The one data leak DLP can't stop — and how FortiMail Workspace Security's dynamic watermark makes it attributable
There's a class of data leak that virtually no DLP product on the market can prevent, no matter how much you spend on it: an employee opens sensitive information on their laptop, pulls out their personal mobile phone, and takes a photograph of the screen. The DLP doesn't see it. The EDR doesn't see it. CASB doesn't see it. The information leaves the building on a device the enterprise doesn't control, and by the time anyone realises the leak has happened, it's on WhatsApp, on Telegram, in a competitor's inbox, on a public forum. There is exactly one class of defence that survives this scenario — and it's not prevention, it's attribution. This post is about how FortiMail Workspace Security (the productised form of what used to be Perception Point) does it, why the "photograph the screen" attack is now Indian enterprise's biggest under-defended data-leak vector, and what implementing this deployment shape actually looks like.
Deployment shape
Browser extension (agent referenced)
Documented browser extensions: Chrome, Edge, Safari, other Chromium-based browsers, and Firefox. Fortinet's page also mentions "or agent" — scope the specifics with your SE.
Watermark content
Username + timestamp
Semi-transparent overlay across viewed content — the composition Perception Point documented on release of the DLP capability.
What it doesn't do
Prevent, block, stop
This is a deterrent + attribution control. It doesn't stop leaks — it makes them personally consequential.
The class of leak it catches
Photo-of-screen
The one class no other defence handles. Also catches screenshot, screen-share, screen-record leaks.
The frameThe DLP blindspot that nobody wants to talk about
Every mature enterprise in India by now has some layer of DLP. It might be Microsoft Purview if you're an M365 shop, Symantec DLP if you inherited it, Netskope's cloud DLP, FortiDLP for Fortinet fabric customers, or homegrown CASB rules built on top of Microsoft Defender for Cloud Apps. All of these do something useful. All of them share the same fundamental limitation: they can only stop data movement through channels the enterprise controls. Upload to Dropbox? Blocked. Email an attachment to a personal Gmail? Blocked or quarantined. Copy-paste into an external app? Sometimes catchable. USB port write? MDM/EDR handles it. Print? Print-management catches it.
None of them stop this: the user has their phone in their hand, they aim it at their screen, they take a photograph. The photograph goes to Google Photos, then to WhatsApp, then anywhere. The enterprise has no visibility. The DLP records nothing because the user never triggered any of the classical exfiltration signals. Insider-threat detection based on behavioural analytics sometimes flags the pattern ("this user spent an unusual amount of time on document X"), but that's after the fact and doesn't prove the photograph was actually taken.
Email attachment to external
Content inspection at the mail gateway or via M365 API blocks or quarantines the outbound. Standard workflow.
Upload to unsanctioned SaaS
CASB / SWG inspects the upload payload. Blocks the transfer, alerts security.
USB / removable media
EDR / endpoint MDM blocks writes to removable storage. Standard control.
Copy-paste to another app
Endpoint DLP inspects clipboard content when pasted into unsanctioned processes. Blocks or logs.
Phone photograph of screen
User's personal phone is not corporate-managed. The DLP has zero visibility. The photograph leaves the environment on an out-of-band channel.
Screenshot pasted to personal chat
Screenshot to clipboard is caught if pasted on the same device. If posted from a different device (BYOD phone photo of same screen), out of band.
Screen-share leak on personal call
User joins a personal Zoom / Teams call from another device that mirrors their work screen (or shares via extended display). Zero DLP visibility.
Contractor / third-party device
Content viewed by a legitimate third-party consultant on their own laptop. No corporate agent. No DLP telemetry.
Why this matters more in 2026 than it did in 2020. Two shifts converged. First, current mobile-phone camera quality plus computational photography make photographs of a screen easily readable. Second, insider-threat incidents in Indian enterprise are up materially in the last three years — customer data leaks that turned out to be current or former employees photographing dashboards and selling them onwards. BFSI, healthcare, telecom, e-commerce have all had public incidents. Every one of these organisations had DLP. None of the DLPs could have stopped the photograph.
