Futureproof Your Data Loss Prevention Strategy with Always On Email Encryption
Wednesday, March 1st, 2023The threats to sensitive data keep increasing, and organizations are struggling to stay secure. With the government considering new cybersecurity requirements for critical infrastructure, many organizations are reviewing their data loss prevention policies and are looking for ways to improve their security stance. This article reviews standard data loss prevention methods, their shortcomings, and how adding always-on email encryption to your toolbox can help futureproof your communications.
What is Email Data Loss Prevention?
Data loss prevention, also known as DLP, ensures that sensitive data is not lost, misused, or accessed by unauthorized users. DLP software allows users to classify business-critical data and take specific actions when those data are present in email messages. If sensitive data is identified, data loss prevention tools take some action to prevent users from accidentally or maliciously sharing data that could put the organization at risk.
How does DLP Technology work?
There are two main types of data loss prevention tools available:
- Rules-based DLP
- AI and Machine Learning based DLP
We will primarily discuss rules-based DLP in this article. But first, DLP tools that use AI or machine learning are trained on an extensive data set to identify when email messages sent by your employees contain sensitive information.
In rules-based DLP software, administrators create rules that trigger the data loss prevention technology to take a particular action. Some examples of rules include:
- Encrypting emails that contain social security numbers.
- Not sending emails that contain health data (as identified by the organization).
- Flagging emails that include specific keywords like “contract,” “financial report,” or “confidential information.”
Once the rules are in place, the DLP software will scan every outgoing email message to search for data that meets the criteria. When the DLP detects sensitive data, it takes an action that the administrator also determines. Some common protective actions include:
- Not sending the email at all.
- Adding a warning label or sending a notice to the email sender.
- Encrypting the email and sending it to a web portal.
Why is DLP technology insufficient for security and compliance?
While DLP technology may capture most sensitive data, it is not infallible. In industries like healthcare and finance, even one mistake could lead to a breach with severe financial penalties.
Looking at how most data loss prevention software works, it’s easy to see how it can fail. Rule-based DLP requires administrators to thoroughly document and catalog every possible variation of the keywords and number formats that could indicate the presence of sensitive data. Even one typo could throw off DLP software and cause data to be sent without protection. Sensitive healthcare and financial data do not always fall cleanly into pre-determined categories, and there are always exceptions to rules.
Conversely, false positives from extremely strict rule-making can result in delayed business communications and inefficiency. If DLP rules are too restrictive and too many messages are not sent or locked behind a portal, employees may use less secure channels to get around DLP technology.
How to Close Data Loss Prevention Gaps with Always-On Email Encryption
Highly regulated industries should consider sending all messages with a baseline of TLS encryption instead of relying on DLP technology to trigger it. TLS encryption is secure enough to meet most compliance requirements and has added usability benefits. TLS-encrypted messages appear just like regular, unencrypted emails in the recipient’s inbox, making them easy to read and respond to but without the risk of interception or eavesdropping. When all messages are automatically encrypted, you can worry less about DLP failure and data leakage.
DLP scanning can also trigger web portal pick-up encryption for more sensitive messages. Sending highly confidential information like financial statements, medical records, and board meeting minutes requires added security that can be triggered by DLP technology. Reducing the number of rules required makes data loss prevention tools easier for administrators to manage. Also, removing encryption choices from employees improves their productivity and reduces risk.
Message encryption may only be optional for a little while longer. In 2022, CISA issued Cross-Sector Cybersecurity Performance Goals, which recommended TLS encryption as part of prioritized cybersecurity practices that critical infrastructure owners and operators can implement to reduce the likelihood and impact of known risks and adversary techniques. Prepare for the future and protect your sensitive data by using LuxSci’s easy-to-use email encryption tools today.
This classic DLP system is available through many email providers and has been available at LuxSci for many years as well. However, it does have a glaring limitation — no matter how complete and complex your DLP pattern list is, it is almost certain that some messages containing sensitive information will not quite match (or the information will be embedded in attachments that can’t be searched properly). If they do not match, then they will escape in a way that may be considered a breach. 
