The Ultimate Guide to Data Loss Prevention


What is DLP?

Decades of digital technology transformation have given employees amazing powers. But with that power also comes the ability to send millions of dollars in just a few clicks, or share an entire customer database in a single emailed file. Today, your people are often the gatekeepers to your company’s most sensitive systems IP and data.

Enter data loss prevention (DLP).

Your DLP tools and strategy are critical to the safe running of your business. At its core, DLP aims to minimise the risk of confidential or business-critical data leaving an organisation. 

How much business-critical data do you handle?

Different people within your organisation handle a variety of data types. Sales for example might have customer names and emails, whereas Finance would have staff payroll details. The product and dev team would probably have sensitive IP information, and roles like sales engineers and tech ops might handle your customers’ data. Regardless of the role though, it’s all information, it’s all valuable to you (and bad actors), and it can all be lost.

Take a moment to ask yourself if your business as a whole routinely handles any of the following:

  • company IP
  • credit card details
  • medical records
  • insurance details
  • legal case notes
  • sensitive financial data
  • personally identifiable information (PII).

Chances are, if your business has customers or clients, you’re handling business-critical sensitive data.

Why email is your greatest DLP threat 

Now let’s consider how data gets ‘lost’ in the first place…

There are several ways, but nearly all of them come down to one thing: people make mistakes, either accidentally or on purpose.

Successful businesses are, by their very nature, porous. Information flows in and out at a near endless rate from staff, customers, prospects, suppliers, trade bodies, local authorities, and government.

While recent tools like Slack and Teams have eaten email’s dominance of internal communication, the main method for external communication remains email, and it is the primary way that most firms conduct business today.

In fact, an Adobe Email Usage Study found that employees routinely spend 40% of their work time reading, writing and sending emails.

How big is your problem? How big is your firm?

According to data from HANDD partner Tessian’s own platform, employees send nearly 400 emails a month. If your organisation has 1000 employees, that’s 400,000 emails, or around 13,000 a day. And if you’re routinely handling and emailing sensitive data, each of those is a data breach waiting to happen.

We don’t want to fearmonger, but it’s clear email remains your number one threat vector.

The big challenge is that people make around 35,000 decisions every single day; that’s 35,000 chances to make a mistake. In the context of email, that means not always identifying phishing emails correctly, and sometimes attaching the wrong file.

This is why, in 2021, an overwhelming 85% of data breaches involved human error.

Insider threats (and how to spot and stop them)

You can secure your perimeter against external attack, but what about the ones that come from ‘inside the house’? The fact is, people break the rules way more often than IT leaders think, both intentionally and accidentally

Insider threats are an organisation’s biggest hidden security problem.

With attention directed externally, internal issues are typically under-resourced and under-addressed. What’s more, unlike bad actors or state sponsored hackers, your staff have legitimate access to systems and data. That means they’re in an ideal position to exfiltrate data. You can see why for some companies, it’s a difficult conversation to have.

Yet our recent State of Data Loss Prevention report found that 45% of all employees download, save, send, or otherwise exfiltrate work related documents before leaving or after being dismissed from a job.

So what can be done? Well firstly, you need to recognise what data exfiltration looks like.

There are two distinct types of insider threats, malicious (those that set out to deliberately cause harm) and negligent (those that cause harm by accident).

Spotting malicious insider threats

So how do you recognise if you have malicious or negligent staff within your organisation? Well, there are several telltale signs. Malicious actors, for example, might display declining performance or other signs of dissatisfaction. They might start logging in at unusual hours, have multiple failed logins, or other abnormal login activity.

Spotting negligent insider threats

Negligent staff meanwhile might repeatedly fall for phishing attacks or fail to comply with basic security policies such as consistently misdirecting emails or miss attaching files. There could be several reasons for this, from burnout, to boredom.

Remember also, that staff often have genuine reasons to send documents externally. Sending things like plane tickets, restaurant reservations, pay slips, and other digital ‘pocket litter’ home isn’t going to cripple your business – but it will generate false positives in your SEG.

Stopping Insider Threats 

What’s critical in stopping these events is real time oversight of when they happen. In the case of malicious intent, you need to know instantly when someone has attempted an exfiltration to prevent data loss. With negligent staff, on the other hand, it can help to have a build-up of data over time to inform your actions.

The silver lining to this cloud is it isn’t all on you – it’s as much a people issue as a technology issue. As your organisation’s cybersecurity leader, you need to work with your people team and other senior leaders on addressing this. Why? Because the costs of an insider threat breach are getting bigger.

The repercussions of a breach

Insider or external, a data breach can create significant fallout for your organisation. First, there’s the financial cost. This isn’t a one-off fee – it can come in several forms.

There’s the loss of revenue in the turbulence as customers churn or take their business elsewhere. Then, depending on your sector, there’s the increasing regulatory fines and legal actions. In the EU, GDPR has meant these costs have skyrocketed. Fines are particularly large in sectors like financial services and healthcare.

There’s also the time and resources you’ll spend dealing with a breach, not only the loss incurred by your own staff who must now deal with this, but any external expertise you have to bring in to help repair or restore systems. But like an end-of-level boss in a video game, by far the biggest and most expensive repercussion is the reputational damage your organisation suffers – this can last years.

