Unified messaging and communications analysis by consultant Michael Osterman.
Data leak prevention (DLP) systems are an increasingly important part of a set of best-practice technologies aimed at protecting corporate data and other sensitive information from being accidentally sent through e-mail and other communication and information transport channels. While DLP systems typically won't be nearly as useful in protecting against malicious data leaks, they are effective at stopping inadvertent ones, such as when an employee attempts to send confidential data through e-mail in clear text.
Ostensibly, the primary benefit of a DLP system is to intercept sensitive data before it leaves the organization. However, another important benefit of a DLP system can be the psychological impact it has on end users. For example, a customer of Websense implemented the company’s Data Security Suite in 2007 in a three-phased approach. From January through April, the company performed only passive monitoring of violations in which non-public, personal information (NPI) was sent through the system. In May, the company switched to notifying employees when they had violated corporate policies, without actively enforcing those policies. In June, it began active enforcement, in which violations would be actively monitored and reported.
During the passive monitoring phase, the company detected an average of roughly 12,000 NPI violations for each of the four months of this phase of the deployment. In May, when employees were informed of their behavior, violations dropped to 6,000. In June, the first month of active enforcement, violations dropped to well under 1,000 and remained under 2,000 per month through December. Interestingly, violations actually increased from August through October, which the company found was due to the use of temporary employees who were not familiar with the company’s policies; after this issue was addressed, NPI violations dropped back to approximately their June levels.
What this illustrates is the value of DLP not only from a technical perspective, but also from a behavioral one. Employees who know their activities are being monitored for compliance against corporate policies are much more likely to comply with them than if monitoring is not performed.
Michael Osterman is principal analyst of Osterman Research.
Comments (1)
False Positive & False Negative Rates - the key to successful DLP deployment
By Paul on October 14, 2008, 11:16 am
Monitoring is a waste of time and money. Once you see credit card data leaving, you're in trouble. Enterprises should pay more attention to the false positive...