DLP Software | Data Loss Prevention

DLP (Data Loss Prevention) software or Data Loss Prevention System is a cybersecurity solution designed to help organizations protect their confidential and sensitive information from unauthorized leaks or losses. This type of software is used to prevent confidential data from leaving an organization’s network or being shared inappropriately.

Also, a cybersecurity tool that helps prevent the leakage of confidential data within an organization. This data loss prevention software monitors, detects, and blocks any unauthorized attempt to access, transfer, or copy critical information, ensuring that personal and corporate data is kept secure.

DLP software operates in several ways:

• Activity Monitoring: Constantly monitors user activity on the network, on mobile devices, and in cloud storage systems to identify actions that may put data security at risk.
• Pattern Detection: Uses algorithms and predefined rules to detect patterns of behavior that could indicate a data leak. For example, it can identify the sending of confidential data by email or its uploading to cloud storage services.
• Policy Enforcement: Allows organizations to define custom security policies that determine how confidential data should be handled. These policies may include restrictions on access, transfer, or use of sensitive data.
• Prevention Actions: When an activity that violates security policies is detected, the DLP software can take preventive measures, such as blocking data transfer, notifying administrators, or logging the activity for later review.
• User Education: Often, DLP software includes awareness and training components to educate users about security policies and best practices.

In summary, DLP software is a crucial tool in the protection of confidential data and in compliance with privacy and security regulations. It helps organizations prevent information leaks, minimize risks, and ensure that their most valuable information remains secure and in authorized hands.

DLP solutions offer several benefits for companies, such as:

• Improve productivity by identifying and addressing non-work or inefficient activities.
• Prevent misuse of resources and protect intellectual property.
• Detect security threats, such as unauthorized access to confidential information.
• Evaluate individual and team performance to make informed decisions.
• Comply with legal and regulatory requirements for privacy and security.

When selecting DLP software, it is important to consider the following aspects:

• Security functionalities, such as encryption, access control, and audits.
• Compliance with applicable data protection regulations, such as the GDPR.
• Easy-to-use interface compatible with existing systems.
• Frequent updates and technical support.
• Security assessments and reviews by experts in the field.
• Remember that it is important to evaluate the specific needs of your organization and look for solutions that adapt to your particular requirements.
• Compliance with regulations and legal requirements.
• Reduction of costs associated with paper document management.
• More informed decision-making based on accurate and up-to-date data.

Indeed, it turns out totally mandatory . Through the information screen that appears at each team login, the following is done:

• Workers’ Statute: art. 20.3 allows the “employer to adopt the measures it deems most appropriate for monitoring and control to verify the worker’s compliance with their labor obligations and duties, taking due consideration of their human dignity in its adoption and application, and taking into account the real capacity of diminished workers, if applicable.”

The business organizational powers are limited and conditioned by the rights of the worker, being obliged to respect them. In order for the organization to be able to control the use of the computer without violating the right to privacy, it not only has to establish the instructions for use. In addition, it should be noted of the controls that the company is going to carry out to control this use. It is not enough, then, for the employer to validly establish an absolute prohibition of private use of the company’s means. It must give notice of the controls and procedures that are going to be used to know the use that the worker gives to the computer (in this case, monitoring and access control software).

“If a monitoring software is installed, it must be communicated reliably”

As long as there is no business regulation or a “code of conduct” regarding the use of computers and Internet access by workers, (and not be communicated to the workers in a reliable way ) there can be no breach of contractual good faith (for the mere non-harmful use). Nor can the employer exercise controls and records on the computers of the workers. The reason is that they are protected by the right to privacy as a consequence of the doctrine established by the ECHR of April 3, 2007 (ECHR 2007.23) (Copland Case). Furthermore, the privacy guarantee is not restricted to email. It also extends to the worker’s personal files as well as temporary files. These are copies that are automatically saved on the hard drive of the places visited on the Internet. These files may contain sensitive data regarding the privacy of the worker, insofar as they can incorporate revealing information on private aspects (ideology, sexual orientation, personal interests, etc.).