See more at Why DLP Has Failed and What the Future Looks Like.

The problems with legacy DLP

Early DLP solutions from the ‘00s were designed to filter bulk spam. Then Internet Service Providers, Secure Email Gateways, and antivirus software added pattern and keyword recognition to identify potentially threatening emails. And today’s DLP solutions added the rules below and a host of other technical measures… but they’re just not up to the job anymore.

  • Blocking domains: Particular domains, often ‘freemail’, are blocked. But there are plenty of legitimate reasons to send and receive emails from people with ‘freemail’ domains. Many small businesses and freelancers use Gmail, for example.
  • Blacklisting: Security teams create a list of non-authorised email addresses and simply block all emails sent or received. This requires constant updating and is very time/resource intensive. It’s also reactive; you only know an address is bad after they’ve been known to be associated with unauthorised communications.
  • Keywords: This method uses words and phrases to alert administrators of suspicious email activity. For example, IT and security teams can create rules to identify keywords like “bank account details”. But anyone trying to exfiltrate data can circumvent keyword tracking tools by sending the email and the attached data in an encrypted form.
  • Tagging Data: After classifying data, an organisation may attempt to tag sensitive data, allowing administrators to track it as it moves within and outside of a network. The drawback here is that, again, this is time and resource intensive and relies on employees accurately identifying and tagging all sensitive data. Miss a tag, and data is misclassified or simply overlooked

The challenge with all of the above is that they are based on rules. But human behavior can’t be predicted or controlled by rules, and human’s often subvert, side step, or break the rules, even when they know they shouldn’t.

How to bend not break the rules

  • -51% of staff say security tools and software impede their productivity at work
  • -54% of staff say that if security software or policies make it difficult or prevent them from doing their job, they’ll find a workaround

But workarounds aren’t the only problem with rules…

Binary, rule-based DLP solutions offer blunt protection and limited visibility into complex human behaviour and data movement. This leaves security leaders in the dark, trawling through logs of flagged and self-reported incidents after they’ve occurred.

There’s also the problem of false positives, and genuine, important emails are often buried in quarantine along with potentially harmful ones.

And with most risks to data security actually coming from within an organisation, security teams have to classify and monitor data across hundreds – even thousands – of different entry and exit points of a corporate network.

The result is that legacy DLP has gotten way more expensive, complicated, and requires more and more administration and fire-fighting from InfoSec teams.

Is it time to re-think your DLP strategy?

It’s clear that traditional DLP can’t prevent all data loss. This is where our partner Tessian comes in.

Tessian’s Human Layer Security platform automatically detects accidental data lossmalicious exfiltration, and phishing attacks in real-time, before sensitive data leaves your environment. Crucially, it doesn’t stop your employees from doing what they do best – their actual jobs, yet still provides you with clear visibility of threats.

Indeed, a recent Forrester Consulting report found that the security and risk leaders who have adopted Human Layer Security feel more prepared to face security and data loss incidents and to face a hybrid workforce than those who haven’t.

They believe their email security posture is extremely effective at alerting the organisation to potential attacks/threats from users’ risky behaviours or poor security decisions. Meanwhile, those who don’t take a Human Layer approach feel less control over business disruptions.”

DLP and Microsoft 365

So what does a smart, fit-for-the-21century DLP solution look like? Well, many organisations are now retiring their SEGs in favour of a Microsoft 365 solution, with Tessian layered on top as an EDR.

Over a million businesses worldwide use Microsoft 365, with 731,000 companies in the United States alone. Of course, because it’s the most popular solution on the planet, it also makes it a target for bad actors.

Although Microsoft 365 provides foundational rule-based data loss prevention (DLP) and data classification to address compliance requirements, it falls short when protecting against data loss caused by people.

Tessian complements Microsoft 365 with a behavioural analytics layer and offers enhanced data protection by closing critical DLP use case gaps such as inadvertent or accidental data loss, sensitive data exfiltration to unauthorized or personal accounts, and insider risks.

How Tessian helps secure your Human Layer

We’ve come to the point where you’re considering how best to stop DLP in your organisation. From working with our customers over the years, we’ve found that it’s best to think the following three ways


You’ve already started the research phase – simply be reading this page. Continue that process by auditing your estate, consulting team members, and identifying solutions.


Any change in your DLP strategy needs to be able to face not only current threats, but future developments in those threats and their impact too. Maybe now really is the time to upgrade that legacy SEG with Microsoft 365 and Tessian.

Part of the re-thinking phase is also re-training. With the average human makes 35,000 decisions every single day, we know that a morning of cybersecurity training every six months isn’t as effective as ‘in the moment’ training provided by Tessian and HANDD. So now’s the time to rethink your training and awareness processes too.


This is where the rubber hits the road, you can’t do anything of the above without the right resources – time, people and budget – but you’re not going to get those without first showing that you’ve done the previous two phases to arrive at a road map to securing your Human Layer.

Want to see it for yourself? To learn more about how Tessian can help strengthen your DLP posture, book a demo now.

Further reading: