tandem paragliding
PHOTO: Eun-Kwang Bae

It’s impossible to completely eliminate risk. This holds true in any situation, including managing data and collaboration in the cloud. However, every organization must do whatever it can to reduce risk to the furthest extent possible, especially as security and privacy incidents rise in frequency and severity.

The consequences of a data breach include not only the regulatory fines and legal expenses, but also the cost of reputation damage to the brand as well as the lost operational opportunities resulting from the time spent dealing with the breach.

Related Article: Facebook's Multibillion Dollar Data Violation Fine Is a Wake Up Call to Every Enterprise

Operational Processes Can Create More Risk Than Data at Rest

Many organizations still rely on their trusty employee handbooks or even signed agreements in an attempt to hold their employees accountable for content security. Very few organizations have the resources necessary to train — and retrain — individuals on how to reduce risk in their specific day to day operations.

As we’ve seen in many data leaks, such as the numerous healthcare sector breaches, sometimes application development processes leave copies of data exposed. Other times, externally shared data is shared a little too loosely, for example, contractors having access to PII. Additionally, we also see people convincing others within the organization to delegate administrative access to sensitive content — like internal and external phishing.

In all of these situations, a small amount of ongoing training or process risk analysis could very well have prevented a breach from taking place.

Here are four other actionable solutions for mitigating your organizational risk in the cloud.

1. Develop and execute a strategy for process-based risk

Regularly review permissions and restrict administrative access to only those with an absolute need to have it. Restrict access and content sharing to as much content as possible, so you can reduce the burden of heavily monitoring only to the areas where sensitive content is allowed to exist. Additionally, pay special attention to where sensitive content may be exposed to large numbers of users or to external users.

Lastly, audit your employees as possible to determine how their content interaction is creating risk in your organization. Explain the importance of why these audits are taking place, and provide positive incentives and rewards to encourage proactive behavior.

Related Article: Uniting Risk Management and Strategic Planning

2. Equip security teams to handle an ongoing workload

Almost every major security regulation now stipulates businesses have “security by design.” Businesses are also required to prove they have an ongoing process, supported by dedicated employees, which monitors and corrects incidents and violations.

Unfortunately in many organizations, the security team is still just a cross-section of stakeholders from different departments who come together to make policies for the organization. But the days of being able to point to a security policy and avoid liability simply because it’s there are long gone.

Businesses need dedicated security professionals equipped with tools and resources to do the work. This will allow them to make suggestions on how to modify business processes to reduce risk and provide ongoing training and resources to keep employees up to date. Training should be as contextual and relevant as possible for employee roles.

3. Additional software alone won’t solve the problem, but it can help

Almost every cloud collaboration platform has or is soon coming out with some kind of data loss prevention tool. These tools help IT teams take action on documents based on the sensitivity of the content inside them. However, there are a few caveats on how this is done.

Cloud providers can be loathe to spend the resources it takes to frequently run search crawls across heaps of customer data and then process the actions it takes to correct existing risks. Because of this, the native security features of many cloud platforms are either slow to correct actions, lack the features to significantly reduce risk, or both.

Investing in tools that not only streamline the workload of your security team, but also reduce risk caused by content exposure and business processes across multiple platforms (as opposed to every platform's premium features), can save labor hours and reduce your software-related operational costs.

Related Article: Privacy by Design Is About to Become Law: Is Your Organization Ready?

4. At minimum, have a plan and start working on the solution now

The EU’s GDPR is already in effect. California’s CCPA goes into effect on January 1, 2020. Both of these mean organizations no longer have the luxury of waiting for some kind of data breach to be penalized for a lack of risk management and protection of consumer information.

If you don’t have security professionals who can help you adapt to the changing risk management and data protection environment, start looking now. Invest in your existing teams and professionals who may be able to champion your internal risk reduction efforts. Above all, if you’re not already, make risk reduction a priority — take it seriously and be proactive.