What Is DLP?

DLP, or Data Loss Prevention, is a cybersecurity solution that detects and prevents data breaches. Since it blocks extraction of sensitive data, organizations use it for internal security and compliance with regulations like HIPAA.

As cyber threats continue to increase in sophistication and volume, it is vital for organizations to be proactive in countering them. Data Loss Prevention (DLP) enables businesses to detect data loss, as well as prevent the illicit transfer of data outside the organization and the unwanted destruction of sensitive or personally identifiable data (PII). It is also used to help organizations with data security and ensure they comply with regulations like the California Consumer Privacy Act (CCPA), EU General Data Protection Regulation (GDPR), and Health Insurance Portability and Accountability Act (HIPAA).

The terms "data loss" and "data leakage prevention" are often used interchangeably, but DLP security enables organizations to defend themselves against both. DLP allows businesses to:

  1. Identify sensitive information across multiple on-premises and cloud-based systems
  2. Prevent the accidental sharing of sensitive data
  3. Monitor and protect sensitive information
  4. Educate users on how to stay compliant

Why You Need DLP

The threat of data breaches—incidents where confidential, protected, or sensitive data is stolen, used, or viewed by an unauthorized individual—has rapidly increased as the world became more digital. There were more than 3,800 breaches in the first half of 2019 alone. DLP is a crucial tool in helping businesses protect their data.

Personally Identifiable Information (PII)

PII is data that could potentially identify an individual or distinguish them from another person. This includes end-users’ email addresses, mailing addresses, and Social Security numbers, as well as IP addresses, login IDs, social media posts, and biometric and geolocation information. There are stringent regulations in place to protect PII, such as GDPR, that grant people more rights around how companies handle their data and impose heavy fines for noncompliance and data breaches.

DLP security enables businesses to classify, identify, and tag sensitive data and monitor activities and events surrounding it. It also provides the reporting capabilities that let organizations complete compliance audits.

Intellectual Property (IP)

Intellectual property is highly sensitive data, such as trade or state secrets, that could cause considerable financial and reputational risk if lost or stolen. This information is important to businesses and highly lucrative to hackers who will go to extra lengths to steal it.

DLP security uses context-based classification that can categorize data considered as IP in structured and unstructured forms. Businesses can put policies and controls in place to provide extra protection against this type of data.

HIPAA Compliance

HIPAA places extensive data security requirements on all businesses that have access to, process, and store any protected health information. HIPAA defines guidelines, policies, and procedures for maintaining the privacy and security of individually identifiable health information. It also outlines offenses and civil and criminal penalties for failing to protect this data.

Like GDPR, DLP is vital for organizations that need to comply with HIPAA. It allows them to identify, classify, and tag data that is covered by the HIPAA regulation and ensure end-users are protected.

How DLP Works

DLP systems protect businesses’ data by identifying sensitive information, then using deep content analysis to detect and prevent potential data leaks. This content analysis uses methods like keyword matches, regular expressions, and internal functions to recognize content that matches a company’s DLP policy. As a result, businesses can identify, monitor, and automatically prevent the theft or exposure of sensitive information such as credit card numbers and PII.

Define Sensitive Data

The first step in deploying DLP is for businesses to define the sensitive data they want to protect and build a DLP policy around. This could be credit card details, email addresses, and Social Security numbers, or simply a list of names in a spreadsheet. 

A DLP policy contains: 

  1. Locations and systems where data needs to be protected
  2. When and how to protect data
  3. Rules that define sensitive data and actions when a security risk is discovered
  4. Conditions that assign different actions to different risk levels

Take a Proactive Approach

Simply having a DLP solution in place is not enough to keep attackers at bay. Businesses need to monitor user activity and protect sensitive data when it is at rest, in use, and in motion. 

  1. Data in motion: Also referred to as data in transit, this is data that is actively moving from one location to another, either over the internet, between networks, from a local storage device to the cloud, or through a private network. Data can often be less secure while in motion, so it is vital to have effective data protection measures in place.
  2. Data in use: Data that is currently being accessed, erased, processed, updated, or read by a system is considered in use. This includes information that is stored or processed in databases, CPUs, or RAM, such as a user requesting access to transaction history in their online banking account. 
  3. Data at rest: This is data that is not actively moving between devices or networks and is archived or stored on a device or hard drive. Data at rest is considered less vulnerable than data in motion, but it can be considered a more valuable target by hackers. It is therefore important to have security measures in place to prevent cybercriminals from gaining access to it.