What FortiMail Workspace Security doesPerception Point's watermark, now in the Fortinet portfolio
Fortinet acquired Perception Point in December 2024, and per the current Fortinet product page has rebranded the platform as FortiMail Workspace Security. Fortinet's own description of the product line covers four modules: FortiMail Cloud SaaS (email), Browser Security, Collaboration Security, and managed 24×7 incident response. The module relevant to this discussion is Browser Security — what Perception Point historically called Advanced Browser Security. It's the module that ships the watermarking capability documented in Perception Point's March 2023 release note on browser-centric DLP.
The mechanism, per Perception Point's own documentation and the current Fortinet product-page language: a lightweight browser extension (per Perception Point, deployable "in Chrome, Edge, Safari, and any other Chromium-based browser," with a Firefox extension listed on Mozilla's addons store) or an equivalent agent sits on the endpoint. When the user opens a page flagged as containing sensitive content — either because the URL matches a sensitive category, the page contains data patterns matching a DLP rule, or an admin has flagged the site — the extension injects an overlay layer into the rendered content. That overlay is a semi-transparent watermark. Per Perception Point's release note, the default watermark string includes a "Confidential – Don't share" label along with the viewing user's identity and the access timestamp. Dynamic watermarks of this kind — the general category, of which Perception Point's implementation is one — are engineered specifically to persist through screen capture and are typically legible when a screen is photographed by a camera; that survives-camera-capture property is what makes the class of control interesting for the leak vector this post is about.
The clever part isn't the technology — semi-transparent overlay watermarks are old news. The clever part is the positioning. This is deployed as a control that changes the calculus of the insider leak. Every employee knows that any screen they view has their identity baked into the pixels. If a leak happens and the leaked material is a photograph of a screen, forensic analysis can read the watermark and identify the leaker by name and by the exact minute they viewed the content. This shifts the psychology of "should I photograph this and sell it" from "risk of getting caught: low" to "risk of getting caught: almost certain." That's a much stronger deterrent than any DLP alert.
How the watermark actually worksWhat's documented, and the honest gaps
The deployment surface that's clearly documented — both in Perception Point's product materials and on the current Fortinet product page — is the browser extension: available for Chrome, Edge, Safari, "any other Chromium-based browser" (Perception Point's phrasing), and Firefox (Mozilla addons store). The extension injects a DOM-level overlay on top of the rendered page content when the user opens a URL or SaaS view that matches a sensitivity policy (URL category, content pattern, or admin-flagged app). The overlay contains, by default, a "Confidential – Don't share" label along with the viewing user's identity and access timestamp — that composition is straight out of the Perception Point release note.
Beyond the browser extension, Perception Point's own product descriptions and third-party summaries use the phrase "browser extension or agent." An agent-based deployment shape does exist as a category; the exact scope — which operating systems, which applications, what admin controls — isn't detailed in the public product page in a way we can cite here. If your evaluation depends on covering content that isn't rendered in a browser (native Outlook desktop, native Office apps, custom Windows apps), that's an explicit question to ask the Fortinet SE at scoping; don't assume the browser extension covers it.
Two structural dependencies of the control — worth understanding upfront
Dependency one: the extension has to be running for the watermark to be present. If the extension is deployed via enterprise browser policy (Chrome Enterprise, Edge for Business, Managed Apple Devices, etc.), the user cannot easily uninstall or disable it. The specific tamper-detection alerting behaviour and console-side telemetry are product-detail items you should ask the SE about; don't assume the specific mechanics without a demo.
Dependency two: if the user can view the sensitive content on a non-managed device, the extension isn't there and the watermark doesn't apply. This is the real coverage boundary. Mitigation is at the identity layer — require managed-device attestation on conditional-access rules for any application flagged as sensitive. That's an identity-team decision, not a FortiMail Workspace Security capability, but it's a prerequisite for the control to be meaningful.
