Data is the crown jewel of an organization – its high value must be protected at all costs. Data fuels the modern-day economy; the work of the present and the work of the future demand that we share it more than ever before.
But while data mobility is reaching new horizons, many of the controls to mitigate the risk of data exposure still rely on traditional protection – a patchwork of complexity that is the enemy of security. In this post, we explore some of the common security pitfalls that organizations face while guarding against data exposure. It is still incredibly easy to lose data by direct attack, simple mistakes, and negligence. Some of these common pitfalls can include:
- Loss or destruction of endpoints
- Using consumer-grade collaboration and file sharing tools
- Transferring files over insecure media including USB drives
- Emailing sensitive information to personal email accounts
- Social engineering (i.e. phishing) – the human factor and malware
Let’s start by taking a glimpse at a typical enterprise. As you can imagine, there is technology sprawl – application sprawl, network sprawl, and more recently cloud sprawl. We use services built on multiple cloud infrastructures and leverage many SaaS apps. These are used in conjunction with legacy (yet business critical) and custom applications built on-prem in the last 25 to 30 years. The result is personal and business data sprawled across a matrix of devices and locations. The traditional enterprise perimeter – the castle and moat – where IT is in complete control has almost completely eroded. The industry’s response has been to fill each gap and use case with a slew of security products, each with its own unique policy and capabilities and limitations. Together, this complexity, an increased attack surface, and a loss of IT control equates to a greater security threat.
With new regulations such as the EU General Data Protection Regulation (GDPR), data protection, specifically customer personal information, takes on a new set of requirements as discussed in our recent GDPR whitepaper.
In the global study from Citrix and The Ponemon Institute, we discovered that:
- 64 percent of respondents say their organization has no way to effectively reduce the inherent risk of unmanaged data (e.g. downloaded onto USB drives, shared with third parties, or files with no expiration date)
- 79 percent of respondents are worried about security breaches involving high-value information
- 52 percent of respondents do not feel that their security infrastructure facilitates compliance and regulatory enforcement with a centralized approach to controlling, monitoring and reporting of data
The nightmare scenario may be more sinister than simple data theft for economic gain. The next frontier may very well be the “weaponizing of data”- leaks, extortion, and blackmail.
Bruce Schneier discusses the concept of “Organizational Doxing“:
“Organizations are increasingly getting hacked, and not by criminals wanting to steal credit card numbers or account information in order to commit fraud, but by people intent on stealing as much data as they can and publishing it”
But more elaborate are potential attacks on data integrity as identified in the Senate Armed Services Committee report on Worldwide Threat Assessment of the US Intelligence Community:
“Most of the public discussion regarding cyber threats has focused on the confidentiality and availability of information; cyber espionage undermines confidentiality, whereas denial-of-service operations and data-deletion attacks undermine availability. In the future, however, we might also see more cyber operations that will change or manipulate electronic information in order to compromise its integrity (i.e. accuracy and reliability) instead of deleting it or disrupting access to it. Decision making by senior government officials (civilian and military), corporate executives, investors, or others will be impaired if they cannot trust the information they are receiving.“
- Centralizing and keeping data off endpoints
- Containerizing and encrypting data on mobile devices
- Controlling access to data contextually
- Using file level access and control (DLP and IRM) for data in motion
- Partnering with industry leaders to protect data
At its core, the solution must give back control to IT and deliver the best balance between security and user experience. In the end, people need and want to work efficiently. If data sharing is made onerous, it creates an opportunity for insecure shortcuts, Shadow IT, and liability.