The one data leak DLP can't stop — and how FortiMail Workspace Security's dynamic watermark makes it attributable

Pawan Sharma Published 13 Jul 2026  ·  By Pawan Sharma  ·  Data Protection  ·  30 min read

There's a class of data leak that virtually no DLP product on the market can prevent, no matter how much you spend on it: an employee opens sensitive information on their laptop, pulls out their personal mobile phone, and takes a photograph of the screen. The DLP doesn't see it. The EDR doesn't see it. CASB doesn't see it. The information leaves the building on a device the enterprise doesn't control, and by the time anyone realises the leak has happened, it's on WhatsApp, on Telegram, in a competitor's inbox, on a public forum. There is exactly one class of defence that survives this scenario — and it's not prevention, it's attribution. This post is about how FortiMail Workspace Security (the productised form of what used to be Perception Point) does it, why the "photograph the screen" attack is now Indian enterprise's biggest under-defended data-leak vector, and what implementing this deployment shape actually looks like.

Deployment shape

Browser extension (agent referenced)

Documented browser extensions: Chrome, Edge, Safari, other Chromium-based browsers, and Firefox. Fortinet's page also mentions "or agent" — scope the specifics with your SE.

Watermark content

Username + timestamp

Semi-transparent overlay across viewed content — the composition Perception Point documented on release of the DLP capability.

What it doesn't do

Prevent, block, stop

This is a deterrent + attribution control. It doesn't stop leaks — it makes them personally consequential.

The class of leak it catches

Photo-of-screen

The one class no other defence handles. Also catches screenshot, screen-share, screen-record leaks.

The frameThe DLP blindspot that nobody wants to talk about

Every mature enterprise in India by now has some layer of DLP. It might be Microsoft Purview if you're an M365 shop, Symantec DLP if you inherited it, Netskope's cloud DLP, FortiDLP for Fortinet fabric customers, or homegrown CASB rules built on top of Microsoft Defender for Cloud Apps. All of these do something useful. All of them share the same fundamental limitation: they can only stop data movement through channels the enterprise controls. Upload to Dropbox? Blocked. Email an attachment to a personal Gmail? Blocked or quarantined. Copy-paste into an external app? Sometimes catchable. USB port write? MDM/EDR handles it. Print? Print-management catches it.

None of them stop this: the user has their phone in their hand, they aim it at their screen, they take a photograph. The photograph goes to Google Photos, then to WhatsApp, then anywhere. The enterprise has no visibility. The DLP records nothing because the user never triggered any of the classical exfiltration signals. Insider-threat detection based on behavioural analytics sometimes flags the pattern ("this user spent an unusual amount of time on document X"), but that's after the fact and doesn't prove the photograph was actually taken.

DLP catches this

Email attachment to external

Content inspection at the mail gateway or via M365 API blocks or quarantines the outbound. Standard workflow.

DLP catches this

Upload to unsanctioned SaaS

CASB / SWG inspects the upload payload. Blocks the transfer, alerts security.

DLP catches this

USB / removable media

EDR / endpoint MDM blocks writes to removable storage. Standard control.

DLP catches this

Copy-paste to another app

Endpoint DLP inspects clipboard content when pasted into unsanctioned processes. Blocks or logs.

DLP misses this

Phone photograph of screen

User's personal phone is not corporate-managed. The DLP has zero visibility. The photograph leaves the environment on an out-of-band channel.

DLP misses this

Screenshot pasted to personal chat

Screenshot to clipboard is caught if pasted on the same device. If posted from a different device (BYOD phone photo of same screen), out of band.

DLP misses this

Screen-share leak on personal call

User joins a personal Zoom / Teams call from another device that mirrors their work screen (or shares via extended display). Zero DLP visibility.

DLP misses this

Contractor / third-party device

Content viewed by a legitimate third-party consultant on their own laptop. No corporate agent. No DLP telemetry.

Why this matters more in 2026 than it did in 2020. Two shifts converged. First, current mobile-phone camera quality plus computational photography make photographs of a screen easily readable. Second, insider-threat incidents in Indian enterprise are up materially in the last three years — customer data leaks that turned out to be current or former employees photographing dashboards and selling them onwards. BFSI, healthcare, telecom, e-commerce have all had public incidents. Every one of these organisations had DLP. None of the DLPs could have stopped the photograph.

