How DLP Systems Adapted During the COVID-19 Pandemic

Let us discuss what problems companies have faced when transferring all work activity to a remote format, which communication channels have caused increased risks of data leaks, and how the business processes have changed in the view of new realities. I want to talk also about what mistakes companies made during this period and how the organizational and technical methods of control of remote workers have changed.


This year, many companies have experienced forced self-isolation and a sudden transition to the remote work mode. They quickly rebuilt their business increasing online sales and services while trying to maintain efficiency and, at the same time, protect themselves from new threats and risks.

Let us see how DLP vendors and their customers approached data loss prevention practices and remote employee monitoring in the new environment. Let us also see how DLP systems have adapted from a technical and organizational perspective and what problems were solved.

Problems of data loss prevention at the start of the transition period  

The main problem that emerged in the very first days of the pandemic was the unwillingness of a significant part of companies to fully switch to the online\remote mode of operation. Before the pandemic (depending on the sector), plenty of businesses had only a few employees working remotely, and the process of interaction with them was literally built in manual mode. When a significant proportion of people switched to distant work, many organizations practically lost control over staff activities.

Let us consider what problems have appeared in the field of protection against data leaks and related areas.

Controlling communication channels

Security officers had to reconfigure their DLP systems to be able to track new communication channels that suddenly became accessible to employees when they switched to the remote work mode and access to which was highly limited while working in the office work.

Being outside the perimeter of the organization, employees began to actively use not only their corporate cloud storage but things like Google Drive and Dropbox to exchange data, including confidential information. While IT departments were busy building secure remote access to corporate resources, employees, in order not to waste time, began to transfer data through personal accounts on public file-sharing resources.

The laudable zeal of staff for work could lead to serious incidents in the event of rogue redirects and hacking of free cloud storage systems, which are not perfectly protected by default. Not many workers bothered to dig into security settings and enable things like two-factor authentication.

Also, employees began to copy corporate data and documents to removable media much more often. If the DLP system did not block this and if the organization did not provide all employees with work laptops, then the mission of protecting against data leaks was difficult to accomplish.

Moreover, the IT and information security departments had to urgently think about a system for monitoring email traffic and terminal servers. In terms of monitoring corporate email, companies were forced to adopt technologies that allow them to monitor the mail server without using workstation agents. As for terminal servers, they were used by most enterprises to organize secure remote access for employees to internal resources.

Changing business processes

With the transition to the remote work mode, there have been changes in the already well-functioning and “debugged” business processes. First, DLP systems in companies have recorded a sharp increase in the amount of data sent and stored on workstations. Working in the office, employees could simply walk up to colleagues and show their work on a screen or give a presentation without using additional means of communication. In the remote mode, any interaction with colleagues began to be coupled with sending over various docs.

During online meetings (Zoom, Skype), the screen sharing mode was actively used. Some confidential data could get into the shared screen, allowing any participant to take screenshots or photos of the screen at any time.

Next, not all companies were able to provide their employees with work laptops. Many workers had to use personal devices to do their job. This significantly increased the risks of data losses since personal devices lack any corporate protection or even antivirus. The employer rarely has any right to require employees to install them.

In addition, personal laptops can be used by more than one family member, which significantly exacerbates the problem of illegal access to confidential corporate data that has begun to accumulate on these devices.

Organizational measures of protection

From an organizational point of view, to protect against data leaks, information security departments had to revise employee access rights to corporate information systems. Also, security officers had to strengthen their activities, preventing staff members from accidental information leaks. Additional training was carried out for employees, informing them about which resources and services should not be used when working remotely, which programs are considered unsafe, how phishing can cause data loss, and even touch on the problem of dangers associated with connecting to public Wi-Fi networks.

Some information security managers have set up internal newsletters about hacking and phishing for the sake of the exchange of information.

Monitoring remote work

A separate serious problem during the pandemic was monitoring the efficiency of remote employees. In general, while in the office, managers see what time their people come and go, who works a lot, and who is constantly distracted.

When working remotely, it is much more difficult to understand whether employees work enough and what their schedule is. It is important to understand the dynamics of the workload: whether the staff has begun to work less or, on the contrary, the workload has increased, and what are the reasons.