• RLOPD (Royal Decree 1720/2007, of December 21, approving the regulatory development of Organic Law 03/2018, of December 5, on the protection of personal data and guarantee of digital rights). The art. 89.2 states that “The staff must understand in an understandable way the security regulations that affect the performance of their duties, as well as the consequences that could be incurred in the event of non-compliance.”

 

How to inform users about monitoring software?

The simplest way for the employer is to proceed to communicate reliably to the workers of the organization about:

• The permitted uses of computers.
• Internet access permissions, as well as the mechanisms that will be implemented for their control, (also available with the monitoring software).

In this way, if these technologies are used for private purposes contrary to these guidelines or prohibitions, and with knowledge of the applicable controls and measures, it will not be understood that the control has violated “a reasonable expectation of privacy”.

Companies are obliged to keep a daily record of the hours that each employee works, in order to be able to ensure the control of overtime. This control, according to the National Court (AN), must be carried out even in those companies in which no overtime is worked. In letter c) of section 4 of article 12 of the Workers’ Statute, it is established that: “the working hours of part-time workers will be recorded daily and totaled monthly, delivering a copy to the worker, together with the salary receipt, of the summary of all hours worked in each month”. The ruling, dated December 4, 2015, determines that “The registration of working hours, not overtime, is the constitutive requirement to control excess hours”. Furthermore, it asserts that the denial of this registration “places workers in a situation of defenselessness that cannot be tempered because overtime hours are voluntary, since the only means of proving them is, precisely, daily control”. The creation of a registry, the resolution concludes, will eliminate any doubt about whether or not overtime is done and whether it is voluntary.

Not only that, but it is mandatory in compliance with art. 91 of the RLOPD: “Limit access only to those resources that users require for the development of their functions” . With Edorteam DLP, you can authorize or revoke access authorization to programs, files by type, or Internet browsing.

If the computer equipment is not managed through personal user accounts, it will be necessary to define user profiles in the Edorteam DLP application itself to guarantee:

• 91.3 of the RLOPD: Requirement of the establishment of “ mechanisms to prevent a user from accessing resources with rights other than those authorized . “
• 93.1 of the RLOPD: Mandatory nature of the “Adoption of the measures that guarantee the correct identification and authentication of the users” regardless of the level of security of the data that you are going to use and process.
• 93.2 of the RLOPD: Requirement of the establishment of “A mechanism that allows the unequivocal and personalized identification of all those users who try to access the information system and the verification that they are authorized.”
• 31 bis of the Penal Code (approved in Organic Law 1/2015, of March 30). In order to avoid criminal liability of the company for possible crimes committed by its directors, employees and collaborators, the implementation of organization and management models that seek the exemption / mitigation of criminal liability of the company and its directors is foreseen . The risk, today, that a legal person may be involved in a crime against privacy or computer intrusion (art. 197 of the Penal Code) is so great that restrictive and security measures must be imposed with maximum zeal. Obviously, the technical degree of this risk will involve independent technical advice from IT specialists, engineers or qualified personnel.

When the authentication mechanism is based on the existence of passwords, it must be ensured that they:

• 93.2 of the RLOPD: Unique passwords will be defined for each user so that “Allow the unequivocal and personalized identification of all users who try to access the information system and verify that they are authorized.”
• 93.3 of the RLOPD: The storage of passwords must guarantee “Your confidentiality and integrity.”

Indeed, through the DLP software, it is possible to easily and intuitively manage the password options of the Windows policy. This allows the configuration of:

• Minimum password length.
• Minimum and maximum validity of the password.
• Password history.
• Blocking threshold.
• Duration of the blockade.

This configuration complies with:

• 93.4 of the RLOPD: The periodicity of password renewal “In no case will it exceed one year.”
• 98 of the RLOPD: From the treatment of data considered of medium level, the establishment of “A mechanism that limits the possibility of repeatedly attempting unauthorized access to the information system.”