What FortiMail Workspace Security doesPerception Point's watermark, now in the Fortinet portfolio

Fortinet acquired Perception Point in December 2024, and per the current Fortinet product page has rebranded the platform as FortiMail Workspace Security. Fortinet's own description of the product line covers four modules: FortiMail Cloud SaaS (email), Browser Security, Collaboration Security, and managed 24×7 incident response. The module relevant to this discussion is Browser Security — what Perception Point historically called Advanced Browser Security. It's the module that ships the watermarking capability documented in Perception Point's March 2023 release note on browser-centric DLP.

The mechanism, per Perception Point's own documentation and the current Fortinet product-page language: a lightweight browser extension (per Perception Point, deployable "in Chrome, Edge, Safari, and any other Chromium-based browser," with a Firefox extension listed on Mozilla's addons store) or an equivalent agent sits on the endpoint. When the user opens a page flagged as containing sensitive content — either because the URL matches a sensitive category, the page contains data patterns matching a DLP rule, or an admin has flagged the site — the extension injects an overlay layer into the rendered content. That overlay is a semi-transparent watermark. Per Perception Point's release note, the default watermark string includes a "Confidential – Don't share" label along with the viewing user's identity and the access timestamp. Dynamic watermarks of this kind — the general category, of which Perception Point's implementation is one — are engineered specifically to persist through screen capture and are typically legible when a screen is photographed by a camera; that survives-camera-capture property is what makes the class of control interesting for the leak vector this post is about.

▸ Live demonstration — every screen photograph carries this pattern
Imagine this is your CRM dashboard, or a customer-details page, or an internal analytics view. The content is fully readable. But if someone were to take a mobile-phone photograph of this rectangle right now, the resulting image would capture the diagonal user-ID pattern you see faintly behind this text. Any recipient of the leaked image sees who leaked it.
(This is an approximation with an example username, timestamp, and default "Confidential" tag. Per Perception Point's own release note, the deployed watermark uses the logged-in user's identity and access timestamp — see the press release under Sources.)

The clever part isn't the technology — semi-transparent overlay watermarks are old news. The clever part is the positioning. This is deployed as a control that changes the calculus of the insider leak. Every employee knows that any screen they view has their identity baked into the pixels. If a leak happens and the leaked material is a photograph of a screen, forensic analysis can read the watermark and identify the leaker by name and by the exact minute they viewed the content. This shifts the psychology of "should I photograph this and sell it" from "risk of getting caught: low" to "risk of getting caught: almost certain." That's a much stronger deterrent than any DLP alert.

How the watermark actually worksWhat's documented, and the honest gaps

The deployment surface that's clearly documented — both in Perception Point's product materials and on the current Fortinet product page — is the browser extension: available for Chrome, Edge, Safari, "any other Chromium-based browser" (Perception Point's phrasing), and Firefox (Mozilla addons store). The extension injects a DOM-level overlay on top of the rendered page content when the user opens a URL or SaaS view that matches a sensitivity policy (URL category, content pattern, or admin-flagged app). The overlay contains, by default, a "Confidential – Don't share" label along with the viewing user's identity and access timestamp — that composition is straight out of the Perception Point release note.

Beyond the browser extension, Perception Point's own product descriptions and third-party summaries use the phrase "browser extension or agent." An agent-based deployment shape does exist as a category; the exact scope — which operating systems, which applications, what admin controls — isn't detailed in the public product page in a way we can cite here. If your evaluation depends on covering content that isn't rendered in a browser (native Outlook desktop, native Office apps, custom Windows apps), that's an explicit question to ask the Fortinet SE at scoping; don't assume the browser extension covers it.

Two structural dependencies of the control — worth understanding upfront

Dependency one: the extension has to be running for the watermark to be present. If the extension is deployed via enterprise browser policy (Chrome Enterprise, Edge for Business, Managed Apple Devices, etc.), the user cannot easily uninstall or disable it. The specific tamper-detection alerting behaviour and console-side telemetry are product-detail items you should ask the SE about; don't assume the specific mechanics without a demo.

