How to Create a Data Loss Prevention Policy That Works

Cloud technology enhances collaboration and productivity through sharing and increased access, yet without security tools in place, the door to data loss swings wide open.

If you’re reading this, your job probably involves data loss prevention (DLP). We designed BetterCloud’s Google Drive Compliance Engine to make your job easier.

Each lost sensitive document costs organizations an average of $154. While $154 appears low, how many data breaches contain one document?

Thousands of organizations use BetterCloud as their DLP tool because our Google Drive Compliance Engine scans documents for sensitive information using regular expression (regex) searching, and then automates actions when violations occur. IT admins get peace of mind and users can still collaborate.

Getting Started: If you’ve never set up a Drive Compliance Policy or Audit in BetterCloud, I suggest you read our support article on the topic before continuing.

Differentiating Between an Audit and a Policy

First, the basics. With BetterCloud’s Google Drive Compliance Engine you can automate the management of your domain’s Drive by either performing an audit or applying a policy.

• Audit: A one-time report on documents within your domain that fit certain criteria. Though no actions are taken on violations, audits present a snapshot of your domain.
• Policy: Whereas an audit is used for reporting purposes, a policy can be configured to automatically correct security violations. You can create multiple policies and apply them to specific organizational units (OUs), users, or the entire domain.

Building a DLP Policy That Fits Your Needs

To create the most restrictive DLP policy possible, apply your policy to “Everyone.” Also, set your policy to scan all documents shared publicly or externally. You can exempt users from a policy as needed, but know this: the more people who are exempt, the riskier your policy becomes.

Note: Creating a policy this restrictive isn’t recommended for every organization–customize your policy to fit your security needs. You can configure the settings above to run as an audit for an understanding of your users’ sharing habits.

Conditions define what your policy will look for and which documents it will search. There are several predefined conditions you can use, along with the ability to create a custom regex.

• Sharing Settings: Searches for documents that are set at different levels of exposure (i.e. All, Public, Public Only, etc.)
• Shared with: Searches for documents that are shared with certain users or domains
• Content: Searches for specific content in a document by using regex (Payment Information, Profanity, SSN, etc.)
• Owner: Searches for documents that are either owned or not owned by a particular user
• Size: Searches by size
• File Type: Searches by file type
• File Name: Searches by file name

View our support article for a list of every policy condition.

Your users should never share sensitive information publicly (i.e. credit card and social security numbers). In healthcare, protecting personally identifiable information (PII) is mandatory. Hospitals use BetterCloud’s preset conditions to search documents for any (or all) of the below:

• US Social Security Numbers (SSN)
• US Zipcodes
• US Phone Numbers
• Email addresses

Many IT admins are responsible for securing credit card information. BetterCloud’s Google Drive Compliance Engine enables you to set conditions to search for publicly shared Visa, MasterCard, American Express, and Discover Card information. You can even create a custom regex to search for payment types common in your location.

You may be wondering, is it better to create one policy or multiple smaller ones?

You need to build the DLP policy (or policies) that fits your needs. In regulated industries that may mean creating one policy that restricts all public sharing. But many times, you’ll need to create many policies to determine which documents are in violation, and by whom.

Two common DLP policies are:

• A policy ensuring no one in your organization shared a SSN publicly, externally, or with your domain.
• A policy ensuring your Finance team cannot share documents publicly.

If your policy contains many conditions, which is common, you need to tell the policy how it should work.

For a DLP policy that catches the smallest infraction, choose, “OR” instead of “AND.”

Choosing “OR” means your policy will trigger on documents that meet ANY of the conditions you set. Choosing “AND” makes your policy narrower, meaning a violation must meet ALL conditions to run an action.

For example, searching for payment information and SSNs and selecting “OR” will find documents containing EITHER criteria in violation. If you choose “AND” instead, a violation will only occur when a document contains both payment information AND SSNs.

Testing and Running Your Policy

Depending on your industry, you may need to scan all publicly or externally shared Google Drive files. If you need to correct past problems, this is the best action to take (and what I recommend).

If you’re only concerned about catching violations on new documents, select “from this point forward.” This will scan documents added or edited from that day on.

When you run a policy, it will begin taking actions on violations immediately. If you don’t have a clear picture of which documents your policy will affect, run it first as an audit.
Audit Mode doesn’t take actions, but rather sends a report with its findings. If the results aren’t what you intended, tweak the policy as needed.

Once in Policy Mode, you can apply any (or all) of the actions below on documents caught in violation.

• Flag as Violation
• Change Sharing Settings
• Change All Editors to Viewers
• Remove Collaborators
• Transfer Ownership
• Send Message

I recommend, at the very least, for a violation to trigger an email to you or another administrator, as well as to the document owner. Also, flag violations to view them in the BetterCloud dashboard.

You can edit the default message a user receives to give the message your own flair. The email should contain specifics about the violation and how to remedy it. This empowers users to correct their own violations and learn from their mistakes.

For high-security violations (and ones that are less likely to occur), set your email to send immediately. For less urgent violations, a separate policy and daily email digest will do.

Reducing Monotony Through Automation

Once you run a BetterCloud Drive Compliance policy, it runs nonstop, making data loss prevention a “set it and forget it” activity. Creating the right policies today can keep your organization secure tomorrow–and as a bonus, you’ll have more time to work on strategic and important tasks.

How are you using BetterCloud to prevent data loss? I’d love to hear your stories in the comments section below!