How businesses can stem the flow of leaky data
The privacy and security of corporate data are at risk like never before. Not only are businesses faced with an ever-growing variety of security threats, from sophisticated, targeted attacks to new zero-day vulnerabilities and state-sponsored espionage, they also need to deal with the sharing habits of their employees.
While it goes without saying that businesses need to be able to communicate freely and effectively with employees, customers and third parties, they will always run the risk of sensitive corporate information falling into the wrong hands if due consideration isn’t given to security.
The possibility of an organisation’s IT system being breached, or of information being intercepted or accidentally leaked, means that email and free file-sharing services are no longer viable options for sharing documents. And with most workers accessing corporate data on their personal mobile devices, some sectors of the economy are seeing more work now done outside the physical walls of the company than inside, making it more important than ever for organisations to extend their security beyond their traditional perimeter.
Data leaks are becoming a realistic, ongoing threat to business, as highlighted by the fines imposed last year on companies by the Information Commissioner’s Office for accidental loss of personal information. Such incidents are likely to continue, generating financial and reputational damage to any business affected. So what can businesses do to bolster their IT security and file sharing services and ensure they don’t become the next company to make the headlines for the wrong reasons?
Many cases of data loss are the result of the challenges an organisation’s IT department faces in managing its employees’ sharing habits outside the business. A firewall would once have maintained the corporate perimeter, meaning that it was relatively easy for IT to monitor the organisation’s internal systems and know who was sharing what information with whom.
Today though, the burgeoning BYO culture means that popular consumer tools such as cloud-based file sync and share (FSS) solutions are being used for business purposes, and these bring with them new challenges for those responsible for both IT and compliance.
Adoption and value
Picture the market for file sharing technologies as a pyramid, with its vertical axis represented by business value. Across the bottom of this pyramid is breadth of adoption. Indeed, some FSS providers boast up to 500 million users.
However, while these millions of users may be saving themselves time and improving their own personal efficiency, it’s possible that using these free FSS services in the workplace is creating a different set of problems for others within their organisation.
Protocols around which users should have access to specific information, for example, will alter over time, especially when employees join, leave or change role. Managing these protocols can swiftly become a logistical headache for IT and compliance teams, and implementing policies to protect intellectual property (IP) and guard against data loss becomes a greater priority the more the use of cloud FSS services increases.
At the pyramid’s peak is where you’ll find the niche solutions, which have narrower adoption and are typically aimed at tackling more clearly defined business problems. These tools provide greater value to highly-regulated organisations such as those in the banking, law or pharmaceutical sectors by allowing them to more easily track information, cut down on paper usage, and access the most up-to-date information available. Increased efficiency in sharing information in a pharmaceutical trial, for example, can lead to a product spending an extra month in market before its patent expires.
It’s crucial for a business to be sure that any content sharing solution used in the workplace has the strongest possible capabilities for protecting information shared. At the same time, it should avoid introducing friction that would impede users in their day-to-day work.
Employing technologies such as Information Rights Management, for example, will make it easier for an organisation to manage access to documents and protect its IP beyond the corporate boundary.
For further confidence, it’s worth considering the addition of specific permissions such as enforcing a time limit after which it’s no longer possible to view a document – even if it’s already been downloaded or shared.
There may be occasions when, for legal reasons, a government authority requests specific information on a customer from an organisation’s cloud service provider, a situation which may cause tension between all interested parties.
A solution such as Customer Managed Keys (CMK) can give power back to the information owner. By giving a customer exclusive control of the encryption, the owner can ensure their data remains secure and under their control, regardless of physical location. The service provider becomes unable to decrypt the data or grant access to third parties if the owner chooses to disable the keys.
Businesses continue to feel the impact of threats to their sensitive corporate and customer information. The effect that breaches, leaks, and data exfiltration can have on a company’s reputation and its bottom line means that IT security should now be a very real concern for its board of directors and risk functions as well as internal IT.
When considering a company’s security policy and procedures, it’s worth both IT and the C-suite bearing in mind the need for employees to be able to quickly and easily share information with peers and third parties. Rather than relying on a couple of brief and forgettable sentences on safe information management in an employee policy manual, organisations should take control over the wealth of sharing tools being brought into the workplace.
By offering employees a robust and secure alternative, and giving guidance on how to apply the right controls over the information they’re sharing, an organisation can avoid introducing friction into vital business processes, while ensuring that one of the business’s most valuable assets – its information – remains protected.