Dependency two: if the user can view the sensitive content on a non-managed device, the extension isn't there and the watermark doesn't apply. This is the real coverage boundary. Mitigation is at the identity layer — require managed-device attestation on conditional-access rules for any application flagged as sensitive. That's an identity-team decision, not a FortiMail Workspace Security capability, but it's a prerequisite for the control to be meaningful.

Where this really mattersSectors and use cases where "attribution" is the missing control

Sector · BFSI

Customer PII and transaction data

Every bank and NBFC in India has had at least one insider-leak incident of customer data — often the customer-data-list-for-sale kind that ends up on Telegram or dark-web forums. The photographs come from CRM dashboards, KYC-review interfaces, and transaction-monitoring consoles. Adding attribution watermarking to these specific applications changes the risk calculus for anyone with dashboard access. Under RBI Cyber Framework and DPDP, this control is defensible as an "adequate technical measure" for insider-threat mitigation.

Sector · Healthcare

Patient records, EHR / EMR viewing

DPDP's healthcare protections and the sectoral regulations around patient-data confidentiality make photograph-of-screen a serious risk vector. Watermarking EHR viewing UI protects patient identity while the EMR is being reviewed on-screen. The nurse or doctor still reads it fine; a photograph of their screen carries their credential prominently.

Sector · Consulting / Legal

Client-confidential material and privileged data

Big-four consulting, boutique consultancies, and law firms handle client material where breach-of-confidentiality is a firing offence and, in some cases, a professional-regulation issue. Watermarking client-facing knowledge portals, case-file review UIs, and privileged-communication systems creates the accountability trail these engagements require.

Sector · Pharma / R&D

Formulation, clinical trial and IP-critical content

Drug formulations, clinical-trial protocols, and pre-publication research findings are the highest-value targets for corporate espionage in the sector. The typical leak vector is a research analyst photographing an internal viewing tool. Watermarking these tools makes the identity of the leaker inseparable from the leaked material.

Sector · IT-BPO

Client-account access via VDI / thin-client

Indian IT-BPO firms serve global clients whose data is subject to GDPR, HIPAA, or local sectoral rules. Contract-clause breach on unauthorised photograph of client data can trigger client-side penalties and contract termination. Watermarking VDI sessions and thin-client screens becomes contractually defensible evidence of care.

Sector · Government / PSU

Citizen-data-viewing applications

PSU banks, state-run insurance, and government portals handling citizen data have parallel obligations under DPDP plus their own sectoral MHA / MEITY norms. Insider leak of citizen data is politically explosive in a way commercial data isn't. Attribution watermarking gives the technical controls layer real accountability weight.

Deployment realityWhat rolling this out actually involves

Provision FortiMail Workspace Security tenant on FortiCloud

Standard Fortinet FortiCloud onboarding — separate tenant, admin credentials, region selection (Central India available). Provisioning typically completes in 15-30 minutes.

Push the browser extension via enterprise policy

Chrome Enterprise / Edge for Business admin console pushes the FortiMail Workspace Security extension as a mandatory-install. Firefox and Safari have equivalent policy channels. On Chrome, the extension appears as force-installed and cannot be disabled by users.

If native-app coverage is in scope, ask the SE about the agent form

Perception Point's own product descriptions reference an agent alongside the browser extension. If you need coverage beyond browser-rendered content (native Outlook, native Office, specific desktop apps), scope that explicitly with the Fortinet SE — the exact platform support and admin controls should be confirmed against a live demo, not assumed.

Define sensitivity policy — which sites and apps trigger watermarking

URL-based rules (your CRM, ticketing system, HR portal, specific SharePoint sites) and content-based rules that fire when the page contains sensitive data patterns. Watermarking runs on-match; unmatched content renders normally without the overlay.

Confirm watermark appearance during a pilot on your own UIs

The documented default watermark is "Confidential – Don't share" plus the user's identity and access timestamp. Any further customisation (opacity, size, rotation, additional identifiers) should be validated with the vendor during your pilot — don't specify these to end users until you've confirmed against the live product.

