Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.
What is DLP?
Decades of digital technology transformation have given employees amazing powers. But with that power also comes the ability to send millions of dollars in just a few clicks, or share an entire customer database in a single emailed file. Today, your people are often the gatekeepers to your company’s most sensitive systems, IP and data.
Enter data loss prevention (DLP). Your DLP tools and strategy are critical to the safe running of your business. At its core, DLP aims to minimize the risk of confidential or business-critical data leaving an organization.
How much business-critical data do you handle?
Different people within your organization handle a variety of data types. Sales for example might have customer names and emails, whereas Finance would have staff payroll details. The product and dev team would probably have sensitive IP information, and roles like sales engineers and tech ops might handle your customers’ data. Regardless of the role though, it’s all information, it’s all valuable to you (and bad actors), and it can all be lost.
Take a moment to ask yourself if your business as a whole routinely handles any of the following:
- company IP
- credit card details
- medical records
- insurance details
- legal case notes
- sensitive financial data
- personally identifiable information (PII).
Chances are, if your business has customers or clients, you’re handling business-critical sensitive data.
Why email is your greatest DLP threat
Now let’s consider how data gets ‘lost’ in the first place… There are several ways, but nearly all of them come down to one thing: people make mistakes, either accidentally or on purpose.
Successful businesses are, by their very nature, porous. Information flows in and out at a near endless rate from staff, customers, prospects, suppliers, trade bodies, local authorities, and government.
While recent tools like Slack and Teams have eaten into email’s dominance of internal communication, the main method for external communication remains email, and it is the primary way that most firms conduct business today.
In fact, an Adobe Email Usage Study found that employees routinely spend 40% of their work time reading, writing and sending emails.
Let’s stop pretending there are different jobs. There’s only one job and it’s emails.
— Kate Helen Downey (@katehelendowney) July 13, 2021
How big is your problem? How big is your firm?
According to data from Tessian’s own platform, employees send nearly 400 emails a month. If your organization has 1000 employees, that’s 400,000 emails, or around 13,000 a day. And if you’re routinely handling and emailing sensitive data, each of those is a data breach waiting to happen.
We don’t want to fearmonger (because Fear, Uncertainty, and Doubt (FUD) doesn’t fudging work…) but it’s clear email remains your number one threat vector.
The big challenge is that people make around 35,000 decisions every single day; that’s 35,000 chances to make a mistake. In the context of email, that means not always identifying phishing emails correctly, and sometimes attaching the wrong file.
This is why, in 2021, an overwhelming 85% of data breaches involved human error.
Insider threats (and how to spot and stop them)
You can secure your perimeter against external attack, but what about the ones that come from ‘inside the house’? The fact is, people break the rules way more often than IT leaders think, both intentionally and accidentally.
Insider threats are an organization’s biggest hidden security problem.
With attention directed externally, internal issues are typically under-resourced and under-addressed. What’s more, unlike bad actors or state sponsored hackers, your staff have legitimate access to systems and data. That means they’re in an ideal position to exfiltrate data. You can see why for some companies, it’s a difficult conversation to have.
Yet our State of Data Loss Prevention report found that 45% of all employees download, save, send, or otherwise exfiltrate work related documents before leaving or after being dismissed from a job. So what can be done? Well firstly, you need to recognize what data exfiltration looks like.
There are two distinct types of insider threats, malicious (those that set out to deliberately cause harm) and negligent (those that cause harm by accident).
Spotting malicious insider threats
So how do you recognize if you have malicious or negligent staff within your organization? Well, there are several telltale signs. Malicious actors, for example, might display declining performance or other signs of dissatisfaction. They might start logging in at unusual hours, have multiple failed logins, or other abnormal login activity.
Spotting negligent insider threats
Negligent staff, meanwhile, might repeatedly fall for phishing attacks, or fail to comply with basic security policies, such as by consistently misdirecting emails or mis-attaching files. There could be several reasons for this, from burnout to boredom.
