who filed the cat
File sharing software simplified employee access to documents, but also brought increased risk PHOTO: Mitch Barrie

It feels like every day we hear news of yet another major data privacy and security breach. 

Just this week, the Petya ransomware made headlines worldwide, following in the footsteps of the WannaCry attack in May, which infiltrated US federal agencies. While the scale of the damage these attacks caused remains to be seen, all organizations should take these breaches as a sign to ask the following question: How do you know what you have lost in a breach if you don’t know what you hold?

Who Is Responsible for Your Organization’s Data?

Almost every employee today contributes content to their workplace — much of it landing in uncontrolled file shares. The constant influx of new content brings with it new risks: Legal systems worldwide are clamping down and demanding greater compliance, particularly on IT systems, making it essential for organizations to quickly implement compliance and risk management protocols. 

As document repositories' footprint continues to expand, it is imperative that enterprises align these systems with existing compliance policies. The lack of control and limited visibility into these file shares is causing growing concern among compliance officers. File shares can potentially expose sensitive or classified information like personally identifiable information (PII) or otherwise non-compliant content that needs tighter control.

Organizations provide these tools to help information workers use data quickly to perform tasks, but they’re not accompanying these tools with the right information or training to do so safely. Who is ultimately responsible? 

No matter which individual or team in the organization is responsible for protecting sensitive information and protecting your company from a data breach, if something bad happens, everyone is in the same sinking ship. So, from my perspective, everyone in the organization is in some way responsible for data protection.

The Need for File Analysis

Once upon a time, everyone who placed a document on a file share knew what and where it was. But for most organizations today, that is far from the truth. These file shares contain a treasure trove of undiscovered information assets, duplicative content and data that are putting the organization at risk. 

Ignorance is never the answer, so you need to understand how your business users are managing sensitive data today to properly remediate and educate going forward after a system cleanup.

This is no small task, but it offers security and privacy professionals a tremendous opportunity to help the rest of the organization collaborate and innovate in ways that increases safety for the organization, but also for customers, partners and external vendors. Essentially, it comes down to ensuring those who should have access do have access to information, and that it is protected from those who shouldn’t.

Organizations must also look at data as it is managed throughout their information gateways. At rest or in motion, data flows through file shares, websites, web applications, SharePoint sites, communication systems and social platforms. By thinking holistically about managing compliance as well as maintaining visibility, data classification and control as information moves about the organization, then the walls to your information become less penetrable.

By conducting file analysis — discovering, mapping and classifying the unstructured data on file shares — organizations can make more informed decisions regarding which data to keep and remove. This optimizes the use of existing storage repositories and the transition to new collaboration platforms.

The Business Benefits of File Analysis

Conducting this type of analysis helps you address the following concerns:

  • Exposed sensitive information: Find any privacy or information security violations, as well as any gaps in permissions
  • Identify and tag files with key information: Find out file type, ownership, size, age and location. You can then tag files to allow for automated classification
  • Enforce classification: Automatically classify content with embedded metadata, and resolve inconsistencies between user-created and automated metadata
  • De-duplicate and declutter: Remove duplicates and expired content that not only consume storage, but increase your exposure to risk and make it harder for users to find what they need.

Organizations should use a combination of policies and technology to make information available for those with proper access. Ensuring appropriate and limited access to highly sensitive data (such as PII and Protected Health Information) is critically important. 

Simply put, establishing the difference between what can be shared and what should be shared is key. The right technology not only enables information workers to do their jobs correctly, but verify that they are doing so — across every single information gateway your organization utilizes.

So, what’s your next move? It’s time to create a data privacy and security playbook that is both automated and targeted. Data-aware security policies provide an opportunity for organizations to build a more layered approach to security, prioritizing where efforts (and costs) should be spent, and building multiple lines of defense and a defensible strategy for data destruction.