Communicate to the workforce

Don't roll out silently. The deterrent effect only works if employees know the watermarking is happening. HR-communicated all-hands note, updated employee handbook, and consent-to-monitoring language in the ongoing employment agreement. The compliance and legal side of this matters — check with employment counsel on the specific language for Indian labour-law context.

Forensic playbook — what happens when a leaked photo surfaces

Document the process: receive leaked-image intel (usually from customer complaint, media, or third-party threat-intel), forensic-review the image for the watermark pattern, decode the user identity and access timestamp, correlate to session logs, initiate HR / legal action. Rehearse the playbook with a table-top exercise using a synthetic case.

Monitor extension health and tamper attempts

FortiMail Workspace Security's admin console shows extension deployment coverage across the fleet, per-user last-seen data, and tamper-attempt alerts (user tried to disable, extension crashed unexpectedly, etc.). Treat sustained tamper attempts by a specific user as a strong insider-risk signal.

Honest trade-offsWhat this control doesn't do and where you shouldn't over-rely

1. It's a deterrent, not a preventive control

The single most important honest framing: watermarking does not stop leaks. It makes them attributable after the fact. This is enormously valuable — the risk calculus for a would-be leaker shifts dramatically when they know their identity is baked into any photograph — but it's the wrong control if what you need is "stop the data from ever leaving the environment." For that, you still need traditional DLP, CASB, and the whole prevention layer. Watermarking is the last-mile addition to that stack for the photograph-of-screen class of leak specifically.

2. Coverage gaps if device management isn't in place

The watermark only applies where the extension or agent runs. If your sensitive web app is accessible from any device without a managed-device check, the leaker's workaround is trivial: access it from an unmanaged device, no watermark, photograph freely. The prerequisite is conditional access requiring device attestation for the applications you're protecting. Talk to your identity team about wiring this into your M365 Conditional Access, Okta device-trust, or equivalent.

3. UX cost — real but manageable

Employees notice the watermark. Some will complain that it's distracting or affects readability, especially on data-dense dashboards. Tuning the opacity and pattern helps, but expect an adjustment period. Watermarking should be reserved for the applications where the security value justifies the UX cost — not slapped across every internal tool by default. Choose the ~10-20 most sensitive apps in your estate; leave the rest alone.

4. Non-visual data can't be watermarked

API data (JSON responses, CSV downloads) doesn't render visually and can't carry a watermark. If your leak vector is "user downloads the CSV then emails it out," that's traditional DLP territory. If your leak vector is "user views the dashboard on-screen, photographs it," that's watermarking territory. Know which one you're defending against.

5. Legal / employment-law nuances in India

Employee monitoring — which is what watermarking effectively is at a technical level — has legal implications in India. The Information Technology Act plus the Prevention of Sexual Harassment Act plus various labour-law provisions create a matrix of consent, notification, and proportionality requirements. Any watermarking deployment should be paired with updated employee handbook language and consent language in employment agreements, cleared with employment counsel. Don't skip this step; a legal challenge can invalidate the forensic-attribution value of the control.

6. This is one control in a broader insider-risk program

Watermarking works best as part of a broader insider-risk-management program that also includes behavioural analytics (Microsoft Purview Insider Risk Management, or FortiInsight), privileged-access controls, session monitoring, and HR-led awareness programs. Deploying watermarking in isolation gets you the attribution capability but not the early-warning signal that a leak is likely. Both matter.

Where Ogma fitsHonest, brief, not the whole point of the article

Ogma is a Fortinet authorised partner in India for the FortiMail Workspace Security product line, including the watermarking and Advanced Browser Security capabilities. Where we tend to add real value is at the deployment-design layer: helping enterprises decide which specific applications to enable watermarking on (the 10-20 that justify the UX cost), tuning the opacity and pattern so it's captured by phone cameras without frustrating employees, and stitching the forensic-playbook process together with the customer's HR, legal, and IR teams so the attribution capability actually gets used when a leak surfaces. The technology is straightforward once you understand it. The organisational and legal wrap-around is where a partner earns their fee.

Want a 60-minute assessment of your photograph-of-screen leak exposure?

We'll walk through your existing DLP + CASB + EDR coverage, identify which applications carry the highest photograph-of-screen risk in your environment, and give you a written recommendation on whether FortiMail Workspace Security's watermarking layer fits — including the legal / HR wrap-around Indian employment law expects.

