Information Protection Via Hot Glue Gun? Thankfully, We Can Do Better
Your data is only as safe as your weakest password
The National Cyber Security Alliance marked another Data Privacy Day around the world yesterday (held every year on January 28), bringing together “businesses and private citizens to share the best strategies for protecting consumers’ private information.” After another year of headline-grabbing breaches (think Equifax, Verizon, Uber, to name a few), with more and more data going to the Cloud, and with the stringent regulations of GDPR just on the horizon, education and awareness are more important than ever if we’re going to adequately protect people’s information.
Of course, it starts with trust. And 68 percent of consumers say they don’t trust brands to handle their personal information appropriately. At the same time, enterprises are constantly contending with “That Guy”—you know the one. This is the employee whose dead-simple passwords are stored in an unencrypted file or scribbled on a sticky note under his keyboard. The guy who forwards work stuff to his personal email and uses scores of unsanctioned apps.
Challenges all around. But understanding the scope of the issue is step one, and as Symantec’s annual Internet Security Threat Report noted last year, many organizations underestimate the issue: at the end of 2016, the average enterprise organization was using 928 cloud apps. But most CIOs thought their organizations were only using around 30 or 40. That’s a pretty stark gap in terms of understanding the scope of the challenge.
The good news is awareness is growing, and forward-thinking companies have honed in on the key question: how do you protect huge volumes of business information when your employees are using hundreds of cloud apps (often connecting via personal, unmanaged devices) and bypassing your data center and VPN in the process?
In other words, how do you protect the organization from That Guy (and actually protect him in the process, too)?
Here are some best practices.
It’s time to shine a very bright spotlight on shadow data.
Symantec’s most recent Shadow Data Report found that 20% of files and 29% of emails in cloud apps were “shared broadly”—meaning they were sent to the entire organization, an external party or shared publicly to anyone with access to a link. That puts a potentially massive amount of sensitive data at risk.
Shadow data comprises all of the unmanaged content that users are uploading, storing, and sharing, in sanctioned and unsanctioned apps alike. Even if an organization successfully limited employees to approved, secure file sharing apps, it still would not have fully mitigated the risks of data loss or compliance violations. Smart data governance practices such as identifying and categorizing all cloud data, then enforcing policies around its use, are the only way to stop the leakage of business-critical data.
You also need to protect your cloud apps and data from any device, any user, and any app—both on and off-prem—without having to build a separate island of security in the cloud. To accomplish this, you need a cloud access security tool that gives you visibility into the shadows, one that can find all of the files that users have uploaded and synced to cloud storage. You also need a solution that can automatically encrypt files based on DLP policies and allow decryption only when identity-based triggers are satisfied, from anywhere.
Your data is only as safe as your weakest password.
Users choose convenience over security—whether it’s storing passwords improperly or creating weak passwords and using them everywhere—and that makes it easy for hackers. The password-only approach is broken, and the general trend is in favor of multi-factor authentication leveraging mobile devices to validate a user’s identity. With an easy push notification to their smartphone, users can push a button to verify their login request and get access to business applications—convenient and secure! So, while passwords (when created and stored correctly) still play an important role in security, it’s absolutely critical to have the strongest multi-factor authentication tool available.
Don’t bring a hot glue gun to an Information Protection fight.
When it comes to quickly sharing data with a colleague, sometimes a USB drive seems like a fast and easy solution: no email size limits or Wi-Fi issues to fret about. But a USB drive isn’t typically the most secure option. How many people go back and delete the content once it is transferred, or even encrypt it to begin with? (We know That Guy doesn’t!) Imagine the damage that could be done if that USB stick were lost or stolen or otherwise fell into the wrong hands.
So, what can be done? Well, true story—I’ve actually seen companies use a hot glue gun to gum up users’ USB ports so they’re unusable. Somewhat effective, but not exactly popular!
A different approach is to recognize the reality of user behaviors and to put in place safeguards that protect the data itself. Start by using data inspection tools to determine whether the data being copied is sensitive. Then, you have options. You can block the transfer, or you can alert the user to confirm that it is an intentional action. Even better, automatically encrypt the USB device or file so only trusted users can open it.
Bigger picture, Symantec recommends that organizations move to an “information-centric security model,” which is fundamentally about protecting data assets without hindering business owners. A fully configured and maintained information-centric security approach provides data protection that follows your information and is transparent to end users.
At the end of the day, That Guy is just trying to do his job—and will probably never adopt all of the best practices that security experts recommend. But for the enterprise that implements centralized visibility and control, together with best-in-class information protection technologies, it’s possible to discover, monitor, and protect your confidential information wherever it’s stored and however it’s used. No matter what That Guy does.
(To learn more about Symantec’s information-centric security model and how to implement one for your organization, check out the IDC white paper here.)