided with tools to create their own patterns for detection. For this purpose, regular expressions, word lists, text strings, and their combinations can be utilised. If you want to find out more about it, take advantage of our ever expanding list of webinars available for free in our Knowledge Base.