Detect and Respond in Real-Time

DLP uses several methods to detect sensitive data, but the most common is regular expression pattern. This analyzes content for common patterns, such as 16-digit credit card numbers or nine-digit Social Security numbers, alongside indicators like the proximity of certain keywords. 

For example, a Visa credit card has 16 digits, but not every 16-digit number will be a credit card number. So DLP performs a checksum calculation to confirm whether the numbers match the patterns of credit card brands. It also looks for the existence of keywords like "VISA" or "AMEX" in proximity to dates that could be a credit card expiration date to decide whether sensitive information is at risk.

When a violation is discovered, DLP remediates it by sending alerts, encrypting data, and other actions that prevent users from accidentally or maliciously sharing sensitive information. It also provides reports that enables businesses to meet compliance and auditing requirements, as well as identify areas of weakness.

Solutions like security information and event management (SIEM) and intrusion prevention system (IPS) also offer similar functions that help businesses to identify suspicious movement and alert IT teams of a potential breach.

Types of Data Threats

Cybercriminals deploy a wide range of hacking methods that range in simplicity and sophistication. Common types of data threats include:


Extrusion is the act of cybercriminals targeting and attempting to steal sensitive data. They try to penetrate businesses’ security perimeters using techniques like code injection, malware, and phishing to gain access to and steal sensitive data. 

WannaCry was dubbed the biggest malware attack in history after it infected 230,000 computers in 150 countries in May 2017. Attackers targeted a vulnerability in older versions of Windows, then encrypted files and demanded a ransom fee in exchange for unlocking them.

Insider Threats

An insider threat is a data breach that comes from within an organization. The malicious insider could be a current or former employee, a contractor, or business associate that has sensitive data or information about the organization’s security practices and systems. The insider either abuses their own permissions or compromises the account of a user with higher privileges and attempts to move sensitive data outside the organization. 

In 2016, UK technology firm Sage was the victim of an insider threat breach after an employee used an internal login to access the data of between 200 and 300 customers without permission. The breach was relatively small and it has not been revealed what data was affected, but the impact of the attack was proven by Sage’s shares falling by 4% in the aftermath.

The credit card data breach of Target in 2013 is a good example of the financial and reputational risk of insider threat attacks. The attack, which impacted 41 million consumers and cost Target $18.5 million, was caused by a third-party vendor taking critical systems credentials outside of a secure use case. This enabled hackers to exploit a vulnerability in Target’s payment systems, gain access to its customer database, install malware, and steal customers’ PII.

DLP can prevent such risks by providing businesses with comprehensive visibility of file transactions and user activity across their IT environment. It enables businesses to keep files for as long as is required to protect data and compliance requirements, even when an employee has left the organization. DLP also allows file recovery capabilities that enable organizations to recover from malicious or accidental data loss.

Unintended Exposure

Data breaches can also be caused by unintended or negligent data exposure. This typically occurs as a result of inadequate employee data procedures, in which employees either lose sensitive information or provide open access to their account or data. It can also be caused by businesses not putting appropriate access restrictions in place on organizational policies.

A breach of cybersecurity firm RSA in 2011 compromised 40 million employee records after users clicked on emails sent from targeted phishing attacks. The attack came from two hacker groups within a foreign government pretending to be trusted colleagues. When employees clicked on the emails, the hackers gained access to systems and compromised SecurID authentication tokens. 

DLP’s content analysis engine enables businesses to identify when PII and other sensitive information are potentially at risk of being shared externally. They can then take action by logging the event for auditing, displaying a warning to the employee that could unintentionally be sharing the information, or actively blocking the email or file from being shared.

DLP Security

A good DLP product is vital for businesses, with data volumes exploding to exponential levels and cybercriminals deploying increasingly sophisticated attack methods. It is crucial to ensure that business-critical, sensitive data is secure at all times, no matter where it is located.

FortiGate is a comprehensive security product that provides DLP, as well as next-generation firewall (NGFW)SD-WAN, and more. It furnishes businesses with everything they need to keep their data and users secure and prevent costly data loss incidents. Discover how Fortinet can keep your business secure. Protect Your Data with FortiGate NGFWs.