Data Loss Prevention: What DLP Can and Cannot Do
Data loss prevention tools occupy an interesting position in the security market. They are purchased to solve a problem, the loss or exfiltration of sensitive data, that is genuinely difficult to solve technically. The tools have real capability in defined scenarios. They also have clear limits that are less frequently discussed in the sales process, and those limits mean that organisations often deploy DLP with a level of confidence in what it prevents that the technology does not actually support.
This article covers what DLP tools can do well, where their limits lie, and what a realistic data protection programme looks like when DLP is one part of it rather than the primary control. The goal is not to argue against using DLP. It is to ensure that the controls around it reflect what it actually provides rather than what the label implies.
What DLP Does Well
DLP tools are effective at detecting and blocking the transfer of data that matches defined patterns through monitored channels. Common capabilities include:
- Detecting structured sensitive data patterns, such as credit card numbers, tax file numbers, and Medicare numbers, in files, messages, and web traffic
- Blocking uploads of files containing defined content types to external services through monitored endpoints or network channels
- Alerting on large-volume data transfers that exceed defined thresholds, which can indicate exfiltration attempts
- Classifying and tagging documents based on content, and applying policy controls based on classification
- Monitoring email for sensitive content in attachments or message bodies and applying quarantine or block actions
These capabilities address a real category of data loss: accidental or unintentional exposure through common channels by people who are not trying to circumvent controls. DLP is also useful for demonstrating to regulators and auditors that controls around specific data types are in place.
What DLP Cannot Do
DLP cannot prevent a person who wants to exfiltrate data from doing so if they are willing to use a method the DLP rules do not cover. A photograph of a screen. A printout taken home. A description of sensitive information typed into a personal messaging application that uses end-to-end encryption. Copying data to a personal device before it reaches the monitored endpoint. These methods bypass most DLP deployments entirely, and a motivated insider will find them.
DLP also struggles with unstructured data. Detecting a credit card number or a defined document number in transit is a pattern-matching problem that DLP handles well. Detecting that a document contains sensitive business information that does not match a defined pattern is a much harder problem. Most organisations have significant volumes of sensitive unstructured data, including contracts, board papers, commercial proposals, and internal strategy documents, that do not contain structured data patterns and are therefore invisible to standard DLP rules unless the classification is done manually or through machine learning approaches that carry their own accuracy limitations.
The Insider Threat Problem
The scenario that DLP is most commonly cited as addressing, the malicious insider, is also the scenario it is least reliable against. A malicious insider who knows the DLP configuration, and insiders frequently do, can route around it. The controls that are more effective against malicious insiders combine DLP with access controls that limit what data the person can reach in the first place, behavioural monitoring that detects unusual access patterns before exfiltration occurs, and off-boarding procedures that revoke access promptly when risk indicators appear.
DLP in this context is a detection layer, not a prevention layer. It may catch some exfiltration attempts by insiders who are not trying to avoid it, and it creates an audit trail that is valuable in investigations. But treating it as the primary control against insider threat overstates what it can reliably prevent.
Building a Realistic Data Protection Programme
A data protection programme that takes DLP's limits seriously includes several elements alongside the DLP tool itself. Data classification establishes what is sensitive and where it lives. Access controls limit who can reach sensitive data to those with a genuine business need. Monitoring detects anomalous access patterns that precede exfiltration. Off-boarding procedures remove access promptly. And DLP provides a detection and blocking layer for transfers through the channels it can monitor.
The combination provides meaningful protection because no single element is being asked to do more than it is capable of. That is the right model for most security controls: layered, with each layer clearly understood and with the gaps between layers acknowledged and addressed by other means. We help organisations assess their current DLP deployment against this model and identify where the gaps in their data protection programme actually are.
To discuss data protection and DLP strategy for your organisation, contact Cyberlinx at info@cyberlinx.com.au.
Related Articles