Where this really mattersSectors and use cases where "attribution" is the missing control
Customer PII and transaction data
Every bank and NBFC in India has had at least one insider-leak incident of customer data — often the customer-data-list-for-sale kind that ends up on Telegram or dark-web forums. The photographs come from CRM dashboards, KYC-review interfaces, and transaction-monitoring consoles. Adding attribution watermarking to these specific applications changes the risk calculus for anyone with dashboard access. Under RBI Cyber Framework and DPDP, this control is defensible as an "adequate technical measure" for insider-threat mitigation.
Patient records, EHR / EMR viewing
DPDP's healthcare protections and the sectoral regulations around patient-data confidentiality make photograph-of-screen a serious risk vector. Watermarking EHR viewing UI protects patient identity while the EMR is being reviewed on-screen. The nurse or doctor still reads it fine; a photograph of their screen carries their credential prominently.
Client-confidential material and privileged data
Big-four consulting, boutique consultancies, and law firms handle client material where breach-of-confidentiality is a firing offence and, in some cases, a professional-regulation issue. Watermarking client-facing knowledge portals, case-file review UIs, and privileged-communication systems creates the accountability trail these engagements require.
Formulation, clinical trial and IP-critical content
Drug formulations, clinical-trial protocols, and pre-publication research findings are the highest-value targets for corporate espionage in the sector. The typical leak vector is a research analyst photographing an internal viewing tool. Watermarking these tools makes the identity of the leaker inseparable from the leaked material.
Client-account access via VDI / thin-client
Indian IT-BPO firms serve global clients whose data is subject to GDPR, HIPAA, or local sectoral rules. Contract-clause breach on unauthorised photograph of client data can trigger client-side penalties and contract termination. Watermarking VDI sessions and thin-client screens becomes contractually defensible evidence of care.
Citizen-data-viewing applications
PSU banks, state-run insurance, and government portals handling citizen data have parallel obligations under DPDP plus their own sectoral MHA / MEITY norms. Insider leak of citizen data is politically explosive in a way commercial data isn't. Attribution watermarking gives the technical controls layer real accountability weight.
Deployment realityWhat rolling this out actually involves
Provision FortiMail Workspace Security tenant on FortiCloud
Standard Fortinet FortiCloud onboarding — separate tenant, admin credentials, region selection (Central India available). Provisioning typically completes in 15-30 minutes.
Push the browser extension via enterprise policy
Chrome Enterprise / Edge for Business admin console pushes the FortiMail Workspace Security extension as a mandatory-install. Firefox and Safari have equivalent policy channels. On Chrome, the extension appears as force-installed and cannot be disabled by users.
If native-app coverage is in scope, ask the SE about the agent form
Perception Point's own product descriptions reference an agent alongside the browser extension. If you need coverage beyond browser-rendered content (native Outlook, native Office, specific desktop apps), scope that explicitly with the Fortinet SE — the exact platform support and admin controls should be confirmed against a live demo, not assumed.
Define sensitivity policy — which sites and apps trigger watermarking
URL-based rules (your CRM, ticketing system, HR portal, specific SharePoint sites) and content-based rules that fire when the page contains sensitive data patterns. Watermarking runs on-match; unmatched content renders normally without the overlay.
Confirm watermark appearance during a pilot on your own UIs
The documented default watermark is "Confidential – Don't share" plus the user's identity and access timestamp. Any further customisation (opacity, size, rotation, additional identifiers) should be validated with the vendor during your pilot — don't specify these to end users until you've confirmed against the live product.
Communicate to the workforce
Don't roll out silently. The deterrent effect only works if employees know the watermarking is happening. HR-communicated all-hands note, updated employee handbook, and consent-to-monitoring language in the ongoing employment agreement. The compliance and legal side of this matters — check with employment counsel on the specific language for Indian labour-law context.
Forensic playbook — what happens when a leaked photo surfaces
Document the process: receive leaked-image intel (usually from customer complaint, media, or third-party threat-intel), forensic-review the image for the watermark pattern, decode the user identity and access timestamp, correlate to session logs, initiate HR / legal action. Rehearse the playbook with a table-top exercise using a synthetic case.
Monitor extension health and tamper attempts
FortiMail Workspace Security's admin console shows extension deployment coverage across the fleet, per-user last-seen data, and tamper-attempt alerts (user tried to disable, extension crashed unexpectedly, etc.). Treat sustained tamper attempts by a specific user as a strong insider-risk signal.
