How do you know your Data Loss Prevention solution is efficient?
Ever since Data Loss Prevention technology was developed, some questions have always popped up in the minds of customers, analysts, journalists, etc.:
- How do we measure the Return on Investment?
- How do we know that our DLP is efficient?
These are perfectly justified questions and we thought of some metrics that could help determine whether DLP is worth the investment.
First of all, the purpose of Data Loss Prevention is to prevent breaches from happening. Depending on each vendor’s solution, the IT Admin has the option to either block the transfer of confidential data through different channels and have all attempts recorded, or allow it but have all transfers reported. So, measuring the success of a DLP solution also depends on how the company uses it.
In the first situation, the number of attempts and their severity is a good metric for judging whether the tool is efficient. It is about looking at the quantitative data, but even more at the qualitative information. One employee trying to upload 20 documents with staff e-mail addresses to Dropbox is not the same as one employee trying to upload 20 documents with credit card numbers to Dropbox or another cloud app. A report on these incidents, with their number and severity, gives the interested parties a good idea of the efficiency of the DLP system.
In the second situation, which involves looser policies that allow the transfer of confidential data but record all transfers, the Admin should take into account that the situation changes: the DLP solution is not actually preventing breaches, but it gives visibility into users’ activity related to confidential documents. The efficiency in this case comes from the capability of capturing events according to the established criteria and from the response time of the Admin, who can rapidly change policies and block the transfer of specific data or files, or report incidents to management for further measures.
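The two measurements described above can be computed from an exported event log. The following is an added example, not part of the original article or of any vendor's product: the event fields, the severity weights and the sample events are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Assumed severity weight per detected content type (not from the article).
SEVERITY = {"email_address": 1, "credit_card": 5}

# Constructed sample events. mode "block" = transfer stopped and recorded,
# "report" = transfer allowed but reported. responded_at = when the Admin
# acted on a reported transfer (None = no action yet).
EVENTS = [
    {"user": "alice", "dest": "dropbox", "content": "email_address", "files": 20,
     "mode": "block", "at": "2024-03-01T09:00", "responded_at": None},
    {"user": "bob", "dest": "dropbox", "content": "credit_card", "files": 20,
     "mode": "block", "at": "2024-03-01T09:05", "responded_at": None},
    {"user": "carol", "dest": "webmail", "content": "credit_card", "files": 2,
     "mode": "report", "at": "2024-03-02T10:00", "responded_at": "2024-03-02T10:30"},
    {"user": "dave", "dest": "usb", "content": "email_address", "files": 5,
     "mode": "report", "at": "2024-03-02T11:00", "responded_at": "2024-03-02T13:00"},
    {"user": "erin", "dest": "usb", "content": "credit_card", "files": 1,
     "mode": "report", "at": "2024-03-03T08:00", "responded_at": None},
]

def blocked_summary(events):
    """Blocking mode: per user, blocked file count and severity-weighted score."""
    files, score = Counter(), Counter()
    for e in events:
        if e["mode"] == "block":
            files[e["user"]] += e["files"]
            # Unknown content types fall back to the lowest weight.
            score[e["user"]] += e["files"] * SEVERITY.get(e["content"], 1)
    return {u: {"files": files[u], "score": score[u]} for u in files}

def report_mode_summary(events):
    """Report-only mode: median Admin response time in minutes, plus open events."""
    delays, open_events = [], []
    for e in events:
        if e["mode"] != "report":
            continue
        if e["responded_at"] is None:
            open_events.append(e["user"])  # visible, but nobody has acted on it
        else:
            start = datetime.fromisoformat(e["at"])
            end = datetime.fromisoformat(e["responded_at"])
            delays.append((end - start).total_seconds() / 60)
    return {"median_minutes": median(delays) if delays else None, "open": open_events}

if __name__ == "__main__":
    print(blocked_summary(EVENTS))
    print(report_mode_summary(EVENTS))
```

Both blocked users attempted 20 files, yet their weighted scores differ by the severity of the content, and the report-only summary separates response time from events that were captured but never acted on.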
The number of employee complaints is also a good indicator of DLP software efficiency. If DLP deployment coincides with an increase in users’ complaints because their daily tasks are affected, there are two possible causes: the DLP is extremely intrusive and affects staff productivity, or the policies are not fine-tuned to eliminate this type of situation. Data Loss Prevention efficiency depends not only on the provided features but also on the capability of adjusting policies according to the desired objectives. So, a DLP is only as efficient as the techniques used to fine-tune its rules and policies.
Finally, resource consumption, in terms of the staff involved in managing DLP policies and the time spent getting familiar with the software and analyzing reports, is important when determining the efficiency of a DLP system. The objective of any business is to get the best outcome with minimal resources, or at least this is the ideal situation. If the entire IT department, made up of 5 people, has its hands full managing and dealing with the DLP tool, it is not a good sign. The TCO can be calculated based on the cost of the tool itself and the associated costs. The more intuitive the management console of the DLP is, the lower the learning curve and thus the lower the required resources.
Given the current threat landscape and the increased number of breaches caused by insiders, demand for Data Loss Prevention is constantly rising. Businesses should properly establish the criteria for evaluating the available solutions and, once one is chosen, apply some of the metrics mentioned above. This will help determine the efficiency of the software. Just implementing it and assuming compliance is met does not guarantee that threats are mitigated. Bottom line: DLP is a process, not a one-time implementation.
This article was originally posted as a podcast on net-security.org