Remember also, that staff often have genuine reasons to send documents externally. Sending things like plane tickets, restaurant reservations, pay slips, and other digital ‘pocket litter’ home isn’t going to cripple your business – but it will generate false positives in your SEG.
Stopping Insider Threats
What’s critical in stopping these events is real-time oversight of when they happen. In the case of malicious intent, you need to know instantly when someone has attempted an exfiltration to prevent data loss. With negligent staff, on the other hand, it can help to have a build-up of data over time to inform your actions.
Exfiltration types and methods
The silver lining to this cloud is it isn’t all on you – it’s as much a people issue as a technology issue. As your organization’s cybersecurity leader, you need to work with your people team and other senior leaders on addressing this. Why? Because the costs of an insider threat breach are getting bigger.
The repercussions of a breach
Insider or external, a data breach can create significant fallout for your organization. First, there’s the financial cost. This isn’t a one-off fee – it can come in several forms.
There’s the loss of revenue in the turbulence as customers churn or take their business elsewhere. Then, depending on your sector, there are the increasing regulatory fines and legal actions. In the EU, GDPR has meant these costs have skyrocketed. Fines are particularly large in sectors like financial services and healthcare.
There’s also the time and resources you’ll spend dealing with a breach, not only the loss incurred by your own staff who have to now deal with this, but any external expertise you have to bring in to help repair or restore systems. But like an end-of-level boss in a video game, by far the biggest and most expensive repercussion is the reputational damage your organization suffers – this can last years.
When we asked security leaders what the biggest consequence of a breach is, here’s what they replied. See more at Why DLP Has Failed and What the Future Looks Like.
Every year, IBM publishes their Cost of a Data Breach report. You can get key findings from the 2021 version, as well as the report itself below, but the key findings regarding breach costs are:
- Data breach costs rose from $3.86 million to $4.24 million, the highest average total cost in the history of this report
- There was a 10% increase in the average total cost of a breach between 2020 and 2021. This was the largest single year cost increase in the last seven years.
- The average cost of a breach at organizations with 81-100% of employees working remotely was $5.54 million
The problems with legacy DLP
Early DLP solutions from the ‘00s were designed to filter bulk spam. Then Internet Service Providers, Secure Email Gateways, and antivirus software added pattern and keyword recognition to identify potentially threatening emails. And today’s DLP solutions added rules and a host of other technical measures… but they’re just not up to the job anymore.
Blocking domains: Particular domains, often ‘freemail’, are blocked. But there are plenty of legitimate reasons to send and receive emails from people with ‘freemail’ domains. Many small businesses and freelancers use Gmail, for example.
Blacklisting: Security teams create a list of non-authorized email addresses and simply block all emails sent to or received from them. This requires constant updating and is very time/resource intensive. It’s also reactive; you only know an address is bad after it has been associated with unauthorized communications.
Keywords: This method uses words and phrases to alert administrators of suspicious email activity. For example, IT and security teams can create rules to identify keywords like “social security numbers” or “bank account details”. But anyone trying to exfiltrate data can circumvent keyword tracking tools by sending the email and the attached data in an encrypted form.
Tagging Data: After classifying data, an organization may attempt to tag sensitive data, allowing administrators to track it as it moves within and outside of a network. The drawback here is that, again, this is time and resource intensive and relies on employees accurately identifying and tagging all sensitive data. Miss a tag, and data is misclassified or simply overlooked.
The challenge with all of the above is that they are based on rules. But human behavior can’t be predicted or controlled by rules, and humans often subvert, sidestep, or break the rules, even when they know they shouldn’t.
How to bend not break the rules
- 51% of staff say security tools and software impede their productivity at work
- 54% of staff say that if security software or policies make it difficult or prevent them from doing their job, they’ll find a workaround
But workarounds aren’t the only problem with rules…
Binary, rule-based DLP solutions offer blunt protection and limited visibility into complex human behavior and data movement. This leaves security leaders in the dark, trawling through logs of flagged and self-reported incidents after they’ve occurred.
There’s also the problem of false positives, and genuine, important emails are often buried in quarantine along with potentially harmful ones.
And with most risks to data security actually coming from within an organization, security teams have to classify and monitor data across hundreds – even thousands – of different entry and exit points of a corporate network.
The result is that legacy DLP has gotten way more expensive and complicated, and requires more and more administration and fire-fighting from InfoSec teams.
Is it time to re-think your DLP strategy?
It’s clear that traditional DLP can’t prevent all data loss.
This is where Tessian comes in.
Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises. It automatically detects accidental data loss, malicious exfiltration, and phishing attacks in real time, before sensitive data leaves your environment. Crucially, it doesn’t stop your employees from doing what they do best – their actual jobs – yet still provides you with clear visibility of threats.
Indeed, a recent Forrester Consulting report found that the security and risk leaders who have adopted Human Layer Security feel more prepared to face security and data loss incidents and to face a hybrid workforce than those who haven’t.
They believe their email security posture is extremely effective at alerting the organization to potential attacks/threats from users’ risky behaviors or poor security decisions. Meanwhile, those who don’t take a Human Layer approach feel less control over business disruptions.
We’re seeing more and more industry pioneers explore this option, layering a tool like Tessian on top of Microsoft 365’s native tools. We take a deep dive into this new approach in our recent webinar ‘DLP Blindspots: Next Gen DLP’.
Ultimately, you know what stage of the journey your organization is on. But if you need further resources to comprehensively compare Tessian’s Human Layer Security alongside legacy DLP, Microsoft 365 DLP capabilities, legacy file encryption, and network and Perimeter Security, we’ve covered all that in forensic detail in this white paper.
In it, you’ll learn the pros and cons of different email security solutions, and how they stack up against Human Layer Security. This will help you evaluate a solution that works for you, and that best protects sensitive data in your organization.
DLP and Microsoft 365
So what does a smart, fit-for-the-21st-century DLP solution look like? Well, many organizations are now retiring their SEGs in favor of a Microsoft 365 solution, with Tessian layered on top as an EDR.
Over a million businesses worldwide use Microsoft 365, with 731,000 companies in the United States alone. Of course, because it’s the most popular solution on the planet, it also makes it a target for bad actors.
Although Microsoft 365 provides foundational rule-based data loss prevention (DLP) and data classification to address compliance requirements, it falls short when protecting against data loss caused by people.
Tessian complements Microsoft 365 with a behavioral analytics layer and offers enhanced data protection by closing critical DLP use case gaps such as inadvertent or accidental data loss, sensitive data exfiltration to unauthorized or personal accounts, and insider risks.
How Tessian helps secure your Human Layer
We’ve come to the point where you’re considering how best to stop data loss in your organization. From working with our customers over the years, we’ve found that it’s best to think in the following three ways.
You’ve already started the research phase – simply by reading this page. Continue that process by auditing your estate, consulting team members, and identifying solutions. This is also the time to consult your network, join those webinars and read those whitepapers.
Any change in your DLP strategy needs to be able to face not only current threats, but future developments in those threats and their impact too. Maybe now really is the time to upgrade that legacy SEG with Microsoft 365 and Tessian. Perhaps you want to stay with a rule based DLP but are looking for something smarter? In which case Tessian Architect might be the right solution.
Part of the re-thinking phase is also re-training. With the average human making 35,000 decisions every single day, we know that a morning of cybersecurity training every six months isn’t as effective as ‘in the moment’ training provided by Tessian. So now’s the time to rethink your training and awareness processes too.
This is where the rubber hits the road: you can’t do any of the above without the right resources – time, people and budget – but you’re not going to get those without first showing that you’ve done the previous two phases to arrive at a road map to securing your Human Layer.