
Building A Business Case For Data Loss Prevention (DLP) Tools


While data loss prevention has traditionally been driven by compliance regulations and insider threats, companies of all sizes and industry segments are looking to DLP tools to help protect sensitive data.

There's a reason why data breaches are such a hot topic. They cost real money, and the price tag keeps going up. An IBM-commissioned study reports that in 2015 the average cost of a breach to a global company was between $3.5 and $3.8 million. That finding was 23 percent higher than in a similar 2013 study. But wait, it gets worse. A 2009 study by Aberdeen Group calculated the average loss per breach at $640,000, so the price tag for not protecting yourself is on a sharply rising trend.

According to the Ponemon Institute, which prepared the 2015 IBM study, this increase in cost per breach is driven by three factors:

  1. Cyber-attacks increase both the frequency of breaches and the cost to remediate them. 
  2. Lost business is increasing the cost per file breached.
  3. Demand for detection and escalation services, and thus their prices, has been growing precipitously.

The response to this massive and evolving problem is a class of software solutions to prevent and mitigate data loss. DLP software can take many forms and engage many technologies. DLP tools and processes help prevent sensitive data from being lost or stolen, whether accidentally, through end-user mistakes, or through malicious attacks and security breaches.

While popular in regulated industries and organizations bound by compliance, like healthcare and financial services, DLP is being utilized by a wide variety of industries and companies of all sizes. Earlier this year Gartner Research predicted that DLP adoption will rise to 90 percent by 2018.


Making The Case For DLP

Let's assume that your company has just reached the size where it needs to be really concerned about DLP. You just had your first couple of substantial breaches, and you're considering an entry-level DLP package. That would include network and endpoint security controls to protect against data loss in transit and in use. The other state of data, at rest, is assumed to be already secure.

For demonstration purposes, we'll consider a for-profit company domiciled in the United States. It's toward the high end in the mid-sized business category, growing 15 percent per year, with $100 million in annual EBITDA (earnings before interest, taxes, depreciation and amortization, which is the truest measure of profitability before the accountants get too creative). Our fictitious company is in the industrial sector, which means that it has a loss-per-record metric right around the all-industry average, and it has none of the special compliance requirements that affect the healthcare or financial industries. Nor is it a favorite among hackers, so it was able to grow to this size without attracting too much unwanted attention.

But no longer. It just suffered four apparently unrelated breaches. One tablet was lent out by a disgruntled employee and another was simply lost then found by a bad actor. There were also two professional infiltrations via the network, one by a competitor and another by, well, anybody's guess. Costs are still being assessed, so management wants to go with benchmark data for purposes of making the case. Maybe this overstates the losses from the mobile devices, but there's no way to know for now.

Now we add a layer of detail. We're assuming that these breaches averaged 25,000 files each at a loss of $150/file. The model allows for splitting the figures between in-transit and in-use breaches, but we're holding them equal in the absence of better data. Unless something is done, we expect the number of breaches to increase 50 percent annually, while the number of files per breach grows 10 percent and the cost per file grows 25 percent. Also, the company just launched a permanent forensics, assessment and audit function, costing $850,000 in its first year and increasing 10 percent annually from there.

Here's what the current state looks like:

Figure 1: Current costs to be impacted by DLP solution

As in earlier business case examples, we provide a line for new ongoing costs, which stays blank in the current state.

A quick market scan suggests that the table stakes for adopting a robust, enterprise-grade DLP solution are in the neighborhood of $1 million:

Figure 2: DLP one-time costs

Over time, we estimate that DLP could halve the growth of the number of both individual breaches and the number of files per breach. Further, DLP might reduce the growth in the cost per file from 25 percent/year to 10 percent/year. From there, we forecast this target state:

Figure 3: Target costs impacted by DLP solution

We added new ongoing costs comprising hardware maintenance, software support, administration, and business continuity and recovery services. You'll notice that the EBITDA numbers don't change from the current state. You might argue that, if this firm is seen as doing something about data loss while others are floundering, it could attract more business. But that would be double-counting: loss of business is already baked into the cost per data file breached.

Since the decision about adopting a DLP solution is in itself an exercise in risk reduction, we can give this a low 7 percent discount rate. Frankly, the discount rate d could approach 200 percent and the results would point in the same direction:

Figure 4: Investment analysis
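As an added example (not the article's own Excel calculator), here is the projection above written out in Python with the article's inputs. The five-year horizon, the treatment of year 1 as the baseline year with growth compounding from year 2, the one-time cost falling at year 0, and the $250,000/year placeholder for the unquantified new ongoing costs are all assumptions, since the article leaves them unstated.

```python
# Added example: the article's breach-cost projection and investment analysis in code.
# Assumptions (not stated in the article): a 5-year horizon, year 1 at the baseline
# values with growth compounding from year 2, the one-time DLP cost paid at year 0,
# and ONGOING_DLP_COST as a placeholder for the unquantified new ongoing costs.

ONGOING_DLP_COST = 250_000.0  # placeholder: hardware maintenance, support, admin, BC/DR


def project(years, breaches, files, cost_per_file, forensics,
            breach_growth, file_growth, cost_growth,
            forensics_growth=0.10, ongoing=0.0):
    """Yearly total exposure: breach losses + forensics/audit function + ongoing DLP cost.

    Breach counts are expected values, so they may become fractional after growth."""
    totals = []
    for _ in range(years):
        totals.append(breaches * files * cost_per_file + forensics + ongoing)
        breaches *= 1 + breach_growth
        files *= 1 + file_growth
        cost_per_file *= 1 + cost_growth
        forensics *= 1 + forensics_growth
    return totals


# Current state: four breaches of 25,000 files at $150/file, an $850k forensics function,
# breaches +50%/yr, files per breach +10%/yr, cost per file +25%/yr (the article's inputs).
CURRENT = dict(breaches=4.0, files=25_000.0, cost_per_file=150.0, forensics=850_000.0,
               breach_growth=0.50, file_growth=0.10, cost_growth=0.25)
# Target state: DLP halves the growth of breaches and of files per breach and cuts
# cost-per-file growth to 10%, at the price of the new ongoing costs.
TARGET = dict(CURRENT, breach_growth=0.25, file_growth=0.05, cost_growth=0.10,
              ongoing=ONGOING_DLP_COST)


def current_state(years=5):
    return project(years, **CURRENT)


def target_state(years=5):
    return project(years, **TARGET)


def dlp_npv(rate=0.07, years=5, one_time=1_000_000.0):
    """Net present value of adopting DLP: discounted yearly savings less the up-front cost."""
    savings = [c - t for c, t in zip(current_state(years), target_state(years))]
    return -one_time + sum(s / (1 + rate) ** t for t, s in enumerate(savings, start=1))


if __name__ == "__main__":
    for year, (cur, tgt) in enumerate(zip(current_state(), target_state()), start=1):
        print(f"year {year}: current ${cur:,.0f}  target ${tgt:,.0f}  saving ${cur - tgt:,.0f}")
    for d in (0.07, 2.00):  # the article notes the sign does not change even near 200%
        print(f"NPV at {d:.0%} discount rate: ${dlp_npv(rate=d):,.0f}")
```

Changing the growth rates or the ongoing-cost placeholder shows how sensitive the case is to each input, which is the point of running it at both 7 and 200 percent.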

Remember, though, that just plugging in appliances and software is not the answer. Aberdeen Group recommends that the following processes be part of your IT protocols:

  1. Identify and classify your data
  2. Prioritize your security objectives
  3. Establish consistent policies
  4. Invest in documentation, awareness and training
  5. Assign clear ownership and accountability

Selecting and deploying DLP solutions, automating enforcement and measuring and monitoring results go, of course, without saying--but they say so anyway.

Business Case Resources:

To help you get your business case for data loss prevention (DLP) tools off the ground, download this Excel calculator and PowerPoint template, which you can customize to your needs.

The Excel calculator will help you determine your current state, project costs, and target state. It includes all of the inputs you'll need so you can present the final analysis. The PowerPoint template will walk you through adding the analysis from the Excel calculator so you can present the information to your stakeholders in a logical way.

  >> Download Excel Calculator
  >> Download PowerPoint Template

To get a better understanding of the key metrics and math used in these resources, take a look at How to Build a Successful Business Case for an IT Project.