Not only is it possible, but the control of Internet browsing is a mechanism to verify compliance on the part of the worker of his obligations and labor duties. Said control cannot be carried out in any way, so the employer must reliably communicate to the workers of the organization the permitted uses of Internet access, as well as the mechanisms that will be implemented for its control (review answer to the question Should I inform users?). According to a study carried out by Robert Half International, a company specializing in executive personnel, browsing the Internet leads the list of tasks in which time is wasted during the workday. To avoid excessive use, around 25% of Spanish companies have limited the use of the Internet at work, according to a survey carried out by Adecco. With our DLP software, it is also possible to record and control Internet access and generate reports of time spent on the different pages visited. At the same time, it allows the customization of blacklists (access denied to web pages) by team.

Naturally yes. The Administrator can activate the monitoring of attempts to access applications, files located in certain directories, encrypted files, files located on USB-connected devices and web pages on the Internet. When the data contained in the files or accessed through the applications are considered to be of a high level of security, art. 103.1 of the RLOPD establishes that: “for each access attempt, at a minimum, the user identification, the date and time it was carried out, the file accessed, the type of access, and whether it has been authorized or denied will be saved.”

When the data contained in the files or accessed through the applications are considered to be of a high level of security, not only is it mandatory to register the access, but art. 103.4 establishes that “the minimum period for preserving the registered data will be two years.” Edorteam DLP stores access records by default for 2 years, although it is possible to extend the term.

Screenshots are a graphic tool for recording the activity carried out within the organization. Trigger settings allow defining those events that will be photographed (or captured) when they occur, defining the time between captures and the storage time for the images.

Not only is access registration necessary, but said registration information must be accessible by those responsible for its review and analysis. Art. 103.5 of the RLOPD establishes that “the security manager will be responsible for reviewing the registered control information at least once a month and will prepare a report of the reviews carried out and the problems detected.” The monitoring software incorporates a report viewer for access to applications, files and web pages visited, encrypted files, screenshots and time control, fully exportable for review by authorized personnel.

Of course, in order to facilitate the Security Manager the task of analyzing the information and preparing the report of the reviews and problems detected, required in art. 103 of the RLOPD, offers the service of managed activity analysis . Said analysis includes the provision of a report with details of the activity record and usage and access statistics.

Why it is mandatory to guarantee improper access to information during its transport or transmission. Data encryption is the process by which readable information is transformed by an algorithm into unreadable information. This illegible information can be sent to a recipient with much less risk of being read by third parties. The regulatory development of Organic Law 03/2018, of December 5, on the protection of personal data and guarantee of digital rights establishes:

• 92.3 of the RLOPD: In the transfer or sending of documentation “Measures will be adopted to prevent the theft, loss or improper access to information during its transportation.”
• 101.2 of the RLOPD: The distribution of media containing high-level personal data “It will be done by encrypting said data.”
• 104 of the RLOPD: The transmission of high-level personal data through public networks or wireless electronic communications networks “It will be done by encrypting said data.”

Whenever they wish to guarantee the integrity and confidentiality of the information contained in work equipment, portable devices or that documentation that is attached to an email. For this, the ET Encrypt encryption module offers different modes of use:

• Folder Encryption / Decryption: Encrypts / decrypts the contents of an entire folder.
• File encryption / decryption: encrypt / decrypt file content with online decryption option (at no cost to recipient).
• Creation of secure folder: automatic encryption of the files contained in the secure folder for private use by the user.

Converting from removable device (connected by USB) to secure device: the encryption application allows the creation of the secure folder on the external device with automatic encryption of the files contained in it for the safe transfer of the device.

When choosing DLP software, it is important to consider factors such as ease of integration with your existing infrastructure, the ability to monitor various types of data, the flexibility to customize security policies, and support for regular updates to address new cybersecurity threats.

 

Yes, DLP software or Data protection software, is crucial for companies of all sizes. Although large companies may be more attractive to cybercriminals, small and medium-sized companies.

Implementing our Data Loss Prevention software provides a solid defense against internal and external threats, helping to protect business continuity.

Yes, our Data Loss Prevention (DLP) software includes functionalities to generate detailed reports. These reports will allow you to obtain a complete vision of how confidential data is being handled within your organization, including unauthorized access attempts, blocked data transfers, and compliance with security policies.