Intralinks on the state of corporate information security
The risk to corporate data has never been so great. Businesses are fending off an ever-growing range of security threats, from state-sponsored espionage and targeted attacks to new zero-day vulnerabilities, while also being forced to address their employees’ sharing habits.
Nevertheless, businesses must be able to communicate freely and effectively with both internal and external parties. Yet, this vital communication does increase the risk of sensitive corporate information falling into the wrong hands if not handled in a sufficiently secure manner.
The risk of breaches, interception or accidental leaks means that free file-sharing services and email are no longer considered viable methods of sharing documents. Now that the majority of employees can access corporate data on mobile devices, it has never been so important that enterprise security measures are extended beyond the traditional perimeter of the organisation.
Data leaks are a real and persistent threat to businesses. The risks have been highlighted by recent incidents where the Information Commissioner’s Office (ICO) has stepped in to impose fines on organisations for accidental loss of data. Incidents like these are bound to continue, damaging the affected businesses in terms of both finance and reputation. So how can businesses ensure they have the right policies in place when it comes to IT security and file sharing? And how can they ensure they don’t become the next business paying out to the ICO?
Data loss is often the result of IT struggling to keep track of users’ sharing habits outside of the office. Not that long ago, a corporate firewall could ensure that all sensitive data was kept secure within IT’s control. The steadily increasing trend in BYOD policies means that IT now struggles to know who is sharing data and who they are sharing it with. Popular consumer tools including cloud file sync and share (FSS) services are now being used by employees at work, making life difficult for both IT and compliance departments.
Imagine the FSS market as a pyramid, with the vertical axis representing business value. At the bottom of the pyramid is a wide breadth of adoption, where some FSS providers can now declare up to 500 million users. While these millions of users are improving their own efficiency and saving themselves time, they are creating difficulties for others within their business. One reason is that the protocols for accessing information change over time, for instance when employees join, move or leave the company. This flexibility is important, but it can become difficult for IT and compliance teams to manage these protocols and implement the correct policies to protect intellectual property (IP) against data loss if employees are using their own cloud FSS services.
More niche solutions are located at the pyramid’s peak. Their more focused adoption rates are usually aimed at solving more clearly defined business problems. These solutions provide a higher level of business value to highly-regulated organisations, enabling them to track information more easily, cut down on paper usage and allow access to the most up-to-date information available. They promote increased efficiency in sharing information which could, for example, shave a month off the time it takes to run a pharmaceutical trial, thereby ensuring the product can spend an extra month in market before the patent expiry date falls.
Businesses should ensure that any file-sharing platforms have the strongest possible capabilities to protect any information shared, while ensuring the user experience is seamless. Technologies such as Information Rights Management (IRM) make it easier for a business to manage document access and protect IP outside the corporate boundary. For increased confidence in document security, businesses can add specific permissions, such as applying a time limit after which the user will no longer be able to view the document, even if it’s already been shared or downloaded.
For legal reasons, businesses within highly regulated industries, such as banking or the pharmaceutical sector, need to be completely confident that sensitive documents detailing information about customers, contracts or medical trials remain secure. It’s also worth considering that if certain information needs to be retrieved for a legal issue, it is much easier to find the documents in question if they are not spread across 50 different systems. Compliance issues like this must be taken into account when choosing FSS technology for the enterprise.
Ownership can be key for businesses operating across multiple countries where regulations vary. If a government authority requests that an organisation’s cloud provider supplies them with certain data on a customer, this can cause difficulties for all parties involved. A solution such as Customer Managed Keys (CMK) helps to ensure that more power stays with the information owner. With exclusive control over their own encryption keys, the owner can control access to their information regardless of its physical location. If the customer disables the encryption keys, there is no danger of the service providers being able to decrypt the data or grant access to another party.
With data leak threats continuing to impact businesses, IT security is becoming a huge concern: not just for the IT department but also for the board of directors. When reviewing company security policies, both IT and the C-suite should remember that employees need to be able to work efficiently, which means being able to share information with their colleagues both inside and outside the organisation quickly and easily.
Businesses can no longer rely on a few short sentences in the general employee policy handbook to provide guidance on safe information sharing. Organisations need to take control over the huge variety of sharing tools being introduced to the workplace by employees. By giving proper guidance on how to apply the right security controls over the documents being shared and introducing a secure, friction-free sharing process, organisations can ensure that their information remains secure against leaks.
By Richard Anstey, CTO EMEA, Intralinks
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.