While every security tool a vendor advertises to or demonstrates for you is purportedly the silver bullet that saves your organization from drowning in a virtual sea of hackers, rogues and spies, data-leakage protection, or prevention (DLP), is one for which many electrons have been slain to sell you the “next great [security] thing”. I am sure there are organizations that have had the intestinal fortitude to fully implement a DLP solution, though in the conversations I have had with security team members in a handful of large companies that have purchased such systems, none has completed or is currently planning to complete a full deployment.
The concept seems simple enough: post guards at the doors and make sure no one walks out with the good silver. For certain industries that are highly regulated, or depend for their survival and success on vast amounts of intellectual property, the breathtaking cost of DLP may be justifiable. But what about the rest of us, who are protecting garden-variety customer data, legal agreements, financial reporting or associate information? We need to protect our data too, but making the ROI case for DLP work for our CFO likely means we are SOL.
There are just too many egress points for an organization with a large global customer base; hundreds, if not thousands, of outlets; distributed systems; significant third-party interaction; low margins; and relatively casual regulation. Ask TSA to comment on the diminishing returns of trying to stop every bad thing from happening at every airport when they have high staff turnover and limited resources and are looking for hard-to-detect risks, especially when a significant number of travelers originate outside the US and they have no control over the vetting process in those countries. DLP might work for those companies where the enterprise cost of a data breach is staggering to consider and the likelihood high enough that even the bean counters will not skimp on adding significant security infrastructure.