Published Date: January 25, 2023
Data loss prevention, or DLP, is a set of tools and processes for preventing the loss or theft of an organization’s sensitive data, whether through breaches, exfiltration, accidental exposure or misuse of intellectual property, any of which can cause significant financial impact and loss of competitive advantage. Businesses use DLP solutions to secure their data, detect data breaches and comply with regulatory standards.
DLP software can help an organization detect and prevent the unauthorized access and illicit transfer of data, especially regulated data such as personally identifiable information and compliance-related data, across its network, endpoints and cloud resources. DLP also helps organizations identify and classify confidential, regulated and business-critical data and make certain their data policies comply with relevant regulations, such as HIPAA, SOX, GDPR, PCI-DSS and FISMA. When policy violations are detected, DLP can identify and enforce remediation through alerts, encryption, data isolation and other actions.
Data leakage and loss can be devastating for businesses, and no organization is immune. While external threats cause the lion’s share of data breaches, more than 20 percent of security incidents involve insiders. Data loss can also severely damage an organization’s financial health: as of 2022, the average cost of a data breach in the United States was almost $9.5 million, up from slightly above $9 million the previous year. Beyond direct financial losses, breaches can bring reputational damage, customer loss and decreased productivity.
In the following sections we’ll look at how DLP works, its benefits and use cases, and how you can get started with your own DLP strategy.
What are the different types of DLP?
The different types of DLP include network DLP, endpoint DLP, and cloud DLP. Here’s a closer look at each:
- Network DLP: Network DLP inspects data as it moves across the network, tracking and analyzing traffic and applying policies that reduce the risk of data loss and support regulatory compliance. When a transfer violates policy, a network DLP solution can block, flag, audit, encrypt or quarantine the offending data.
- Endpoint DLP: Endpoint DLP solutions manage data security on individual endpoint devices such as computers, mobile devices, and servers. They allow you to monitor and encrypt sensitive data at rest and in transit from one device to another, regardless of where the device is located or how it connects to the organization’s resources.
- Cloud DLP: Cloud DLP solutions discover and protect sensitive data stored in cloud applications and storage, and restrict access to authorized users and applications. With organizations moving more workloads to the cloud to support remote workers, cloud DLP should be an essential part of an overall cybersecurity strategy.
How does DLP work?
DLP works by identifying sensitive information and then enforcing actions to protect it. DLP solutions combine content inspection with standard security controls and techniques, including firewalls, antivirus and endpoint protection, monitoring services, machine learning and automation, to detect, prevent and add context to suspicious or anomalous data movement.
At any given time, data is in one of three states. Each presents challenges for identifying and protecting sensitive information:
- Data in use: In this state, data is being accessed within a system. Any time data is being read, used, updated or erased, it can create security gaps.
- Data in transit: Data in this state is moving from one location to another: between devices or systems, such as a file downloaded from a web server to a laptop’s local drive or transferred from a cloud server to a mobile device, or across locations within a single device. Data in transit also includes data moved physically on portable storage such as a USB thumb drive. A common exposure for data in motion is an employee copying sensitive data from the company network to a personal device in order to work remotely.
- Data at rest: This state refers to data stored in a database, file share, object store or other persistent storage. Data stored unencrypted or in insecure locations is the most common vulnerability in this state.
Specifically, DLP solves three common problems:
- Data extrusion: Data extrusion, the unauthorized movement of data (also known as data exfiltration), usually out of the corporate network, is the end goal of many cyberattacks. It can be performed by an employee with physical access to a computer or by external attackers who use malware, phishing or code injection to get past an organization’s perimeter. Facebook was the victim of this type of data loss when attackers exploited a vulnerability to scrape the data of 533 million user accounts and posted it online.
- Insider threats: Both accidental and malicious insiders, including current and former employees, contractors and business partners, are often the cause of data loss. These individuals may abuse their own privileges or compromise the account of a user with higher-level privileges to steal sensitive data. The Target credit card breach of 2013 is a high-profile example: attackers used a third-party vendor’s stolen credentials to get into Target’s network and compromise its payment systems to steal customer data. The breach affected 41 million consumers, and Target paid an $18.5 million settlement as a result.
- Unintended or negligent data exposure: Data is often exposed accidentally through poor data practices, such as an employee losing a device or inadvertently granting open access to sensitive data. Phishing is a common cause of unintended exposure, including of credentials, and is often a prelude to a ransomware attack such as the Colonial Pipeline incident that shut down the East Coast’s main fuel pipeline for several days.

At any given time, data in an organization is in one of three states: in use, in transit, or at rest.
DLP programs use a variety of techniques to analyze and identify sensitive data. Some of these include:
- Rule-based analysis: The most common technique analyzes content for known patterns such as 13- to 19-digit payment card numbers or 9-digit Social Security numbers, typically with regular expressions. Pattern matching alone produces many false positives (an order number can look like a card number), so it is usually paired with a validation step such as a checksum and used as a first-pass filter to flag data for further review.
- Database fingerprinting: Also called exact data matching, this technique looks for an exact match to structured data, such as a first name, last name and Social Security number occurring together in a message and corresponding to a specific customer database record.
- Exact file matching: Rather than analyzing file contents, this technique matches the hashes of the file against a known fingerprint for that file. It has a lower false-positive rate than other techniques, but it can fail for files with similar but not identical versions.
- Partial document matching: This technique fingerprints sections of a protected document so that excerpts, or copies with edits, are still recognized; examples are a hospital admissions form filled out by every patient, or a paragraph of a confidential report pasted into an email.
- Statistical analysis: This technique uses statistical methods such as Bayesian classification and machine learning to flag sensitive data. It needs a large, representative training corpus to keep false positives and false negatives low; trained on too little data, the classifier misses sensitive content or floods analysts with noise.
- Pre-built categories: Some DLP solutions use pre-built categories with dictionaries and rules for common types of sensitive data such as credit card numbers that relate to compliance with PCI, HIPAA and other regulations.
- Custom rules: Most organizations have unique types of data they need to identify and protect, so some DLP solutions allow users to build their own rules to run alongside those the software provides.
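The four content-analysis techniques above are easier to compare with code in hand. The block below is an added example, not Splunk’s or any vendor’s detection engine: it pairs a card-number regex with a Luhn checksum (rule-based analysis), looks up salted hashes of whole customer records (exact data matching), hashes a whole file (exact file matching, which any edit defeats) and fingerprints five-word windows of a protected document so that a pasted excerpt still scores (partial document matching). The customer records, the protected document, the sample messages, the salt and the shingle size are all constructed assumptions.

```python
"""Toy implementations of four DLP content-analysis techniques.

Added example, not Splunk's or any vendor's engine. All sample records,
documents and messages are constructed; the regexes, salt and shingle
size are assumptions chosen for illustration.
"""
import hashlib
import re

# --- Rule-based analysis: pattern match, then a checksum to cut false positives.
# Payment card numbers (PANs) run 13-19 digits, optionally grouped by space/dash.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# SSNs: area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; a random 16-digit order number usually fails it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return regex candidates that also pass the Luhn check."""
    out = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            out.append(digits)
    return out


# --- Exact data matching (database fingerprinting): salted hashes of whole
# records, so the DLP index never holds the raw customer data.
EDM_SALT = b"rotate-me"  # assumption: a per-deployment secret
CUSTOMERS = [("Ada", "Lovelace", "123-45-6789"), ("Alan", "Turing", "987-65-4321")]


def record_fingerprint(first: str, last: str, ssn: str) -> str:
    norm = "|".join(s.strip().lower() for s in (first, last, ssn))
    return hashlib.sha256(EDM_SALT + norm.encode()).hexdigest()


EDM_INDEX = {record_fingerprint(*row) for row in CUSTOMERS}


def edm_match(text: str) -> bool:
    """True only if a name *and* the SSN from the same record co-occur."""
    words = re.findall(r"[A-Za-z]+", text)
    for ssn in SSN_RE.findall(text):
        for first, last in zip(words, words[1:]):
            if record_fingerprint(first, last, ssn) in EDM_INDEX:
                return True
    return False


# --- Exact file matching: whole-file hash. Any edit breaks the match.
PROTECTED_DOC = (  # constructed confidential document
    "Project Falcon design review. The new pricing engine rebuilds quotes from "
    "the customer tier table nightly. Margin floors are enforced per region "
    "before any discount is applied. Rollout begins with the EMEA sales team "
    "in the second quarter."
)
PROTECTED_HASHES = {hashlib.sha256(PROTECTED_DOC.encode()).hexdigest()}


def exact_file_match(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() in PROTECTED_HASHES


# --- Partial document matching: hash every k-word window ("shingle") of the
# protected document and measure what fraction reappears in the message.
def shingles(text: str, k: int = 5) -> set[str]:
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha1(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(len(words) - k + 1)}


PROTECTED_SHINGLES = shingles(PROTECTED_DOC)


def partial_match_score(text: str) -> float:
    """Fraction of the protected document's shingles present in text (0..1)."""
    return len(shingles(text) & PROTECTED_SHINGLES) / len(PROTECTED_SHINGLES)


def scan(text: str) -> dict:
    """Run every analyzer over one message; this is what a policy engine consumes."""
    return {
        "pans": find_pans(text),
        "ssns": SSN_RE.findall(text),
        "edm_record_match": edm_match(text),
        "exact_file_match": exact_file_match(text.encode()),
        "partial_doc_score": round(partial_match_score(text), 3),
    }


# Constructed outbound email: two sentences lifted from the protected document.
SAMPLE_EXCERPT = (
    "FYI, straight from the internal doc: Margin floors are enforced per region "
    "before any discount is applied. Rollout begins with the EMEA sales team in "
    "the second quarter. Thought you'd want to know."
)

if __name__ == "__main__":
    print(scan("Ticket 4471: Ada Lovelace (SSN 123-45-6789), card 4111 1111 1111 1111"))
    print(scan("Order 1234567890123456 shipped"))  # 16 digits, fails Luhn
    print(scan(SAMPLE_EXCERPT))  # exact hash misses it, shingles catch it
```

Note the two failure modes the page describes: the order number is rejected by the checksum even though it matches the card pattern, and the excerpt slips past the whole-file hash but still scores above half of the document’s shingles, which is the gap partial document matching exists to close.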
Once sensitive data is identified and data classification is conducted, the organization must determine how to protect the data and adapt its DLP policy accordingly.
How does DLP relate to SIEM?
The two technologies serve different functions but complement each other. DLP discovers and classifies data according to its sensitivity and enforces policy on its movement across the organization, rather than relying on isolated, one-off searches.
Security information and event management, or SIEM, on the other hand, collects log and event data from the many devices and applications across an environment, then aggregates and correlates it to give a holistic view of the organization’s security posture. Using analytics, the SIEM identifies patterns that help security teams spot disruptions, breaches, advanced malware and other threats, and respond in a timely way. DLP alerts are one more source the SIEM ingests: correlating them with authentication, endpoint and network logs lets the organization judge which data-loss events are most urgent and prioritize protection accordingly.
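The correlation described above is what a SIEM rule does with DLP output. The block below is an added example, not a Splunk search or any vendor’s rule: it parses constructed key=value events from three DLP channels and a VPN log, then scores each user by number of alerts, whether a transfer was blocked, whether several channels were hit inside one window, and whether a login from a country never seen for that user preceded the alerts. Every log line, field name, threshold and weight is an assumption made for the example.

```python
"""Correlating DLP alerts with authentication logs, SIEM-rule style.

Added example with constructed log lines; the field names, time window and
score weights are assumptions, not any vendor's schema or rule.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed key=value events. jdoe trips endpoint and cloud DLP minutes after
# a login from a new country; asmith sends two small PII emails after a normal login.
DLP_EVENTS = """\
2023-01-20T02:14:09Z src=dlp_endpoint user=jdoe action=block channel=usb classification=pci bytes=48000000
2023-01-20T02:20:41Z src=dlp_cloud user=jdoe action=alert channel=personal_drive classification=pci bytes=52000000
2023-01-20T10:05:12Z src=dlp_email user=asmith action=alert channel=email classification=pii bytes=1200
2023-01-20T10:07:30Z src=dlp_email user=asmith action=alert channel=email classification=pii bytes=900
"""

AUTH_EVENTS = """\
2023-01-19T17:55:00Z src=vpn user=jdoe action=login country=US
2023-01-20T01:58:22Z src=vpn user=jdoe action=login country=RO
2023-01-20T09:30:00Z src=vpn user=asmith action=login country=US
"""


def parse(lines: str) -> list[dict]:
    """Turn 'timestamp k=v k=v ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in lines.splitlines():
        ts, _, rest = line.partition(" ")
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def novel_country_logins(auth: list[dict]) -> list[dict]:
    """Logins from a country not previously seen for that user (first login is baseline)."""
    seen = defaultdict(set)
    novel = []
    for ev in sorted(auth, key=lambda e: e["ts"]):
        if ev.get("action") != "login":
            continue
        if seen[ev["user"]] and ev["country"] not in seen[ev["user"]]:
            novel.append(ev)
        seen[ev["user"]].add(ev["country"])
    return novel


def correlate(dlp_lines: str = DLP_EVENTS, auth_lines: str = AUTH_EVENTS,
              window: timedelta = timedelta(hours=1)) -> list[dict]:
    """Score DLP activity per user and return incidents, highest priority first."""
    novel = novel_country_logins(parse(auth_lines))
    by_user = defaultdict(list)
    for ev in parse(dlp_lines):
        by_user[ev["user"]].append(ev)

    incidents = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        score, reasons = len(evs), [f"{len(evs)} DLP events"]
        if any(e["action"] == "block" for e in evs):
            score += 3
            reasons.append("a transfer was blocked")
        channels = {e["channel"] for e in evs}
        if len(channels) > 1 and evs[-1]["ts"] - evs[0]["ts"] <= window:
            score += 3
            reasons.append(f"multiple channels within window: {sorted(channels)}")
        for login in novel:
            if login["user"] == user and any(
                timedelta(0) <= e["ts"] - login["ts"] <= window for e in evs
            ):
                score += 4
                reasons.append(f"login from new country {login['country']} shortly before")
                break
        incidents.append({"user": user, "score": score, "reasons": reasons})
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


if __name__ == "__main__":
    for inc in correlate():
        print(inc["score"], inc["user"], "; ".join(inc["reasons"]))
```

The same DLP alerts look very different once the authentication log is in the picture: jdoe’s blocked USB copy plus an upload to a personal drive a few minutes after an unfamiliar-country VPN login rises to the top, while asmith’s two small email alerts stay low priority. In a real deployment the DLP product forwards these alerts to the SIEM and the rule runs there; the weights would be tuned to the environment rather than fixed as here.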
What are the benefits of DLP?
DLP systems offer many benefits, some of which include:
- More complete data discovery: Organizations produce and store huge volumes of data across their network, cloud, and endpoints. DLP tools allow you to more easily identify critical data, ensure the appropriate controls are in place to secure it, and confirm that the organization is complying with data regulations.
- Reduced risk of data breaches: Organizations that adopt DLP solutions have greater visibility into the sensitive data in their possession and how it’s being used. This gives them a proactive stance against any suspicious or high-risk activity that could potentially result in a data breach.
- Protection against insider threats: DLP solutions flag sensitive information in a file before it is transmitted elsewhere, so unauthorized copying or sharing can be blocked or sent for review.
- Protection against ransomware attacks: Ransomware encrypts files and holds them hostage until the organization pays for their release, and the intrusion often begins with a phishing attack that steals credentials or other sensitive data. DLP provides safeguards against that initial exposure.
- Prevention of data theft: DLP solutions alert you whenever sensitive data is copied to another device. This allows you to take immediate action to allow or block the data transfer so you can maintain control of your most valuable assets.
- Prevention of unauthorized document sharing: DLP solutions flag any shared document containing sensitive information and prevent unauthorized users from opening it.
- Protection against phishing attacks: Phishing scams attempt to deceive users into exposing sensitive data through emails or texts that appear to come from trusted sources. DLP safeguards provide a safety net against this type of data theft.
What problems does DLP solve?
DLP is used as part of an organization’s overall cybersecurity strategy to provide visibility into and protection of data. Organizations produce and store massive volumes of sensitive data, including protected health information (PHI), personally identifiable information (PII) about customers and employees, credit card data and intellectual property, putting them at risk of data breaches as well as steep financial penalties for regulatory compliance violations. DLP prevents data loss by providing deeper visibility into an organization’s sensitive data and mechanisms for blocking its movement outside the organization’s security perimeter.
DLP solutions usually support one or more cybersecurity activities, including:
- Prevention: DLP inspects data in real time as it is used and moved, and blocks transfers by unauthorized users or suspicious activity that violates policy.
- Detection: DLP improves data visibility and facilitates advanced data monitoring to help identify potentially harmful activity.
- Response: DLP solutions enable easy tracking of data access and data movement on the organization’s network, along with reporting capabilities to help streamline incident response.
- Analysis: DLP contextualizes risky activity to help security teams conduct data classification and make better-informed decisions about prevention and remediation measures.

When working together, network DLP, endpoint DLP and cloud DLP help protect organizations from data extrusion, insider threats and unauthorized data exposure.
How do you get started with DLP?
To get started with DLP, first determine which data systems are critical to your business and decide if you need a standalone (network, cloud or endpoint) or integrated solution. Next, establish a budget specifically for the necessary DLP solution and determine whether you can implement it in house or will need an outside provider. Finally, establish some criteria around pricing and functionality for the DLP solutions you’ll be reviewing to help narrow down the options that are most compatible with your organization’s needs.
What are DLP best practices?
The following best practices can ensure your DLP efforts start off on the right foot:
- Define a DLP objective: Because organizations are subject to complex and evolving compliance standards such as HIPAA, PCI and GDPR, many adopt a DLP solution to help them meet these obligations. However, DLP provides many other benefits, including improved data visibility and protection, incident prevention and streamlined incident response capabilities. Determine your organization’s business priorities so you can customize a DLP solution to best meet your needs.
- Start small: Rather than tackling every DLP use case at once, take a more focused approach. Prioritize a specific data type and set fast, measurable objectives. This will allow you to earn a quick win and build confidence as you roll out DLP to other areas of the organization.
- Define success metrics: Determine what KPIs you will measure and track them to determine the success of your DLP efforts and where they can improve. Be sure to share these metrics with business leaders to demonstrate DLP’s business value.
- Educate employees: As with any security policy or procedure, employee awareness and acceptance of DLP is essential for success. Educate employees via classes, online training, emails, and other measures to improve their understanding of data security and DLP best practices.
- Understand that DLP is a process, not a product: DLP is a continuous effort to understand your sensitive data and how it’s used in order to better protect it. A DLP solution is merely a tool to help you achieve that goal.
What are some DLP trends?
Various DLP trends are emerging in response to larger trends that have impacted the enterprise over the last few years. Chief among these are increased cloud adoption, greater reliance on remote workers and the development of more sophisticated cyberattacks. To deal with these, DLP solutions are evolving from standalone tools to becoming integrated solutions that are implemented wherever users interact with data, including endpoints and the cloud.
DLP is also expanding the way it looks at data risk. Once viewed purely as an outbound problem, data loss is now often the final step of a multi-phase attack whose earlier phases, such as initial access and internal reconnaissance to locate sensitive data, are inbound. To combat this, DLP approaches are advancing to address both inbound and outbound data loss risks.
The cloud and a more mobile workforce have dramatically increased the number of data protection gaps organizations have to deal with, while data regulations are expanding and growing more complex. DLP helps with both challenges, closing security gaps and making compliance easier to demonstrate.