Analyzing traffic from DLP, it is possible to monitor work activity. Some people perceived remote work as an opportunity to relax. The DLP system may identify employees and even departments, the load on which increased significantly.

We may say that at the very beginning of the transition to the remote work mode, employees of IT departments heroically supported all business processes. During that period, in many companies, the number of requests for remote access to corporate resources grew like an avalanche.

In a number of companies, DLP systems recorded cases of employees reporting full workload, while, actually, they performed their work duties in a couple of hours and then went about their personal affairs.

In general, the transition to the remote work mode was much easier for those companies that already used a DLP system. They were able to adapt to remote protection of information quickly.

It was much more difficult for those who had to solve the problem from scratch. The quarantine period put confidential information of organizations at risk and affected the efficiency of employees who were not under proper control. As a result, during the periods of self-isolation, the number of incidents related to both accidental leakage of confidential information and attempts to deliberately leak data increased substantially.

Controlling work or spying on employees?

At the moment, the DLP market is oversaturated with modules that control the work of remote employees. The range of offers is wide: from tools that allow total control over a remote employee to solutions that track only performance specific indicators, helping to assess labor efficiency both at the current moment and in dynamics.

At the same time, employers should not forget that there is a difference between office and distant work, and the abundance of functionality in DLP is not always useful.

Let us consider a case when a new employee got a job in the office. The terms of remote work were clearly set in the employment contract, which included controlling all employee actions on the work laptop. Separately, it was stated that it is forbidden to mute the microphone and hide the image from the laptop’s webcam. The contract regulated the number of working hours that the employee must spend at the computer, which should have been supported by a corresponding video recording.

Such control seems to be excessive; monitoring should not turn into surveillance. And most importantly, this approach does not give the employer an answer to the most important question: “What is the real efficiency of the employee and the company as a whole?”

The employer needs to know whether a remote employee is working the required number of hours during the day, whether there is a gap in communication with colleagues, how long the employee uses work applications, whether and how much he is distracted by non-work tasks. It is important to know whether the work tasks are being performed, whether the time of their execution corresponds to the expected, what is the dynamics of the personnel performance in comparison with the previous period (day, week), and whether it is necessary to change the business processes accordingly.

Mistakes of switching to remote work mode

Many mistakes were made by companies when organizing secure remote access via VPN. Often, IT departments during the urgent transition to remote work mode either provided access to corporate resources to everyone or tightened things so that most employees had difficulties with access. The first scenario reduced the effectiveness of protection, and the second slowed down the company’s work.

Besides, some organizations tried to control the working time of remote employees using some improvised means and methods, for example, logging the fact and time of remote connection of employees to the company’s resources. This method, unfortunately, did not make it possible to understand what the employee was doing after connecting to the network and which applications he launched.

Capabilities of DLP systems in “combat” mode

In general, DLP systems provide a wide range of capabilities for protecting confidential information from leaks while in the remote work mode. DLPs can identify the activity and behavior of users by monitoring:

  • Traffic collected from different communication channels (email, instant messengers, etc.)
  • Data from the keyboards
  • Data being copied to external drives
  • Mouse clicks and movement
  • The time of shutting down the user’s laptop
  • The audio stream from the microphone
  • The video stream from the webcam

The most advanced systems complement this set of functions with advanced filtering, analytics, search, and reporting tools. All this helps the information security specialist to obtain a specific set of data on the actions of each employee working remotely.

DLP systems appeared on the basis of technologies for analyzing email activities. Later, their functionality was supplemented by protection against data leaks and analytics. Related technologies, such as time management tools, have been included in these solutions relatively recently. To choose the best solution, each company needs to understand what tasks in terms of protection against data leaks and control of remote employees must be solved.


It is necessary to control the actions of employees at remote workplaces not only from the point of view of security but also from the standpoint of the effectiveness of business processes. However, in the desire not to lose control over the company and protect confidential assets from leaks during this unusual period, it is important to remember that business is built on and for people. And if you control people tirelessly, then loyalty and the desire to be useful will steadily decline, and the number of intentional and unintentional data leaks will grow.