Security and compliance are at the top of every IT pro’s mind, yet much of that effort is focused on protecting data within the organization that’s “at rest.” While it’s important to protect all data, data is at its most vulnerable when it is in motion, and that needs to be more of a focus of your efforts.
Data in-motion has to contend with human error, network failures, insecure file sharing, malicious actions and more. In today’s economy, almost every business has data that needs to be transferred outside protected business applications and systems to enable collaboration between co-workers, users, systems, partners and more – so simply not letting data be shared is not an option.
To remediate the security risk that’s inherent in sending data outside of your walls, companies must accept the reality that data in motion is insecure and take proactive steps to prevent an expensive and embarrassing data breach. The first step is to accept that your company data, including sensitive data, is being sent insecurely via shadow IT. When IT isn’t involved with how data is being transferred, there are critical disadvantages, which often trigger other serious issues, such as:
- No visibility – Without visibility that allows reporting and alerts, IT teams will have no foresight into potential data breaches or vulnerabilities and can’t pass internal or external audits.
- No integration – IT teams can’t automatically extract data from unauthorized systems into other established processes.
- No automation – The manual process of ad hoc transfer and sending the right data to the right person at the right time unnecessarily slows down multiple departments.
To prevent this risky activity, here are three best practices for securing your data-in-motion:
Restrict cloud sharing/alternative transfer methods
Cloud-based apps, such as Dropbox and Google Drive, allow individuals to bypass the IT and procurement departments entirely – creating shadow IT. The downside is that these applications often don’t meet corporate standards for data protection and encryption, and they hinder IT teams from protecting the company’s data by cutting off their visibility. Oftentimes, employees don’t even realize that this type of activity increases the risk of security breaches and data loss.
Not only do unauthorized cloud sharing and alternative transfer methods put your data-in-motion at risk of a breach, they also might lead to lost or accidentally misplaced data and the inability to comply with data privacy and protection legislation. This, in turn, could leave companies liable for fines and even prosecution.
Identify critical assets and vulnerabilities
The biggest component of securing data-in-motion is managing risk by recognizing which transfer methods put your company at risk and how often they are used. Start with the most basic components of your data’s security lifecycle and classify departments, data, and people. Then set priorities for securing all critical assets and addressing vulnerabilities.
Implement security framework for data
One of the most common reasons that employees engage in activities that put their data at risk is a lack of clear IT policies. Look to industry standards such as PCI, HIPAA, GDPR, and ISO 27001 to implement a security framework for your data. The best way to secure data-in-motion is to move to a multi-layer plan.
In my experience, the following data transfer requirements are crucial: end-to-end encryption, strong authentication, automation of file-based tasks, rules and policy management, user ad hoc secure file transfers, guaranteed delivery, integration with existing security controls, tamper-evident audit trail, monitoring of all file transfer activity, exception notification, automated report creation and distribution, and high availability and disaster recovery.
Building a plan for data-in-motion security involves much more than just encryption, but it isn’t as daunting as some IT teams may think, and awareness is the first step. Spend some time evaluating how your company treats data-in-motion and implement processes and systems that ensure the safe transfer of your sensitive data.
Take action today with a simple three-step plan:
- Risk management – Get top-level approval and start with the most critical threats. It’s all about recognition of risk and planning.
- Control framework – Find out what technologies your users are utilizing and look to industry standards such as PCI, HIPAA, GDPR, etc.
- Technology, training and processes – Implement plans based on priorities and set up a clear, easy and secure system for data-in-motion security.