Email continues to be one of the main avenues for data leakage in organizations. Whether intentional or not, employees frequently send sensitive data like customer information, healthcare records, financial documents and more via email, often without proper security controls in place. This can lead to serious data breaches and noncompliance issues.
Implementing data loss prevention (DLP) for email is critical to preventing these types of breaches. DLP analyzes and controls sensitive data being sent externally. But simply turning on DLP features isn’t enough. You need to take steps to ensure your DLP policies and controls are properly configured and your employees are on board.
Here are 4 in-depth best practices to follow when implementing email DLP:
1. Clearly Define Your Sensitive Data Universe
The foundation of any successful DLP implementation is having a firm grasp on what types of sensitive data you have in your environment and where they reside. You need this understanding in order to craft effective policies.
Start by comprehensively identifying all sensitive data types that you need to protect, such as:
- Personally identifiable information (PII) – names, addresses, social security numbers, etc.
- Protected health information (PHI) regulated under HIPAA – patient medical records and insurance details.
- Payment card industry (PCI) data – credit card numbers, CVV codes, etc.
- Financial information – corporate financial documents, trading algorithms, etc.
- Intellectual property – product designs and source code.
- Non-disclosure agreement (NDA) covered data.
- And more…
Beyond predefined data types, identify any custom sensitive data specific to your business – part numbers, internal project names, specialty formulas, etc.
Once you have a master list of sensitive data to protect, map out which systems and departments own this data. This helps determine where data protection controls need to be applied. Some key locations to look at include:
- Email systems
- Cloud productivity suites like Office 365
- Enterprise content management systems
- File servers
- CRM systems
- HR systems
- Custom business applications
- Endpoint systems
- And any other systems holding sensitive data
Establishing this detailed map of sensitive data types and locations enables you to craft targeted DLP policies.
2. Define Email DLP Policies Aligned to Your Environment
With your data discovery completed, you can now develop your email DLP policies.
Start by determining your goals and risk tolerance, asking questions like:
- Should sensitive data be fully blocked from email, allowed with encryption only, or allowed if certain conditions are met?
- Should different data types have different restrictions?
- Does the severity of the policy depend on the user’s department and role?
Then outline your specific email DLP policies aligned to your environment and risk appetite. Policies should include:
- Which data types do they apply to.
- The users/groups/departments impacted.
- The severity of enforcement – fully block, encrypt only, prompt for justification, allow with overwriting of disclaimer etc.
- Any exceptions, like allowing PHI to be emailed to business associates with an encrypted connection.
- How each policy aligns with regulatory requirements around the data types.
Giving thought to these factors will help shape a set of policies that are tuned to your unique environment.
3. Implement Supporting Controls First
One mistake organizations make is trying to immediately enforce stringent email DLP policies without having proper supporting controls in place first. This leads to high volumes of false positives and employee complaints.
Before deploying full email DLP, first have:
Data Discovery & Classification
Use data discovery tools to identify and classify sensitive information across storage systems, databases, endpoints and cloud environments. This allows you to see what data exists and properly scope DLP policies before enforcement.
Network & Endpoint DLP
Implement network and endpoint DLP controls that align with your email policies. This ensures consistent data handling and security no matter where sensitive data travels.
Secure External Email
Have encryption, data loss prevention, and other controls applied to outbound email by default. This minimizes the cleartext data leaving your environment.
Rolling out these mechanisms creates the foundation for a successful email DLP program with minimal business disruption.
4. Slowly Roll Out Email DLP Policies
Once supporting controls are in place, you’re ready to start enforcing email DLP policies. But rather than immediately applying them globally, take an incremental approach.
Start by scoping policies only to the highest risk areas, like:
- Groups that frequently handle sensitive data types.
- Departments with the most external email communication.
- Users with past data leakage incidents.
- Slowly expand from there while monitoring:
- How many emails are being blocked or encrypted?
- What policy violations are most common?
- How users are interacting with alerts and justifications.
- Complaints to service desks or management.
Use this feedback to refine the policies before expanding them further. Gradually layering on email, DLP gives users time to adapt while building organizational buy-in.
Additional Considerations for Effective Email DLP
Beyond the major steps covered above, some additional best practices include:
Limit Excess Permissions: Only allow access to sensitive data for users that need it for their role. This reduces the risk surface area.
Test with Sandbox Environments: Validate that new DLP policy work as expected using simulated user environments before rolling out to production.
Notify Users of DLP Actions: Make sure users are aware when DLP blocks or encrypts an email and explain next steps. Lack of feedback causes confusion.
Have DLP Policy Exceptions: Establish mechanisms for users to request exceptions if DLP erroneously blocks legitimate communications.
Continuously Tune Policies: Use violation reports to identify gaps in DLP policies and fine-tune rules accordingly. Threats evolve, so DLP should too.
Simplify Policy Configuration: Leverage capabilities like content analysis and machine learning so you can rely less on rigid regex-based policies.
Incentivize User Buy-In: Gamify DLP policy compliance and highlight successes to encourage user adoption. Don’t rely only on penalties.
Provide Ongoing Security Awareness Training: Educate all employees on security and DLP fundamentals on a continuous basis. This builds a culture that supports DLP adoption.
Email continues to be a significant threat vector for data loss. By taking the time to define and implement email DLP controls strategically, you can dramatically reduce your risk of breaches. Following the best practices covered here will help ensure you have effective policies tuned to your unique environment. Your organization’s sensitive data will be more secure, and you’ll be in a better position to comply with data protection regulations across geographies.