Honest trade-offsWhat this control doesn't do and where you shouldn't over-rely
1. It's a deterrent, not a preventive control
The single most important honest framing: watermarking does not stop leaks. It makes them attributable after the fact. This is enormously valuable — the risk calculus for a would-be leaker shifts dramatically when they know their identity is baked into any photograph — but it's the wrong control if what you need is "stop the data from ever leaving the environment." For that, you still need traditional DLP, CASB, and the whole prevention layer. Watermarking is the last-mile addition to that stack for the photograph-of-screen class of leak specifically.
2. Coverage gaps if device management isn't in place
The watermark only applies where the extension or agent runs. If your sensitive web app is accessible from any device without a managed-device check, the leaker's workaround is trivial: access it from an unmanaged device, no watermark, photograph freely. The prerequisite is conditional access requiring device attestation for the applications you're protecting. Talk to your identity team about wiring this into your M365 Conditional Access, Okta device-trust, or equivalent.
3. UX cost — real but manageable
Employees notice the watermark. Some will complain that it's distracting or affects readability, especially on data-dense dashboards. Tuning the opacity and pattern helps, but expect an adjustment period. Watermarking should be reserved for the applications where the security value justifies the UX cost — not slapped across every internal tool by default. Choose the ~10-20 most sensitive apps in your estate; leave the rest alone.
4. Non-visual data can't be watermarked
API data (JSON responses, CSV downloads) doesn't render visually and can't carry a watermark. If your leak vector is "user downloads the CSV then emails it out," that's traditional DLP territory. If your leak vector is "user views the dashboard on-screen, photographs it," that's watermarking territory. Know which one you're defending against.
5. Legal / employment-law nuances in India
Employee monitoring — which is what watermarking effectively is at a technical level — has legal implications in India. The Information Technology Act plus the Prevention of Sexual Harassment Act plus various labour-law provisions create a matrix of consent, notification, and proportionality requirements. Any watermarking deployment should be paired with updated employee handbook language and consent language in employment agreements, cleared with employment counsel. Don't skip this step; a legal challenge can invalidate the forensic-attribution value of the control.
6. This is one control in a broader insider-risk program
Watermarking works best as part of a broader insider-risk-management program that also includes behavioural analytics (Microsoft Purview Insider Risk Management, or FortiInsight), privileged-access controls, session monitoring, and HR-led awareness programs. Deploying watermarking in isolation gets you the attribution capability but not the early-warning signal that a leak is likely. Both matter.
Where Ogma fitsHonest, brief, not the whole point of the article
Ogma is a Fortinet authorised partner in India for the FortiMail Workspace Security product line, including the watermarking and Advanced Browser Security capabilities. Where we tend to add real value is at the deployment-design layer: helping enterprises decide which specific applications to enable watermarking on (the 10-20 that justify the UX cost), tuning the opacity and pattern so it's captured by phone cameras without frustrating employees, and stitching the forensic-playbook process together with the customer's HR, legal, and IR teams so the attribution capability actually gets used when a leak surfaces. The technology is straightforward once you understand it. The organisational and legal wrap-around is where a partner earns their fee.
Want a 60-minute assessment of your photograph-of-screen leak exposure?
We'll walk through your existing DLP + CASB + EDR coverage, identify which applications carry the highest photograph-of-screen risk in your environment, and give you a written recommendation on whether FortiMail Workspace Security's watermarking layer fits — including the legal / HR wrap-around Indian employment law expects.
Book an assessment +91 80 0979 0979 · [email protected]Common questionsFAQ
Does the watermark actually survive being photographed by a mobile phone?
Dynamic watermarking as a category — including Perception Point's / FortiMail Workspace Security's implementation — is engineered specifically to persist through screen capture, and semi-transparent overlays typically remain legible in a photograph of the screen. That said, "survives a phone photograph" isn't a specific product claim Fortinet's public page currently makes about this module in so many words; it's a property of the category the product belongs to. Ask for a live demo during evaluation: photograph a watermarked screen with your own phone, then read the resulting image. This is the right way to validate the specific implementation against your specific expectations.
