Adding DLP and Compliance to Your Digital Transformation Process

When an organization decides to begin its digital transformation process, it should have a strategy in place for every step of the migration. A plan ensures that nothing gets missed and that you know exactly how digital transformation will benefit the company (especially when it's time to present that plan to your corporate decision-makers).

Your digital transformation strategy should include your DLP and compliance policies if it doesn’t already.

“For many organizations, DLP and compliance policies build up over time,” said Nick Hogg, director of technical training at Fortra, in an email interview.

While these policies make perfect sense at the time of implementation, things can change. The company evolves, introducing new processes and adding new teams and customers. Compliance regulations are constantly updated or new rules are instituted. Those old policies are no longer sufficient and may actually hinder business operations.

“Digital transformation projects present organizations with an opportunity to reevaluate what’s necessary from a data protection standpoint and ask if their existing DLP and compliance strategies still maintain the high levels of security required,” Hogg stated.

“For example, one of the objectives of digital transformation is to make it easier to collaborate with colleagues, business partners and customers, but in doing so they also introduce more risk. Employees have more opportunities to accidentally share sensitive information or expose data to external threats. Therefore, these projects must have security baked in from the outset with policies and controls re-evaluated to address these new risks,” he said.

Linking DLP and Compliance to Your Digital Transformation Process

Although you may not immediately think of DLP and compliance in tandem, they are linked; often, your DLP strategy has to be spelled out to meet regulatory compliance requirements.

An organization could err on the side of caution on potential policy violations and still maintain its compliance, Hogg pointed out, but expanding that approach into a wider DLP project raises concerns about blocking potential violations because of the large number of false positives this would generate.

“The business is still at risk of losing valuable data that would have a huge impact if it fell into the wrong hands, whether that’s from a loss of competitive advantage or a negative impact on reputation, so why shouldn’t the approach be the same?”

The Technologies You’ll Need

Undertaking a digital transformation means adding new technologies to the system(s) already in place. With that in mind, organizations need to look at a broad spectrum of technologies, including data classification, digital rights management, DLP, email security, secure file transfer and file integrity monitoring. To determine which technologies you'll need, evaluate where different approaches can make what you are doing today more effective while keeping you aligned with the requirements of the business going forward. Automating tools used for vulnerability management or pentesting, for example, can also help improve protections. By automating repetitive tasks and prioritizing results, organizations can focus their limited remediation efforts on the greatest vulnerabilities that attackers could exploit to potentially cause a compliance breach.

“Many of these technologies can support/enforce the organization’s policies through just-in-time notifications that pop up to guide and educate user behavior before an action takes place,” said Hogg.

AI and ML are the shiny new baubles that many decision-makers think they need to add, but they aren’t a silver bullet to addressing your needs, Hogg added.

“If people are doing the wrong stuff, these technologies simply make that wrong stuff faster. I think there’s much more value to be gained in getting the fundamentals right first and then refining them to improve protections,” he added.

DLP and Cloud Migration

Because so much of a digital transformation involves the cloud, you’ll want to smoothly migrate your DLP. Hogg offered the following tips to make sure your new DLP strategy will continue to meet compliance requirements:

• Identify and secure your most sensitive data and know how you will keep it secure if it is exposed or compromised.
• Classify the sensitive data and ensure the classification scheme allows you to build nuance into your security controls to minimize false positives.
• Apply discovery scans to identify where unclassified data is, classify it appropriately and, where necessary, move it to a more appropriate location. “This is especially important as users put sensitive data into cloud applications and services–some won’t necessarily understand data sovereignty requirements or how to correctly handle PII,” Hogg said.
• Deploy endpoint DLP and internet traffic monitoring to provide ongoing visibility of data.
• Use digital rights management (DRM) to encrypt the data and wrap access control and permission lists around it.
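The classification nuance the tips above call for, validating a match before a discovery scan treats it as a violation so that not every 16-digit string blocks a transfer, as an added Python example that is not from the article or any Fortra product; the sample files and the three-tier label scheme are constructed for illustration.

```python
import re

# Constructed sample files standing in for what a discovery scan finds.
SAMPLE_FILES = {
    "invoice.txt": "Card on file: 4111 1111 1111 1111, contact j.doe@example.com",
    "ticket.txt": "Order ref 1234 5678 9012 3456 raised by ops",  # 16 digits, not a card
    "notes.txt": "Meeting moved to Thursday, no attachments",
}

# Classification tiers, lowest to highest sensitivity (assumed scheme).
TIERS = ["internal", "confidential", "restricted"]

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Label text with the highest tier its contents justify.

    A Luhn-valid card number is 'restricted' (block or encrypt).
    A card-like number that fails Luhn, or an email address (PII),
    is only 'confidential' (flag for review rather than block),
    which is where the false-positive reduction happens."""
    label = "internal"
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            return "restricted"
        label = "confidential"
    if EMAIL_RE.search(text):
        label = max(label, "confidential", key=TIERS.index)
    return label


def discovery_scan(files: dict) -> dict:
    """Map each file name to its label; 'restricted' items are candidates to relocate."""
    return {name: classify(text) for name, text in files.items()}
```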

Finally, said Hogg, you want to ensure employees understand the impact of digital transformation projects and the additional data protection considerations they need. Everyone in the company should be held responsible for doing their part in keeping data secure and ensuring a smooth DLP transition during the digital transformation.


Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
