Below are highlights from the July 16th virtual round-table discussion entitled: “Data Loss Prevention: Survey Results and Peer Discussion”.
Speakers: @Marcos Marcal (Information Security & Risk Manager at Nutter McClennen & Fish LLP) & @Abraham Miller-Barbarow (Information Governance Risk Manager at Ropes & Gray LLP).
The full survey can also be found attached.
74+ firms participated in the survey, and around 60 attendees were able to ask additional questions during the round-table.
We expect the COVID-19 crisis to result in firms expanding their DLP initiatives. Independent of firm size and/or tool costs, the round-table surfaced other methods that can be used either as an additional layer of protection or as a compensating control to prevent data loss.
- Email continues to be the primary location where a DLP tool is deployed (54%). Mobile phones (12%) and Cloud (14%) appear to be emerging areas of focus.
- Other DLP controls to consider: clipboard pass-through, screen capture, local USB access.
- Application/URL filtering was discussed as a good ‘compensating control’ to DLP; 82% of firms are already using it. However, only ~59% of firms apply app/URL filtering outside the network, although discussions have begun to increase that deployment.
- DLP false positives will occur. Constant maintenance of DLP is required to whitelist confirmed false positives where possible.
- DLP is often a client requirement driven by data classification/sensitivity. At a minimum, apply the most restrictive DLP controls to departments exposed to sensitive data (e.g. collections).
- 21% of firms classify data on-prem, while only 4% classify data in the cloud. Policies and Procedures should be updated to reflect the type of data the firm considers “sensitive”.
- DLP tools can be expensive, but data classification can be completed through interviews with data owners as a good starting point.
- Although ~90% of firms allow printing from home, other controls include: providing the correct shredder type, providing the correct printer model, and updating policies if printing of sensitive data is required (such as sending the document to the firm’s copy department).
- Continuous Security Awareness training was mentioned as a “quick win” for DLP. DLP should not only be included in security awareness training, but it should focus on sensitive data examples.
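As an added illustration of the false-positive and whitelist point above (example code written for this summary, not something presented at the round-table or taken from any DLP product), the script below runs two simple content detectors (SSN-style and card-style numbers, the latter confirmed with a Luhn check) over constructed outbound emails and then applies a hypothetical allowlist of known-benign values and approved recipient domains. All addresses, message bodies and allowlist entries are made up for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample outbound emails (placeholders, not real correspondence).
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "paralegal@firm.test", "to": "client@outsidecounsel.test",
     "body": "Please confirm the debtor's SSN 123-45-6789 before we file."},
    {"id": "m2", "from": "qa@firm.test", "to": "vendor@paygateway.test",
     "body": "Sandbox test card 4111 1111 1111 1111 still fails on your side."},
    {"id": "m3", "from": "collections@firm.test", "to": "upload@secureportal.client.test",
     "body": "Statement attached; account holder SSN 987-65-4320."},
    {"id": "m4", "from": "billing@firm.test", "to": "ap@someco.test",
     "body": "Invoice 2020-0912, total $4,250.00, wire ref 1234567890123."},
]

# Hypothetical allowlist: the kind of list that grows as reviewed false positives
# are confirmed (the "constant maintenance" the round-table described).
ALLOWLIST: Dict[str, Set[str]] = {
    # well-known payment-gateway test PAN, never real cardholder data
    "values": {"4111111111111111"},
    # approved client upload portal used by the collections department
    "recipient_domains": {"secureportal.client.test"},
}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-16 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


@dataclass
class Finding:
    message_id: str
    kind: str                      # "ssn" or "card"
    value: str                     # matched value (digits only for cards)
    suppressed: Optional[str] = None  # allowlist reason, None if actionable


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out long digit runs (invoice/wire refs) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(msg: Dict[str, str], allowlist: Dict[str, Set[str]] = ALLOWLIST) -> List[Finding]:
    """Detect sensitive-looking values in one message, then mark allowlisted hits as suppressed."""
    findings: List[Finding] = []
    for m in SSN_RE.finditer(msg["body"]):
        findings.append(Finding(msg["id"], "ssn", m.group()))
    for m in CARD_RE.finditer(msg["body"]):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding(msg["id"], "card", digits))

    recipient_domain = msg["to"].rsplit("@", 1)[-1].lower()
    for f in findings:
        if f.value in allowlist["values"]:
            f.suppressed = "allowlisted value"
        elif recipient_domain in allowlist["recipient_domains"]:
            f.suppressed = f"approved recipient domain {recipient_domain}"
    return findings


def scan_all(messages: List[Dict[str, str]]) -> List[Finding]:
    return [f for msg in messages for f in scan_message(msg)]


def actionable(findings: List[Finding]) -> List[Finding]:
    """Only findings that survive the allowlist should reach an analyst queue."""
    return [f for f in findings if f.suppressed is None]


if __name__ == "__main__":
    all_findings = scan_all(SAMPLE_MESSAGES)
    for f in all_findings:
        status = "SUPPRESSED: " + f.suppressed if f.suppressed else "ACTIONABLE"
        print(f"{f.message_id} {f.kind:<4} {f.value:<16} {status}")
    print(f"{len(actionable(all_findings))} of {len(all_findings)} findings need review")
```

Of the four constructed messages, only m1 reaches the review queue: the test card in m2 and the SSN sent to the approved portal in m3 are suppressed by the allowlist, and the 13-digit wire reference in m4 never becomes a finding because it fails the Luhn check. Each suppression carries its reason, so the allowlist can be audited rather than silently hiding detections.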