Something you'll hear again and again in the security sector is that you cannot protect what you cannot see, and for years, that meant knowing where your data was stored and who had access to it. But the way data moves has changed, and data loss prevention (DLP) tools have not kept up. According to Zscaler ThreatLabz’ ‘2026 AI Security Report’, ChatGPT generated 410mn DLP policy violations last year, a 99.3% year-on-year increase, and these were only the violations that existing tools could detect. The problem is not that organisations have ignored DLP. Many companies have existing policies in place and have invested significantly in tooling. The issue is that DLP was designed to catch data moving into files – through email attachments, USB drives and cloud synch – so when an employee pastes a quarterly forecast or a client list into a free-tier AI account, none of those controls apply. The transfer disappears into encrypted web traffic and the security stack reports all clear.
“The biggest DLP mistake is trying to enforce control before establishing reliable visibility,” says Subhalakshmi Ganapathy, chief IT security evangelist at ManageEngine. “Many organisations roll out policies quickly, but they still don’t have an accurate, living inventory of where sensitive data actually sits.” According to ManageEngine research, unstructured data doubles every two to three years. This means that organisations still treating classification as a periodic exercise have already fallen behind. With data growing faster than the scans that are supposed to find it, Ganapathy says the answer is not more scans, but a continuous, automated approach that prioritises the highest-risk data and the most exposed movement paths rather than attempting to cover everything at once. “When discovery is incomplete, DLP controls become selective by default, and selective protection creates predictable blind spots,” she says.
Many organisations roll out policies quickly, but they still don’t have an accurate, living inventory of where sensitive data actually sits.
Subhalakshmi Ganapathy, ManageEngine
DLP tools were originally built around recognisable patterns such as payment card numbers, national identity formats and defined keyword lists.
This means that DLP performs well on regulated data types where the sensitivity is defined and the format is consistent. DLP was not created to recognise meaning and that is exactly where most of the exposure can be found. Acquisition targets, competitive intelligence, internal strategy and financial forecasts do not match a known pattern, and unless someone has already manually labelled the source file, a prompt summarising a board presentation reads as ordinary web traffic. “Traditional DLP often flags based on keywords or file signatures without understanding who is accessing the data, why it is being moved, whether the destination is expected, and how behaviour compares to baseline patterns,” says Ganapathy. “The result is either under-detection of real risk or excessive noise.” For example, in a DLP log, a prompt about an upcoming merger could look like a search query and a pasted sales pipeline may come up as a browser form. If anything, the data that would do the most damage if it walked out is the data that most DLP systems are least equipped to catch.
According to the Ponemon Institute's ‘2026 Cost of Insider Risks: Global’ report, negligent employees are the root cause of 53% of insider incidents, but most of them are not what people picture when they hear insider threat. No one is walking out the office with a USB filled with company secrets. Instead, it’s someone in a hurry sending an important file to the wrong distribution list, or using a personal AI account to summarise a document because it is faster than the approved tool. “These are business-process failures as much as security failures,” says Ganapathy, and explains that because most organisations now operate in distributed environments, the data access pathways have multiplied. Between hybrid workforces, cloud collaboration, outsourced operations and machine-to-machine interactions, the data has outpaced the controls designed to protect it.
When DLP programmes have visible gaps, the response may be to close everything at once, prodded by compliance deadlines or pressure to show quick results, and it tends to produce the opposite of what was intended. In Ganapathy’s experience, alerts spike, policies start to overlap and security teams end up managing noise rather than risk. “DLP changes behaviour, not just infrastructure,” she says. “Teams need time to validate data classification quality, calibrate policies, align legal and business stakeholders and train users on expected behaviour. Without this calibration window, controls are likely to be either too strict for business continuity or too weak for risk reduction.”
For Ganapathy, the biggest gap in most DLP programmes is not about tooling and the single biggest fix would be rethinking data protection from a compliance event to an operating model mindset. “In many organisations, data protection spikes around audits, incidents or regulatory announcements, then loses momentum,” she says.
“That pattern creates recurring exposure because controls are not embedded in daily decision-making.” Most organisations focus on whether data is useful, not on whether they could defend having it, and that is the wrong question altogether. “If an enterprise cannot defend purpose, access and retention clearly,” she says, “that data is already a liability regardless of whether an incident has occurred.”
DO THESE THINGS NOW
1. Identify your crown jewels
List your top five most sensitive data types and for each one ask: where is it stored? Who actually needs access? What happens if it leaks? Start from the most damaging scenario and work down.
2. Map where that data really lives
Check endpoints, file shares, email, SaaS apps, cloud storage, collaboration tools and printers. You’re specifically looking for spreadsheets with customer data dumps, overly permissive cloud buckets and printers that store scanned documents without authentication.
3. Enforce basic least privilege
Pick one critical dataset, remove everyone who does not actively need access and set a quarterly calendar reminder to review it. Do one high-risk area at a time.
4. Turn on DLP quick wins in email and cloud
In Microsoft 365 or Google Workspace, enable rules that detect sensitive patterns in emails and attachments and auto-encrypt or block them. In cloud storage, block sharing to personal accounts and require sign-in for external access.
5. Block the exfiltration paths on endpoints
Restrict USB storage, use browser controls to block uploads to personal cloud services and deploy endpoint DLP agents on laptops, not just on the network.
6. Use user behaviour as a DLP signal
Establish baselines for who accesses what and when, then alert on anomalies like large downloads after hours, bulk transfers before a resignation or access to data outside normal job function.
7. Run a purple team DLP test
Send dummy sensitive data to a personal email account. Did it block? Did it alert? How long did the alert take? Use what you find to tune your rules, then retest.
8. Fix the training gap
Run a focused awareness push on two things only: slow down before sending emails with attachments, and never paste sensitive data into an AI tool without knowing whether it is approved.
9. Check your printers and shadow IT
Require badge authentication for printing and scanning, disable default store-and-reprint functionality and periodically hunt for unmanaged printers and IoT devices on the network.
10. Set a realistic roadmap
This month, focus on identifying your crown jewels, enabling basic email and cloud DLP and putting USB restrictions in place for a pilot group. This quarter, expand endpoint agents, set up behaviour alerts and run your first purple team test. Next year, scale to more data types, more user groups and more advanced testing scenarios.
* Article first published on www.itweb.co.za