Book an assessment +91 80 0979 0979 · [email protected]

Common questionsFAQ

Does the watermark actually survive being photographed by a mobile phone?

Dynamic watermarking as a category — including Perception Point's / FortiMail Workspace Security's implementation — is engineered specifically to persist through screen capture, and semi-transparent overlays typically remain legible in a photograph of the screen. That said, "survives a phone photograph" isn't a specific product claim Fortinet's public page currently makes about this module in so many words; it's a property of the category the product belongs to. Ask for a live demo during evaluation: photograph a watermarked screen with your own phone, then read the resulting image. This is the right way to validate the specific implementation against your specific expectations.

Doesn't Microsoft Purview or another native product do this already?

Purview Information Protection can apply visible labels (e.g., "CONFIDENTIAL — do not share") to documents, but the labelling is document-level and doesn't cover browser-rendered dashboards, third-party SaaS UIs, or applications outside the M365 ecosystem. Custom watermarking on a specific enterprise SaaS is a build-your-own project. What FortiMail Workspace Security's Perception Point-derived capability adds is dynamic, per-user, per-session watermarking that spans any browser-rendered content plus native applications — no per-app custom integration needed. Different tools for different classes of leak.

How does this interact with employee privacy under DPDP?

Watermarking with the employee's identity is a form of workplace monitoring, and DPDP's employee-data provisions apply. Practically: (a) notify employees in the handbook and consent letter that browser sessions may carry identifying watermarks for security purposes, (b) restrict watermarking to specific applications where the security value is proportionate, don't blanket-apply, (c) keep session-identifier data on a strict retention policy tied to insider-risk investigation timelines rather than indefinitely, (d) run the deployment past employment counsel and DPO. Done properly, the control is defensible under DPDP; done sloppily, it can be challenged as disproportionate.

What's the operational cost / effort involved?

Deployment itself is light — extension push and agent install through existing endpoint-management tooling takes days, not weeks. The heavier work is on the organisational side: choosing which applications to enable, tuning the watermark appearance, updating employee comms and legal language, and building the forensic playbook so the attribution capability actually gets exercised when an incident happens. Budget four to eight weeks from decision to production-stable rollout for a mid-market Indian enterprise, most of it in policy and process rather than technology.

What if we already have a robust DLP / CASB stack? Do we still need this?

If your leak-model risk assessment shows photograph-of-screen as a plausible vector — which it does for most Indian enterprises in BFSI, healthcare, consulting, pharma, and government — then yes, this control is the specific answer to a specific gap your existing stack doesn't cover. If your primary leak concern is bulk-exfiltration via upload or email, then existing DLP is doing the job and watermarking is nice-to-have rather than must-have. Match the control to the actual risk, don't add it universally.

Does this work for contractors, third-party consultants, and BYOD users?

Only where you can get the extension deployed on the device the user is viewing content on. For contractors on customer-issued laptops, deploy the extension via the customer's device-management (Chrome Enterprise policy push covers most cases). For third-party contractors on their own laptops, or BYOD users, the practical answer is device attestation at the identity layer — require managed-device evidence for access to any watermarked application, and don't grant access from personal devices. Whether Fortinet offers a specifically agentless / proxy-based deployment shape for the BYOD case is a scoping question for the Fortinet SE.

Where does this fit in an Ogma One SOC subscription?

FortiMail Workspace Security integrates cleanly with the broader SOC operations layer — its alerts (extension tamper attempts, unusual watermark-forensic-request patterns) feed into the SIEM alongside EDR and firewall signals for the same user. In our Ogma One subscription (disclosure: our own build, pre-launch), watermarking is offered as an optional add-on for customers with an identified photograph-of-screen risk model, not bundled by default because it's a control that only makes sense for specific use cases and application scopes. Talk to us if it's relevant for your environment.

ReferencesSources

Stay ahead of cyber threats

One short email a week — curated Indian cybersecurity news, Fortinet releases, DPDPA updates. No fluff.


Cato Firewall as a Service
Cato ZTNA — Zero Trust Network Access
Cato SASE Solution