Whether personally identifiable information, health information, financial data, contract information, research and trade secrets, or intellectual property — data has become a new kind of currency. And when shared inappropriately — whether by accident or intentionally — disclosure of sensitive data can have dramatic financial impacts on an organization and erode consumer trust.
Most organizations make the mistake of focusing their data protection strategies solely on keeping the intruder out. But attackers don’t usually get in by cracking some impenetrable control; the breaches often come from someone who is already inside. Whether intentional or not, insiders cause the greatest threat to your data protection program. Fortunately, this is the threat you can do the most to alleviate.
Defeating the Attacker
Costly breaches often come from simple failures, not attacker ingenuity. An attacker can, however, be very creative if properly incentivized. In the absence of education or experience, your employees will naturally make poor security decisions with technology. This means you need to set up systems that make it easy to do the right thing.
For example, some companies rely on data classification as a way of identifying their most sensitive data — creating a common classification schema to differentiate between data that is public, internal, confidential or highly confidential. Once the data is tagged, identity management, access controls and security boundaries between systems can be used to wall off sensitive or highly sensitive data from potential leaks. Policies and procedures are then put in place that expect employees to categorize their data and tag it properly.
This is where the system begins to fall down.
Don't Push Employees into Workarounds
End-users are notoriously inaccurate in tagging their own data. For instance, when is the last time you went into the properties section of a Microsoft Office document to ensure that you had entered a proper title and keywords? For most of us, the answer is never or quite infrequently. Even with tools that assist end users in tagging, your typical employees are not compliance experts. However, employees may recognize that once they tag a document "highly confidential," it will require them to jump through hoops to work with it again. To avoid these hoops, employees may intentionally under-classify a document.
So trust your end users to appropriately identify and classify sensitive data, but verify that they are doing so. A layered approach to data classification can ensure that employees understand the policies, training and tools you're providing and are integrating them into their day-to-day tasks.
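One way to put "trust, but verify" into practice is an automated check that compares the tag an end user chose against a floor derived from the document's own content, so an under-classified document is flagged rather than silently walled off at too low a level. The following is an added example (not from the original article, and not any vendor's tool); the four levels are the article's, while the detector patterns and sample documents are constructed assumptions and deliberately illustrative rather than exhaustive.

```python
import re

# Classification levels from the article, ordered from least to most sensitive.
LEVELS = ["public", "internal", "confidential", "highly confidential"]

# Hypothetical content detectors (assumption: an organization would maintain its
# own list). Each regex maps to the minimum level a matching document must carry.
DETECTORS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "highly confidential"),     # US SSN-shaped
    (re.compile(r"\b(?:\d[ -]?){13,16}\b"), "highly confidential"),    # card-number-shaped
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "internal"),         # e-mail address
    (re.compile(r"\b(?:contract|NDA|trade secret)\b", re.I), "confidential"),
]

def required_level(text):
    """Highest classification that any detector demands for this text."""
    needed = "public"
    for pattern, level in DETECTORS:
        if pattern.search(text) and LEVELS.index(level) > LEVELS.index(needed):
            needed = level
    return needed

def verify_tag(user_tag, text):
    """Compare the user's tag with the content-derived floor.
    Returns (ok, needed): ok is False when the document is under-classified."""
    tag = user_tag.strip().lower()
    if tag not in LEVELS:
        raise ValueError(f"unknown classification tag: {user_tag!r}")
    needed = required_level(text)
    return LEVELS.index(tag) >= LEVELS.index(needed), needed

# Constructed sample documents: (tag chosen by the end user, document text).
SAMPLE_DOCS = [
    ("internal", "Lunch menu for Friday; questions to cafeteria@example.com"),
    ("internal", "Customer record: Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111"),
    ("confidential", "Draft NDA terms for the supplier contract"),
]

def audit(docs):
    """Return (user_tag, needed_level, text) for every under-classified document."""
    findings = []
    for tag, text in docs:
        ok, needed = verify_tag(tag, text)
        if not ok:
            findings.append((tag, needed, text))
    return findings

if __name__ == "__main__":
    for tag, needed, text in audit(SAMPLE_DOCS):
        print(f"under-classified: tagged {tag!r}, content requires {needed!r}: {text}")
```

The second sample document is the one the audit flags: tagged "internal" by its author, but its content requires "highly confidential".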
Similarly, employees will send themselves documents to continue working at home when they lack remote access to, or face restrictions on, the systems they need. If you're looking for an opportunity to revamp your security program, start here. Don’t set up policies that are so cumbersome and restrictive that your employees are pushed to private cloud options — such as Dropbox or Google Docs — to do their jobs.
At the end of the day, your employees will do what they need to do to get their job done. Help them by making it simple to use the systems you can control.
How Organizations Can Eliminate the Threat
There's no such thing as perfect security, so adopt a risk-based approach to implement your data protection program. While this often starts with the legal and compliance team and ends with the CISO, it needs to focus on the business user.
Create a pervasive culture of security and privacy controls within your organization that allow and enable the business to use data to its full capacity. Reality is perception. Your Chief Marketing Officer isn't the only one who needs to think about building your company brand. Privacy and security officers need to be able to market their programs effectively, too.
For data management and collaboration to turn into a competitive advantage for the business, you'll need to offer timely access to data as well as multi-directional communication flow — with the right risk management filters in place. Data should be available whenever and wherever to those who need it, and not available to those who shouldn’t have access. Repurpose your compliance programs. Change the traditional view of compliance as a cost center to turn this previously untapped information into a business asset. This not only creates a quantifiable return on investment for data security and privacy programs, but also helps the company increase productivity and stay out of regulatory hot water.
J. Trevor Hughes, IAPP President, said, “Privacy is like a series of dams that we try to set up to limit the data we share as small data becomes big data.” Technology and proper controls can help make sure the flow of information is controlled, intentional, purposeful and thoughtful rather than destructive to the greater good.
Title image by Jadon Barnes