How to stop data leaks over email in India: a 2026 playbook for SMBs
The question “how to stop data leaks over email in India” lands on my desk most weeks now. Usually it arrives the morning after something already left the building. A pricing sheet to a competitor’s domain. A 3,000-row customer export to someone’s personal Gmail. A reply-all that included an HR salary attachment. None of these are sophisticated attacks. They are the everyday way Indian businesses bleed data, and they are also the cheapest leaks to stop. The catch is that you have to design for them on purpose, not bolt them on after the fact.
Where email leakage actually happens in an Indian office
I have seen the same four patterns across 200+ Indian engagements, and we have done this rollout enough times to know which one bites first. The first is the personal-archive habit. A sales lead, a finance manager, an HR partner forwards work files to their own Gmail or Yahoo so they can work from home over the weekend. No malice. It is the same instinct that made jugaad a compliment. It is also a clean DPDP breach the moment a customer’s PAN sits inside that mailbox.
The second is the wrong-recipient mistake. Outlook autocompletes the address. The user clicks send. The customer list goes to the vendor with a similar name. This single pattern accounts for a measurable share of breaches in the Verizon 2024 DBIR, where 68 percent of breaches involve a human element. The fix is not training alone. The fix is a delay-and-confirm prompt on the send button when the message carries sensitive content.
The third is the hidden-tab attachment. Someone shares a quarterly summary Excel. The summary is fine. Tab three is a master price list. The customer opens it the same evening. The fourth is the auto-forward rule, often set up by a leaver who wants their contact list portable. It runs silently for months.
How to stop data leaks over email in India: the four-control playbook
If you do nothing else, do these four. They are the floor, not the ceiling. They are also what the MeitY DPDP framework implies your reasonable-safeguards obligation looks like once the rules are notified.
Control one is outbound content scanning. Every outgoing email is read for patterns: PAN, Aadhaar, bank account, credit card, customer list size, salary tables. Anything that matches a sensitive pattern triggers an action: block, encrypt, or warn the user before send. Microsoft Purview, Mimecast, and Trellix all do this; the Sirius Star Secure Data Guard policy ships with the Indian pattern library preloaded, including GSTIN and DIN.
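An added example of the matching step in Control one (not code from Purview, Mimecast, Trellix or Secure Data Guard): regex candidates for PAN, Aadhaar and GSTIN, with Aadhaar's Verhoeff check digit used to discard look-alike 12-digit numbers before the block/warn decision. The domain `example.in`, the `bulk` threshold and the sample text are assumptions constructed for the illustration.

```python
import re

# Verhoeff multiplication (D) and permutation (P) tables, one string per row.
D = ("0123456789 1234067895 2340178956 3401289567 4012395678 "
     "5987604321 6598710432 7659821043 8765932104 9876543210").split()
P = ("0123456789 1576283094 5803796142 8916043527 "
     "9453126870 4286573901 2793806415 7046913258").split()

def verhoeff_ok(number: str) -> bool:
    """True when the trailing check digit is consistent (Aadhaar uses Verhoeff)."""
    c = 0
    for i, ch in enumerate(reversed(number)):
        c = int(D[c][int(P[i % 8][int(ch)])])
    return c == 0

# name -> (regex, optional validator run on the digits of each match)
PATTERNS = {
    # 4th letter of a PAN is the holder type (P = person, C = company, ...)
    "PAN": (re.compile(r"\b[A-Z]{3}[ABCFGHJLPT][A-Z]\d{4}[A-Z]\b"), None),
    # 12 digits, never starting with 0 or 1, not part of a longer digit run
    "AADHAAR": (re.compile(
        r"(?<!\d[ -])\b[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}\b(?![ -]?\d)"), verhoeff_ok),
    # state code + PAN + entity code + 'Z' + check character
    "GSTIN": (re.compile(r"\b\d{2}[A-Z]{5}\d{4}[A-Z][1-9A-Z]Z[0-9A-Z]\b"), None),
}

def scan(text: str) -> dict:
    """Count matches per identifier type, dropping checksum failures."""
    hits = {}
    for name, (rx, check) in PATTERNS.items():
        found = [m for m in rx.findall(text)
                 if check is None or check(re.sub(r"\D", "", m))]
        if found:
            hits[name] = len(found)
    return hits

def decide(text, recipients, own_domain="example.in", bulk=10):
    """Outbound action for one message: allow, warn (prompt sender) or block."""
    # own_domain and bulk are assumed values for this example
    hits = scan(text)
    external = any(not r.lower().endswith("@" + own_domain) for r in recipients)
    if not hits or not external:
        return "allow", hits
    return ("block" if sum(hits.values()) >= bulk else "warn"), hits

# Constructed sample body: one PAN, one Verhoeff-valid and one invalid 12-digit run.
SAMPLE = "PAN ABCPK1234L, Aadhaar 2000 0000 0009, order ref 2000 0000 0008"
```

The checksum step is what keeps order references and phone-like numbers from flooding the audit log with false Aadhaar hits.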
Control two is sensitivity labels. Mark documents as Internal, Confidential, or Restricted at creation time and let the label travel with the file. The email system then refuses to send a Restricted file to an external domain unless the sender escalates. This is the single highest-leverage control because the protection survives forwarding.
Control three is attachment-aware rules. Scan inside attachments, not just the email body. Look at every tab in an Excel, every page in a PDF, every embedded image with text in it. Bonus points for unzipping archives before scanning. Without this, a one-line email with “Q4 numbers attached” routes around every body-text rule you wrote.
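The attachment walk described in Control three, as an added example that is not any vendor's implementation: it opens ZIP archives and `.xlsx` files (which are ZIP containers), scans every worksheet part, and reports tabs marked hidden in `xl/workbook.xml`. The single PAN-shaped regex stands in for a full pattern library, and the depth and size limits are assumed values; oversized or over-nested members are reported as unscanned instead of being passed silently.

```python
import io, re, zipfile

PAN = re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b")  # PAN shape only, stands in for a full library
MAX_DEPTH, MAX_MEMBER = 4, 20_000_000         # assumed limits; tune per mail gateway

def scan_attachment(name, data, depth=0, found=None):
    """Walk an attachment, opening ZIP/OOXML containers; return (path, kind, detail) rows."""
    found = [] if found is None else found
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            found.append((name, "unscanned", "nesting too deep"))
            return found
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                path = f"{name}!{info.filename}"
                if info.file_size > MAX_MEMBER:
                    found.append((path, "unscanned", "member too large"))
                elif not info.is_dir():
                    scan_attachment(path, z.read(info), depth + 1, found)
        return found
    text = data.decode("utf-8", "replace")
    if name.endswith("xl/workbook.xml"):        # sheet list of an .xlsx
        for tag in re.findall(r"<sheet\b[^>]*>", text):
            state = re.search(r'\bstate="(hidden|veryHidden)"', tag)
            if state:
                title = re.search(r'\bname="([^"]*)"', tag)
                found.append((name, state.group(1), title.group(1) if title else "?"))
    hits = PAN.findall(text)
    if hits:
        found.append((name, "PAN", len(hits)))
    return found

def build_sample():
    """Constructed input: a ZIP holding a two-tab workbook whose second tab is hidden."""
    cell = ('<worksheet><sheetData><row><c t="inlineStr"><is><t>%s</t></is></c>'
            '</row></sheetData></worksheet>')
    book, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(book, "w") as x:
        x.writestr("xl/workbook.xml", '<workbook><sheets><sheet name="Summary" sheetId="1"/>'
                   '<sheet name="Clients" sheetId="2" state="hidden"/></sheets></workbook>')
        x.writestr("xl/worksheets/sheet1.xml", cell % "Q4 summary")
        x.writestr("xl/worksheets/sheet2.xml", cell % "ABCPK1234L")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("q4/report.xlsx", book.getvalue())
    return outer.getvalue()
```

Real workbooks usually keep cell text in `xl/sharedStrings.xml`; because every member of the container is scanned, that part is covered by the same walk.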
Control four is the real-time prompt. When the sender attempts something risky (large customer list, external recipient, sensitive label), the system shows a yellow banner: “This email contains 2,847 customer records. Send anyway?” Most users will not. The 5 percent who say yes get logged for the audit trail. This one design choice changes culture inside three weeks.
What email DLP actually costs in India
Indicative ranges for a 100-user Indian SMB on Microsoft 365, sourced from 30+ deployments we have run in the last 18 months. Final pricing depends on plan and partner.
| Approach | Indicative cost per user/month | What you get | Where it falls short |
|---|---|---|---|
| Native M365 DLP (Business Premium) | Rs.0 (bundled) | Basic outbound rules, limited custom patterns | No Indian pattern library, weak attachment inspection |
| Microsoft Purview DLP add-on | Rs.450 to Rs.700 | Full pattern library, sensitivity labels, audit log | Setup needs an experienced Indian partner |
| Specialist (Mimecast, Proofpoint, Trellix) | Rs.350 to Rs.900 | Strong attachment scanning, sandbox, threat intel | Two consoles for IT to manage |
| Secure Data Guard (Sirius Star) | Rs.749 per device/month, CORE tier | Indian-pattern library, M365 + Gmail in one console, audit-ready evidence pack | We are biased; ask us for a fit assessment |
A clean rollout for 100 users sits between Rs.3 lakh and Rs.8 lakh in year-one partner fees on top of licences. That covers pattern library tuning, sensitivity-label rollout, policy testing, and end-user comms. Self-deploying to save Rs.5 lakh is the path that produces the half-configured DLP an auditor circles in red. We have rescued seven of those this year.
The DPDP angle: what penalty are you avoiding
The Digital Personal Data Protection Act of 2023 sets a maximum penalty of Rs.250 crore for breach of reasonable security safeguards. The actual bracket your business sits in depends on size, intent, and remediation speed. Indian SMBs are typically modelling Rs.5 lakh to Rs.50 crore as the realistic exposure window. The CERT-In 6-hour incident reporting directive makes the clock visible: a leak detected at 9am Monday means a written notice by 3pm Monday. Most companies cannot answer the auditor’s next question, which is “show me the controls that should have prevented this”.
Per the IBM Cost of a Data Breach Report 2024, the average Indian data breach now costs Rs.19.5 crore, and email is the second most common entry point. Add the DPDP exposure and the math arrives at the same answer the CFO does: the controls are cheaper than the event.
How Sirius Star sequences email DLP for an Indian SMB
We split a rollout into 21 days, not 90. Day 1 to 7 is discovery, where we map your current outbound mail patterns and pull the top 20 risky senders. Day 8 to 14 we deploy the four controls in audit-only mode, so nothing blocks, but everything is logged. Day 15 to 21 we flip to enforce on the highest-risk patterns first (Restricted labels, large customer-list exports) and leave the lower-tier rules in warn-mode for another four weeks while end users adjust.
The most useful artefact from this sequence is the evidence log. By Day 21 you have a written record of what was attempted, what was blocked, and what was approved with a business reason. That log is what an RBI, SEBI, IRDAI, or DPDP auditor wants to see, and most Indian businesses cannot produce one today.
For the wider DLP picture, the Secure Data Guard email DLP product page carries the full Indian pattern list. "DPDP compliance for MSME India" covers the obligation side. "DPDP penalties for Indian SMBs" walks the rupee figures by company size. "Data theft scenarios HR team" deep-dives the leaver and auto-forward pattern. For audit prep, "DPDP audit India" walks the evidence pack.
Every week you delay the rollout, the exposure compounds. Audit slots open until end-of-month, 11 firms booked this month, written findings doc by Day 7. Reply on WhatsApp to start.
P.S. Priya here. We ran this exact 21-day sequence last week for a Mumbai broking house at 140 users. On Day 3 of audit-mode we caught 14 outbound emails carrying client PAN data to personal Gmail accounts, including one from a department head who genuinely did not realise it counted. By Day 21 that number was zero, and they had the evidence log SEBI asked for the following month. The auditor was 60 days away, not theoretical. Take the slot before yours is.