Doesn't Microsoft Purview or another native product do this already?
Purview Information Protection can apply visible labels (e.g., "CONFIDENTIAL — do not share") to documents, but the labelling is document-level and doesn't cover browser-rendered dashboards, third-party SaaS UIs, or applications outside the M365 ecosystem. Custom watermarking on a specific enterprise SaaS is a build-your-own project. What FortiMail Workspace Security's Perception Point-derived capability adds is dynamic, per-user, per-session watermarking that spans any browser-rendered content plus native applications — no per-app custom integration needed. Different tools for different classes of leak.
How does this interact with employee privacy under DPDP?
Watermarking with the employee's identity is a form of workplace monitoring, and DPDP's employee-data provisions apply. Practically: (a) notify employees in the handbook and consent letter that browser sessions may carry identifying watermarks for security purposes, (b) restrict watermarking to specific applications where the security value is proportionate, don't blanket-apply, (c) keep session-identifier data on a strict retention policy tied to insider-risk investigation timelines rather than indefinitely, (d) run the deployment past employment counsel and DPO. Done properly, the control is defensible under DPDP; done sloppily, it can be challenged as disproportionate.
What's the operational cost / effort involved?
Deployment itself is light — extension push and agent install through existing endpoint-management tooling takes days, not weeks. The heavier work is on the organisational side: choosing which applications to enable, tuning the watermark appearance, updating employee comms and legal language, and building the forensic playbook so the attribution capability actually gets exercised when an incident happens. Budget four to eight weeks from decision to production-stable rollout for a mid-market Indian enterprise, most of it in policy and process rather than technology.
What if we already have a robust DLP / CASB stack? Do we still need this?
If your leak-model risk assessment shows photograph-of-screen as a plausible vector — which it does for most Indian enterprises in BFSI, healthcare, consulting, pharma, and government — then yes, this control is the specific answer to a specific gap your existing stack doesn't cover. If your primary leak concern is bulk-exfiltration via upload or email, then existing DLP is doing the job and watermarking is nice-to-have rather than must-have. Match the control to the actual risk, don't add it universally.
Does this work for contractors, third-party consultants, and BYOD users?
Only where you can get the extension deployed on the device the user is viewing content on. For contractors on customer-issued laptops, deploy the extension via the customer's device-management (Chrome Enterprise policy push covers most cases). For third-party contractors on their own laptops, or BYOD users, the practical answer is device attestation at the identity layer — require managed-device evidence for access to any watermarked application, and don't grant access from personal devices. Whether Fortinet offers a specifically agentless / proxy-based deployment shape for the BYOD case is a scoping question for the Fortinet SE.
Where does this fit in an Ogma One SOC subscription?
FortiMail Workspace Security integrates cleanly with the broader SOC operations layer — its alerts (extension tamper attempts, unusual watermark-forensic-request patterns) feed into the SIEM alongside EDR and firewall signals for the same user. In our Ogma One subscription (disclosure: our own build, pre-launch), watermarking is offered as an optional add-on for customers with an identified photograph-of-screen risk model, not bundled by default because it's a control that only makes sense for specific use cases and application scopes. Talk to us if it's relevant for your environment.
ReferencesSources
Fortinet — FortiMail Workspace Security
- fortinet.com/products/fortimail-workspace-security — current product overview (browser security, collaboration security, email, managed IR)
- Fortinet blog — "Fortinet Acquires Perception Point" (December 2024)
Perception Point — the underlying browser-security capability
- Perception Point press release — browser-centric DLP with watermarking (March 2023)
- Perception Point Advanced Browser Security — Firefox extension listing
Employee monitoring & DPDP context
- MeitY — Digital Personal Data Protection Act framework
- RBI — Cyber Security Framework for Banks (notifications hub)
Complementary insider-risk controls
Stay ahead of cyber threats
One short email a week — curated Indian cybersecurity news, Fortinet releases, DPDPA updates. No fluff.