I am sure people by now are getting used to the constant string of vendors talking about how they solve the data leak prevention issue. They have presented their sales pitch so many times that it comes out almost involuntary at the slightest whiff of the topic during a conversation. You want to see a sales account managers brain snap. Tell him you are not interested in DLP because you trust your employees, they are just not use to hearing such a response. If we don’t trust our employees, then why are they employed.
This thinking will reduce the DLP issue down to a couple of risks:
- Accidental leakage through bad judgement, error, misconfiguration or uninformed end users
- Opportunistic information theft (DLP is not going to stop someone getting the information if they really want it)
If you have identified, marked and appropriately secured your sensitive information, then you are left with the risk of loss of lesser value information. This may have an impact, but does the loss of this information justify the cost of deploying and ongoing maintenance/configuration of a DLP solution?
If you can justify the cost of a DLP project, how about redirecting those funds instead at something to try treat the root cause of one of the risks identified above. Provide appropriate training and support tools so your employees understand the value of their companies information, how the loss of the information may effect them personally (gives them ownership) and how they, as employees, can reduce the possibility of accidental leakage. And then if you wish to use DLP, target only those systems that contain the sensitive information, and the people who are authorised to access them, to reduce the risk of sensitive data leakage.
My belief is that you will get a better long term benefit this way, rather than implementing another technical solution that is only going to increase complexity in the environment, annoy end users, increase operating costs, and stretch support resources. All of which is likely to introduce bigger risks then the DLP risk you are trying to mitigate in the first place.