What is email data loss prevention (DLP)?
Traditionally, email data loss prevention software has used static rules to stop users from emailing sensitive or confidential data. Specifically, email DLP protects organizations from accidentally exposing sensitive data such as bank account numbers, passwords, credit card numbers, intellectual property, or trade secrets.
Email DLP has played an important role in organizations’ email security strategies. Since email is the most common form of corporate communication, it is also one of the most likely channels through which an employee exposes sensitive information, whether by accident, neglect, or malicious intent. Email DLP can be used to help reduce human error, which is rampant in email usage. (Just think: how many times have you hit reply-all by accident or sent the wrong attachment?) Especially for organizations that are subject to compliance audits, email DLP has been a critical security component.
How does email DLP work?
Human error is best addressed by anticipating it. Email data loss prevention solutions have traditionally done so by enforcing a set of mail flow rules. These rules scan and filter both message text and attachments, looking for keywords, dictionary matches, and text patterns. Because the rules are static rather than adaptive, they are usually written once, based on data sensitivity and appetite for risk, and then applied in a one-size-fits-all way.
This is what it looks like in action:
A legal secretary at a mid-sized law firm prepares an email for a client, adds several legal documents as PDF attachments, puts the client’s email address in the “To” field and the attorney’s email address in the “Cc” field, and hits the “Send” button.
What consequences does hitting ‘Send’ trigger with traditional data loss prevention software?
When an email DLP policy is in force, the mail server scans the email, comparing its text against lists of keywords built into the software and lists that the law firm’s IT administrators have created. The scan also looks for the formats of sensitive numbers, such as social security and credit card numbers. Where the format carries a check digit, as payment card numbers do (the Luhn checksum), the scanner validates it to cut down on false positives; social security numbers have no checksum, so they can only be matched on their layout and known issuance rules.
If the email DLP scan finds sensitive information, this can trigger several types of events, such as:
- Asking the sender to modify the email before sending it – for example, removing sensitive information that can’t be sent to external domains or applying encryption
- Asking the sender to verify recipients and attachments
- Rejecting or quarantining the email instead of sending it
- Automatically modifying the email through pre-built rules within the DLP software – such as applying email encryption
Normally, email DLP solutions are configured to perform the first operation. In our example, then, the legal secretary would receive a prompt either to remove certain information before sending to an external recipient or to encrypt the email.
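To make the mechanics above concrete, here is an added example, written for this article rather than taken from any DLP product or from Egress: a static rule scan in Python that combines a built-in keyword list, an administrator dictionary, number-format patterns with a Luhn check for card numbers (social security numbers have no check digit, so only issuance rules are applied), and the fixed action a traditional policy would take. The keyword lists, addresses, the sender domain, the attachment texts and the rule that internal mail is always allowed are all assumptions made for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Keyword lists: one shipped with the product and one the firm's IT admins maintain
# (both constructed for this example).
BUILTIN_KEYWORDS = {"confidential", "privileged", "attorney-client"}
ADMIN_DICTIONARY = {"matter id", "settlement offer"}

# 13-19 digits, optionally separated by single spaces or dashes (payment card layouts).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US social security number in its usual AAA-GG-SSSS layout.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSNs carry no checksum, so only the SSA's issuance rules weed out non-SSNs:
    area 000, 666 or 9xx, group 00 and serial 0000 are never issued."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


@dataclass
class Finding:
    kind: str    # "keyword", "card" or "ssn"
    value: str


def scan_text(text: str) -> List[Finding]:
    """One pass of the static rule set over a message body or an extracted attachment."""
    findings: List[Finding] = []
    lower = text.lower()
    for kw in sorted(BUILTIN_KEYWORDS | ADMIN_DICTIONARY):
        if kw in lower:
            findings.append(Finding("keyword", kw))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):                       # drop look-alike digit runs
            findings.append(Finding("card", digits))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", m.group()))
    return findings


def decide(sender_domain: str, recipients: List[str], body: str,
           attachments: Dict[str, str]) -> Tuple[str, List[Finding]]:
    """Static, one-size-fits-all policy keyed only on what was found and on whether
    any recipient is outside the sender's domain (assumed rule: internal mail is
    always allowed). attachments maps filename -> text already extracted from it."""
    findings = scan_text(body)
    for text in attachments.values():
        findings.extend(scan_text(text))
    external = any(r.rsplit("@", 1)[-1].lower() != sender_domain for r in recipients)
    if not findings or not external:
        return "send", findings
    if any(f.kind in ("card", "ssn") for f in findings):
        return "prompt_remove_or_encrypt", findings   # the first action in the list above
    return "prompt_encrypt", findings


if __name__ == "__main__":
    # Constructed message: Visa-format test number in an attachment going to an outside domain.
    action, found = decide(
        "firm.example", ["client@other.example"],
        "Please find the documents attached.",
        {"retainer.pdf": "Bill to card 4111 1111 1111 1111"})
    print(action, [(f.kind, f.value) for f in found])
```

Note what the Luhn step buys: a run like 1234 5678 1234 5678 matches the card pattern but fails the checksum and is let through, while 4111 1111 1111 1111 passes and triggers the prompt. Note also what the policy cannot see: the decision depends only on the findings and the recipient domain, never on who the recipient is or what the sender usually does.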
Because they are static, traditional DLP rules cannot add any intelligence to their decision-making: a rule either fires or it doesn’t. For example, credit card details either can be shared with external domains or they can’t. You can build per-user rules – Person A is authorized to send credit card details to external domains but Person B isn’t – but this takes considerable resources from IT administrators, who not only need to build the initial lists but then need to keep them current as roles and relationships change.
Typically this is too much overhead, so the same rule is applied at least department-wide, and usually organization-wide.
So let’s return to our example. Now imagine that our legal secretary is having a rough day: when adding the client’s email address, Outlook autocomplete suggests Roger Jones instead of Robert Jones, and the secretary accepts the wrong recipient without noticing. On top of that, one of the attachments is inadvertently pulled from the folder of another client, Roberta Jonass. This one email now carries two potential breaches.
And let’s say our legal secretary has, under the static DLP rules, the necessary permission to share client information with external domains. So the keywords – like the client matter ID – won’t trigger the DLP software. There are no other keyword matches or formatting giveaways that betray the errors, and the email is sent.
In cases like this, it’s easy to see why traditional email DLP solutions fail to prevent security incidents – whether that’s personally identifiable information being leaked, or corporate information like a client’s file, or both.
At Egress, we use contextual machine learning and advanced email DLP to stop these security incidents. As well as assessing the sensitivity of the data, we also look at the context that it’s shared in. So it’s not just a case of “Person A can share credit card numbers with external domains”, but “Person A can, and routinely does, share credit card numbers with external domains – but not with Person C at Company X and never with Company Y at all”.
This contextual machine learning is called Egress Human Layer Security.
So, back to our legal secretary in the above scenario. When they hit “Send” on an email to Roger Jones containing Robert Jones’ client files, Egress would identify that the content in the email and attachments shouldn’t be sent to Roger Jones or Robert Jones, and would alert the sender to this, saving our legal secretary from leaking client information, jeopardizing relationships, and breaching compliance.
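As an added illustration of the contextual idea (not Egress’s code or model, which applies machine learning to far more signals than this), the following Python keeps a per-sender history of who normally receives which client matter and flags the two slips in the scenario: a first-time recipient whose address resembles a regular one, and an attachment whose matter has never gone to that recipient. The MATTER-<n> identifier format, the addresses, the similarity threshold and the history itself are constructed for the example.

```python
from __future__ import annotations
import re
from collections import defaultdict
from difflib import SequenceMatcher
from typing import Dict, List, Set

# Hypothetical client-matter ID format, e.g. MATTER-1001 (constructed for this example).
MATTER_RE = re.compile(r"\bMATTER-(\d+)\b")


def matters_in(text: str) -> Set[str]:
    """Matter IDs referenced in a message body or in text extracted from an attachment."""
    return {m.group(1) for m in MATTER_RE.finditer(text)}


class SenderHistory:
    """What one sender has previously sent, and to whom, learned from their past mail."""

    def __init__(self) -> None:
        self.sent_to: Dict[str, int] = defaultdict(int)             # recipient -> emails sent
        self.recipients_of: Dict[str, Set[str]] = defaultdict(set)  # matter -> recipients

    def record(self, recipient: str, text: str) -> None:
        self.sent_to[recipient] += 1
        for matter in matters_in(text):
            self.recipients_of[matter].add(recipient)


def lookalike(a: str, b: str, threshold: float = 0.8) -> bool:
    """Local parts that differ by only a few characters (roger.jones vs robert.jones).
    The 0.8 ratio is an assumed cut-off, not a tuned value."""
    ratio = SequenceMatcher(None, a.split("@")[0].lower(), b.split("@")[0].lower()).ratio()
    return ratio >= threshold


def contextual_check(history: SenderHistory, recipients: List[str],
                     texts: List[str]) -> List[str]:
    """Warnings where this send departs from the sender's own pattern.

    A static rule only sees 'client data to an external domain', which this sender
    is allowed to do. The context used here is who normally receives which matter.
    """
    warnings: List[str] = []
    matters = set().union(*(matters_in(t) for t in texts))
    for rcpt in recipients:
        # Signal 1: a first-time recipient whose address resembles a known one
        # (the autocomplete slip).
        if history.sent_to.get(rcpt, 0) == 0:
            near = sorted(r for r, n in history.sent_to.items() if n and lookalike(r, rcpt))
            if near:
                warnings.append(f"{rcpt}: never emailed before but resembles {near}")
        # Signal 2: a matter this recipient has never been sent, although it has
        # gone to others (the wrong recipient, or the wrong attachment).
        for matter in sorted(matters):
            usual = history.recipients_of.get(matter, set())
            if usual and rcpt not in usual:
                warnings.append(
                    f"MATTER-{matter} has only ever gone to {sorted(usual)}, not {rcpt}")
    return warnings


def build_demo_history() -> SenderHistory:
    """Constructed history for the legal secretary: Robert Jones's matter goes to Robert
    and the supervising attorney, Roberta Jonass's matter to Roberta and the attorney."""
    h = SenderHistory()
    for _ in range(5):
        h.record("robert.jones@client.example", "Filings for MATTER-1001")
        h.record("attorney@firm.example", "Status on MATTER-1001 and MATTER-2002")
    for _ in range(3):
        h.record("roberta.jonass@other.example", "Lease draft, MATTER-2002")
    return h


if __name__ == "__main__":
    # The bad day: Roger instead of Robert, plus Roberta's lease among the attachments.
    h = build_demo_history()
    for w in contextual_check(
            h, ["roger.jones@client.example", "attorney@firm.example"],
            ["Please find the documents attached.", "MATTER-1001 retainer", "MATTER-2002 lease"]):
        print("WARN", w)
```

Run as-is, the check raises three warnings for Roger Jones (the look-alike address and both matters) and none for the attorney, who routinely receives both. Sending the same two attachments to the right client, Robert Jones, still raises exactly one warning, for the stray MATTER-2002 file, while a clean send of his own matter raises none. That asymmetry is the point: the same content is fine to one recipient and a breach to another, which no static rule keyed on content and domain can express.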
What are the benefits of email DLP?
The key benefit of email data loss prevention is its ability to mitigate risk and protect organizations and their staff members. Email DLP accomplishes this by keeping key data from leaving an organization’s servers. As we’ve seen, though, it requires the intelligence of contextual machine learning to do this in a meaningful way.
Preventing data from being shared with unauthorized external recipients helps ensure compliance requirements are met, particularly those in regulations like CCPA, HIPAA and GDPR that require organizations to protect sensitive data from unauthorized access. Protecting personal data in line with regulations helps clients feel more secure trusting you with their personal information, and they’re more likely to renew existing services or subscriptions or even purchase new ones. It also protects your organization from punitive action by regulators, such as hefty fines for non-compliance, and from class action lawsuits by data subjects. The latter would cost employee time gathering information for the case, lawyers’ fees, court costs, and potentially the cost of losing in court.
But unauthorized access doesn’t only involve external recipients – the same benefits apply when email DLP software is used to stop internal data crossing ethical walls (information barriers) within an organization. For example, in the scenario described above, the legal secretary may have an obligation to keep the files out of view of another attorney at the firm because of a conflict of interest.
Ethical walls, or information barriers, prohibit lawyers and their staff from having any contact with information pertaining to certain clients because of those conflicts of interest. The electronic integrity of an ethical wall can be maintained in part with email DLP software, so that lawyers, their paralegals, and their legal secretaries do not inadvertently share client files with other lawyers and staff in-house where conflicts of interest exist.
As well as law firms, financial providers also have an obvious need for information barriers, for example keeping intelligence about mergers and acquisitions away from teams trading on the stock market(s) that insider information might affect.
Information barriers need to be created and enforced in a variety of other types of organizations, too. In a number of industries, employees currently or historically work with competitors, which necessitates an ethical wall: advertising agencies, for example, often work with direct competitors in a given vertical. The same applies when an employee leaves for an organization with a conflicting interest – for example, when an attorney leaves a firm that represents Client X and joins one that represents Client Y, a competitor of Client X. In a quite different scenario, some schools create ethical walls to prevent students from communicating with administrators via email.
What are the limitations of email DLP?
Traditional rules-based email DLP has significant limitations. As we’ve seen in our example, with traditional email DLP, actions are triggered by a word, phrase, or number format. Once triggered, the email can either be (a) encrypted and sent or (b) held until modified, or not sent at all. The limitation lies both in the finite policy library the software uses to evaluate an email and in the binary action it takes. Based on a limited set of rules keyed to data sensitivity, the software either allows the email to be sent or it doesn’t; it either encrypts the email or it doesn’t. These actions are triggered by static rules with no regard to the thought or intent of the sender. Therein lies the shortcoming of traditional email DLP: a total lack of context.
Email DLP rules are adequate for protecting keywords associated with intellectual property, and the same mail flow rule engines are routinely used to filter inbound phishing and malware / ransomware, though that is a mail hygiene function rather than data loss prevention. To ensure the highest level of security for outbound email, however, intelligent email DLP should be used in tandem with static policies. Intelligent email DLP fills in the gaps that static DLP cannot.
Intelligent email DLP uses contextual machine learning to understand the situation around an email being sent, beyond just checking the boxes of the static DLP rules. It predicts and evaluates the sender’s behavior and makes judgements about mistakes (like accidentally autofilling the wrong email address in the “To” field) and malicious intent (like over-sending certain types of data to their personal email address, signaling a possible bad leaver).
Static email DLP alone underperforms because it is not humanly possible (nor feasible in terms of staff time and energy) to keep identifying new ways data can leak and manually adding a rule for each one. With intelligent email DLP, you don’t have to wait for the IT department to add rules to the policy as new cases arise; the software uses machine learning to anticipate them instead.
Because it doesn’t rely solely on human choice, intelligent email DLP makes email safer while keeping the organization in compliance. It also brings context to security decisions in the grey areas where human relationships and interactions are part of the equation. The result is more informative, useful email DLP triggers that raise the level of safety and security for the organization.
Email DLP from Egress
Egress Intelligent Email Security uses contextual machine learning to provide advanced email DLP for organizations globally.
Our software inspects and analyzes numerous factors every time an email is sent, to ensure users are making the right security decisions. We check the recipient(s) and their domain(s), the email’s subject line, and the content of the message body and any attachments, and use this to build context around each user’s working patterns. That allows us to detect when abnormal behavior occurs – for example, attaching an incorrect file containing sensitive data – and alert the user to the mistake before an email data breach occurs.
It’s also frequently not enough to get data to the correct recipients; many organizations need to remain in control of sensitive information for compliance and auditing purposes. We can automatically and intelligently apply message-level encryption to emails based on the risk of a data breach, which in turn means the recipient isn’t able to take certain actions, such as forwarding content to unauthorized recipients or printing it.
Egress Intelligent Email Security works for emails sent to both external domains and when sharing information internally among colleagues, meaning we can prevent unauthorized access and conflicts of interest inside your organization, as well as with third parties and clients.