DLP *is* low cost, compliance driven and already deployed

"In this guest blog, product manager John Stringer explores how Sophos customers are choosing to prevent data loss inside their companies. Over to you, John."

John Stringer
Last month Ellen Messmer at Network World published an article about data loss prevention, entitled “The DLP waste: High costs, patchy abilities, and poor deployments”.

I read the article with some interest and reflected upon how well it squared up with the findings of a regular report I get from our global network of labs on the most popular Sophos DLP policy templates.

Below you’ll find a chart showing the top ten content control lists (CCLs) most commonly used by Sophos’s corporate customers around the world. I use this data to get an insight into how many Sophos customers are rolling out DLP and what they are using it for.

| Content Control List Name | Usage |
|---|---|
| Credit or debit card numbers | 72% |
| Social security numbers | 47% |
| Bank routing numbers | 42% |
| International Bank Account Numbers | 37% |
| Passport details | 31% |
| Highly sensitive content marker | 31% |
| Sensitive content marker | 30% |
| Moderately sensitive content marker | 28% |
| Global confidential document markers | 28% |
| National identification numbers | 27% |

Some background information (and a mini-plug) – we integrated DLP into our endpoint agent last year, and since then we’ve been busy improving the engine and building DLP into other Sophos products such as our email appliance.

The usage report highlighted:

1) Not surprisingly, most customers are using DLP to implement compliance controls, which explains the dominance of policies designed to assist with PCI compliance (e.g. credit card detection) and personally identifiable information detection (e.g. social security number).

2) There is a healthy demand for DLP outside of the USA – although the US is still by far the region most likely to deploy DLP. The report showed good adoption levels amongst UK, Spanish, French, German, Italian and Australian customers.

3) Around 30% of customers are using DLP to detect standard or custom document classification markers such as “Informations internes” or “ACME confidential”.

The data proves that “mainstream” businesses do see value in DLP implementation, as long as it supports their compliance requirements, has the right price tag* and is tightly integrated into their existing security infrastructure.

One final thought: in the article, Gartner’s Eric Ouellet highlights the importance of involving the non-IT business units in setting DLP objectives. I wholeheartedly agree with this, and it’s one of the key messages in a whitepaper we recently published on DLP planning and deployment.

* Sophos provides endpoint and gateway DLP without any additional charge.