October is National Cyber Security Awareness Month. It’s also the time of year when your organization finalizes its roadmap for next year, so there’s no better time to conduct a data breach preparedness assessment.
Even if you already have a data security strategy in place, it’s critical to take stock often of what’s working and what isn’t, and to plan changes that further mitigate your risk of a costly and embarrassing breach or leak. What might have been sufficient to keep your data, documents and files confidential and under your control a year or even six months ago may not be enough now. New threats, and advances in existing ones, crop up all the time, and your strategy needs to adapt accordingly.
There are three key points to address early when conducting your data security assessment. First, you want to determine whether the tools you are currently using to share, distribute and collaborate on documents, data and files give your team the features they need to go about business as usual in a secure environment. Second, you’ll want to evaluate whether your vendors and partners are willing and able to help you keep your data safe and what you need to do if they cannot or will not do so. Third, look into whether you’re prepared to respond to the inevitable attempted or successful data breach or leak by locking down data no matter where it is, revoking access and compiling a clear and full audit trail.
Does your team resort to consumer-grade platforms to make life easier?
A very common source of increased data leak and theft risk is the use of consumer-grade platforms like Dropbox, Google Drive and built-in email attachment systems for sharing and collaborating on documents. Employees often turn to these platforms either for lack of a better, more secure option or simply because they are much easier to use than many secure alternatives.
Even if you have a secure platform in place, such as a VPN or FTP server, if it’s not easy to use, employees will opt for sleeker and simpler alternatives that expose your documents, files and data to unnecessary risk. It’s a common assumption among employees and executives that platforms offered by Google, Dropbox, etc. are secure, or that these companies actively work to protect your data. This simply isn’t true. While it may be difficult to hack into a Google server, it’s not at all difficult to steal a user password and use it to gain access to Drive or Gmail, or for an employee to accidentally share a Google Doc with someone who shouldn’t see it and not realize the mistake until it’s too late.
These platforms are also risky because IT has no real control over how they work or what employees do with them. For example, if an employee is fired, quits or simply intends to steal company data, they can easily clone information from a company account to their personal account. By the time IT contacts Google in an attempt to shut things down, that person will have already created untraceable copies of the information that are out of everyone’s control.
So it’s important that you use a secure replacement for VPN, FTP servers, Google Docs and standard email attachment systems that is so easy to use and rich in features that employees will not need to revert to free platforms and open the door to breaches and leaks. Look for a file-centric system that features secure data rooms (like Dropbox’s interface) that mimic the behavior of your native operating system’s file navigator. Employees will be able to pick up a system like Vaultize, for example, without much training at all, meaning they won’t need to find ways to circumvent it.
Are your partners and vendors doing their parts to protect confidential data?
It’s fairly easy to determine whether your partners and vendors are doing their parts to keep documents out of the wrong hands. You may be able to just ask them which system they use to track, control and protect data. If they seem clueless, you’ll know that the onus, for the time being, is on you to protect your information. You can also determine how secure your data is in their hands by looking at how they share information and documents. If they’re just emailing you important contracts or data in simple email attachments, it’s a big red flag.
But convincing partners and vendors to adopt your security doctrine can be tough or impossible. What you need to do instead is use a platform internally that allows you to maintain control over documents and gain insight into what’s being done with them even after they’ve left your home network. With the proper system that wraps documents and files in encryption and replaces email attachments with secure links (like Vaultize), IT admins will be able to enforce a multitude of controls over documents even after they’ve gone off to partners and vendors. With Vaultize, for example, admins will be able to:
- Control the countries from which the shared files can be accessed
- Control the IP addresses from which the shared files can be accessed (blacklist or whitelist)
- Control the days and times during which the shared files can be accessed
- Protect the files with passwords and/or one-time-passwords (sent via text/SMS or email)
- Set expiry on the files (time based expiry or violation based expiry)
- Set default permissions associated with the shared files
- Set DRM rights associated with the files for online as well as offline access.
All of these controls stay in effect for the entire lifecycle of the document, even after it’s changed hands. You can do more to protect confidentiality, too, such as forbidding printing and screenshots. And of course you can remove all or some access to a document at any time on any device, and even wipe the file from the target device regardless of who owns it, if you fear it may be at risk of theft or leak, or if it’s gone to the wrong person.
Are you able to tell where your data’s been and when it was there?
Last but not least, ask yourself if you can compile a complete and easy-to-read account of where your sensitive documents and data have been from beginning to end. That means being able to tell when a document was first encrypted or shared, when it changed hands, who shared it and who received it, and when copies were made, among other events.
Being able to do this is essential if you’re in an industry with strict compliance requirements like finance, healthcare and legal. When regulators come knocking, you don’t want to be scrambling to put together your audit trail reports. Using a platform like Vaultize allows you to automatically compile complete audit trails as documents are created and shared.
But keeping complete records of a document’s history is critical even if you’re not subject to rigid industry regulations. Simply put, for legal and financial reasons, you will need to know what went wrong when data is leaked or stolen. And notice that I say when data is leaked or stolen, not if. In today’s online, BYOD (bring your own device) business world, it is almost inevitable that in some way your data will go astray. That is why maintaining a complete audit trail of all of your important documents matters: it lets you shut down access to compromised items quickly, minimizing damage, and identify where a breach or leak occurred so you can patch the hole.
Most platforms don’t allow you to automatically track and record document movement, but it’s an essential feature to look for as you continue to develop and improve your data security strategy. Vaultize’s platform not only tracks your documents for you, it allows you to easily version each stored document so you can review how documents have changed, revert to previous versions, or provide proof of iteration if your industry regulations require it.
Cyber security threats are getting worse and will continue to do so in 2017. Breaches are getting bigger and costlier. Global damages from data leakage will be in the billions next year. National Cyber Security Awareness Month is a convenient reminder to make sure you’re prepared and doing everything you can to avoid making the front page as the victim of the next big leak. Choosing a data security platform that’s easy to use, allows you to control documents in your partners’ hands and compiles a defensible audit trail automatically is one big step to staying ahead of threats.
We’d love to talk to you about your current data security strategy and answer any questions you might have about better protecting yourself. Please contact one of our solutions managers if you’re concerned about your risk.