This scenario represents a classic insider data exfiltration incident, where a legitimate user abuses authorized access to move sensitive information outside organizational boundaries. The ECIH Insider Threat module clearly identifies Data Loss Prevention (DLP) as the primary technical control for detecting and preventing such activity.

Option B is correct because DLP solutions are designed to monitor, classify, and control sensitive data in motion, at rest, and in use. DLP can detect when regulated or confidential data is sent via email, uploaded to cloud services, or copied to external destinations, and can block or alert on policy violations in real time. ECIH emphasizes that DLP is especially effective against low-and-slow insider leaks that bypass perimeter defenses.

Option A improves awareness but does not enforce controls. Option C is overly restrictive and does not prevent other exfiltration channels. Option D is blunt and easily bypassed while disrupting legitimate business use.

ECIH guidance stresses layered insider threat defenses combining policy, monitoring, and enforcement. DLP provides visibility and control without relying solely on user behavior, making it the most effective priority action.