How to Implement Data Loss Prevention (DLP) Strategies

DLP monitors and blocks inappropriate data sharing.

Overview

Data leaks through email, cloud, USB, printing, and screenshots.

Classify first.

Technical controls.

Review and refine.

Block USB storage devices by default on all corporate workstations
Create exceptions for approved devices only (e.g., company-issued encrypted USB drives)
Allow keyboard, mouse, and other non-storage USB devices
Log all USB device connections even if blocked — shows attempted exfiltration
Consider encrypted USB drives for staff who legitimately need portable storage
Disable CD/DVD burning on workstations unless specifically needed

Monitor for data uploads to personal cloud storage (Google Drive, Dropbox, iCloud)
Block personal cloud storage domains if business alternatives are provided
Detect and alert on use of file-sharing services not approved by the company
Monitor web email access (Gmail, Outlook.com) for data exfiltration via personal email
Use Cloud Access Security Broker (CASB) tools for comprehensive cloud monitoring
Educate staff on why approved tools should be used instead of personal alternatives

Define an incident response process specifically for DLP alerts
Not every DLP alert is malicious — many are accidental or process-driven
Tier 1: User warning (first occurrence, likely accidental)
Tier 2: Manager notification (repeated occurrences or suspicious pattern)
Tier 3: Security investigation (deliberate attempt to exfiltrate sensitive data)
Document all DLP incidents and their resolution
Use DLP data to identify process improvements: If many people trigger the same rule, the process may need changing

Our engineers provide expert assistance with setup, troubleshooting, and ongoing support for businesses and individuals across Cornwall.

Get in Touch Call 01726 76999