
What is Data Loss Prevention (DLP)? Complete Overview of DLP

Thursday, March 17th, 2022

Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.

What is Data Loss Prevention (DLP)?

Data loss prevention (DLP) is a strategy that businesses use to keep their data safe. DLP solutions detect and flag or block any event that might result in the loss, theft, or exfiltration of a company’s data.

How does DLP work?


Put simply, DLP software monitors different entry and exit points (examples below) to “look” for data and keep it safe and sound inside the organization’s network.


A properly configured DLP solution can detect when sensitive or important data is leaving a company’s possession, alert the user and, ultimately, stop data loss.


A DLP solution has three main jobs. DLP software:

  • Monitors and analyzes data while at rest, in motion, and in use.
  • Detects suspicious activity or anomalous network traffic.
  • Blocks or flags suspicious activity, preventing data loss.


Those entry and exit points we mentioned earlier include:

  • Computers
  • Mobile devices
  • Email clients
  • Servers
  • Mail gateways


Different types of DLP solutions are required to safeguard data in these environments.


What are the different types of DLP?


DLP software can monitor and safeguard data in three states:

  • Data in motion (or “in transit”): Data that is being sent or received by your network
  • Data in use: Data that a user is currently interacting with
  • Data at rest: Data stored in a file or database that is not moving or in use


There are three main types of DLP software designed to protect data in these different states.


Network data loss prevention


Network DLP software monitors network traffic passing through entry and exit points to protect data in motion. Network DLP scans all data passing through a company’s network. If it’s working properly, the software will detect sensitive data exiting the network and flag or block it while allowing other data to leave the network unimpeded where appropriate. Network administrators can customize network DLP software to block certain types of data from leaving the network by default or—by contrast—whitelist specific file types or URLs.


Endpoint data loss prevention


Endpoint DLP monitors data on devices and workstations, such as computers and mobile devices, to protect data in use. The software can monitor the device and detect a range of potentially malicious actions, including:


  • Printing a document
  • Creating or renaming a file
  • Copying data to removable media (e.g. a USB drive)


Such actions might be completely harmless—or they might be an attempt to exfiltrate confidential data. Effective endpoint DLP software (but not all endpoint DLP software) can distinguish between suspicious and non-suspicious activity.


Email data loss prevention


Email is the primary threat vector for most businesses, and the threat vector most security leaders are concerned about locking down with their DLP strategy.


Email represents a potential route straight through your company’s defenses for anyone wishing to deliver a malicious payload. And it’s also a way for insiders to send data out of your company’s network—whether by accident or on purpose.


Email DLP can therefore protect against some of the most common and serious causes of data loss, including:

  • Email-based cyberattacks, such as phishing
  • Malicious exfiltration of data by employees (also called insider threats)
  • Accidental data loss (for example, sending an email to the wrong person or attaching the wrong file)

Does my company need a data loss prevention solution?


Almost certainly. DLP is a top priority for security leaders across industries and DLP software is a vital part of any organization’s security program.


Broadly, there are two reasons to implement an effective data loss prevention solution:


  1. Protecting your customers’ and employees’ personal information. Your business is responsible for all the personal information it controls. Cyberattacks and employee errors can put this data at risk.
  2. Protecting your company’s non-personal data. DLP can thwart attempts to steal intellectual property, client lists, or financial data.


Want to learn more about how and why other organizations are leveraging DLP? We explore employee behavior, the frequency of data loss incidents, and the best (and worst) solutions in this report: The State of Data Loss Prevention.


Now let’s look at the practical ways DLP software can benefit your business.


What are the benefits of DLP?


There are 4 main benefits of data loss prevention, which we’ll unpack below:

  1. Protecting against external threats (like spear phishing attacks)
  2. Protecting against internal threats (like insider threats)
  3. Protecting against accidental data loss (like accidentally sending an email to the wrong person)
  4. Compliance with laws and regulations


Protecting against external threats


External security threats are often the main driver of a company’s cybersecurity program—although, as we’ll see below, they’re far from the only type of security threat that businesses are concerned about.


Here are some of the most significant external threats that can result in data loss:

  • Phishing: Phishing is the most common online crime—and according to the latest FBI data, phishing rates doubled in 2020. Around 96% of phishing attacks take place via email.
  • Spear phishing: A phishing attack targeting a specific individual. Spear phishing attacks are more effective than “bulk” phishing attacks and can target high-value individuals (whaling) or use advanced impersonation techniques (CEO fraud).
  • Ransomware: A malicious actor encrypts company data and forces the company to pay a ransom to obtain the key. Cybercriminals can use various methods to undertake cyberattacks, including malicious email attachments or links and exploit kits.


DLP can counter these external threats by stopping malicious actors from exfiltrating data from your network, storage, or endpoints.


Protecting against internal threats


Malicious employees can use email to exfiltrate company data. This type of insider threat is more common than you might think.


Verizon research shows how employees can misuse their company account privileges for malicious purposes, such as stealing or providing unauthorized access to company data. This problem is most significant in the healthcare and manufacturing industries.


Why would an employee misuse their account privileges in this way? In some cases, they’re working with outsiders. In others, they’re stealing data for their own purposes. For more information, read our 11 Real Examples of Insider Threats.


The difficulty is that your employees often need to send files and data outside of your company for perfectly legitimate purposes.


Thankfully, next-generation DLP can use machine learning to distinguish and block suspicious activity—while permitting data to leave your network where necessary.


Preventing accidental data loss


Human error is a widespread cause of data loss, but security teams sometimes overlook it.


In fact, misdirected emails—where a person sends an email to the wrong recipient—are the most common cause of data breaches, according to the UK’s data protection regulator.


Tessian platform data bears this out. In organizations with 1,000 or more employees, people send an average of 800 misdirected emails every year.


Misdirected emails take many forms. But any misdirected email can result in data loss—whether through accidentally clicking “reply all”, attaching the wrong file, accepting an erroneous autocomplete, or simply spelling someone’s email address wrong.


Compliance with laws and regulations


Governments are more and more concerned about data privacy and security. Data protection and cybersecurity regulations are increasingly demanding—and failing to comply with them can incur increasingly severe penalties.


Implementing a DLP solution is an excellent way to demonstrate your organization’s compliance efforts with any of the following laws and standards:

  • General Data Protection Regulation (GDPR): Any company doing business in the EU, or working with EU clients or customers, must comply with the GDPR. The regulation requires all organizations to implement security measures to protect the personal data in their control.
  • California Consumer Privacy Act (CCPA): The CCPA is one example of the many state privacy laws emerging across the U.S. The law requires businesses to implement reasonable security measures to guard against the loss or exfiltration of personal information.
  • Sector-specific regulations: Tightly regulated sectors are subject to privacy and security standards, such as the Health Insurance Portability and Accountability Act (HIPAA), which covers healthcare providers and their business associates, and the Gramm-Leach-Bliley Act (GLBA), which covers financial institutions.
  • Cybersecurity frameworks: Compliance with cybersecurity frameworks, such as the NIST Framework, CIS Controls, or ISO 27000 Series, is an important way to demonstrate high standards of data security in your organization. Implementing a DLP solution is one step towards certification with one of these frameworks.


Bear in mind that, in certain industries, individual customers and clients will have their own regulatory requests, too.


Do DLP solutions work?


We’ve looked at the huge benefits that DLP software can bring your organization. But does DLP actually work? Some solutions do, but not all.


Effective DLP software works seamlessly in the background, allowing employees to work uninterrupted, but stepping in to prevent data loss whenever necessary. Likewise, it is easy for SOC teams to manage.


Unfortunately, some DLP solutions still include legacy features that either fail to prevent loss effectively, create too much noise for security teams, or are too cumbersome to let employees work unimpeded. Let’s take a look at some DLP methods and weigh up the pros and cons of each approach.


Blacklisting domains


IT administrators can block certain domains associated with malicious activity, for example, “freemail” domains. Blacklisting entire domains, particularly popular (if problematic) domains, is not ideal. There may be good reasons to communicate with someone using a freemail address—for example, if they are a customer, contractor, or a potential client.


Tagging sensitive data


Some DLP software allows users to tag certain types of sensitive data. For example, you may wish to block activity involving any file containing a 16-digit number (which might be a credit card number). But this rigid approach doesn’t account for the dynamic nature of sensitive data. In certain contexts, a 16-digit number might not be associated with a credit card. Or an employee may be using credit card data for legitimate purposes.


Implementing rules


Rule-based DLP uses “if-then” statements to block types of activities, such as “If an employee uploads a file of 10MB or larger, then block the upload and alert IT.” The problem here is that, like the other “data-centric” solutions identified above, rule-based DLP often blocks legitimate activity and allows malicious activity to occur unimpeded.
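
The false positives and misses described under “Tagging sensitive data” and “Implementing rules”, as an added Python example (not Tessian’s code or any DLP product’s): it runs the rigid 16-digit and 10MB checks over three constructed messages, then a content check that normalises separators and requires a valid Luhn checksum. All function names and sample messages are assumptions made for illustration; the card value is the widely published test number, not a real account.

```python
import re

# Hypothetical names throughout; sample messages are constructed for illustration.
SIZE_LIMIT = 10 * 1024 * 1024                     # the "10MB or larger" rule
NAIVE_16 = re.compile(r"\b\d{16}\b")              # rigid tag: any bare 16-digit number
CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){15}\b")  # 16 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def naive_verdict(msg: dict) -> list:
    """The rigid checks described above: returns the names of the rules that fire."""
    hits = []
    if NAIVE_16.search(msg["body"]):
        hits.append("16-digit")
    if msg["attachment_bytes"] >= SIZE_LIMIT:
        hits.append("size>=10MB")
    return hits


def card_like_numbers(body: str) -> list:
    """Refined content check: strip separators, then require a valid Luhn sum."""
    found = []
    for m in CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


SAMPLES = {
    "tracking": {"body": "Your parcel 1234567890123456 ships today.", "attachment_bytes": 0},
    "card": {"body": "Card on file: 4111 1111 1111 1111", "attachment_bytes": 0},
    "deck": {"body": "Slides for Monday attached.", "attachment_bytes": 12 * 1024 * 1024},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, naive_verdict(msg), card_like_numbers(msg["body"]))
```

The rigid rules block the parcel notice and the slide deck but pass the spaced card number; the checksum-based check reverses the first and last of those outcomes, yet it still cannot tell whether sending that card number was legitimate.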


Machine learning


Here’s how it works: machine learning technology learns how people, teams, and customers communicate and understands the context behind every interaction with data.


By analyzing the evolving patterns of human interactions, machine learning DLP constantly reclassifies email addresses according to the relationship between a business and customers, suppliers, and other third parties.