
Prevalent Security Control Mechanisms To Protect Files – And What Needs To Be Done To Truly Fight Data Leakage

By ISBuzz Team. May 30, 2017. Updated: July 4, 2024. 7 Mins Read

In today’s cyber world, it is much easier for files containing sensitive, regulated or confidential data to be accidentally exposed or purposefully exfiltrated. There are a lot more ways for authorized personnel to use and share files, for network share resources to be unintentionally exposed, for files to be readily emailed, and for hackers and malware to potentially obtain files. These factors have culminated to create a new data leakage frontier.

No matter the industry, file security data leakage risks are becoming all too prevalent. The last two years brought an onslaught of successful phishing attacks targeting W-2 documents with employees’ tax and identity information from dozens of major, household-name organizations across industries. Companies must be conscious of important documents like these circulating internally and externally.

Retail, for example, is an often seasonal field. The onboarding and turnover of employees and temporary workers creates a steady stream of human resources documents that are prime targets for hackers. Manufacturing organizations exemplify the collaboration risk as well. Much of manufacturers’ intellectual property lies in files shared with global suppliers, partners, and contractors, files that may contain highly sensitive CAD designs, blueprints, defect rates, formulas, performance information or manufacturing plans.

Collaboration enables many businesses to succeed, but it is an unfortunate reality that it also introduces significant data protection and privacy compliance issues that risk and compliance managers should be highly attuned to.

With this in mind, here are a few trends in data security to keep an eye on in the coming year.

  • New E.U. Privacy schemes for U.S. companies

The new Privacy Shield replaces the old Safe Harbor to help U.S. companies comply with European privacy requirements for shared data. This will all be replaced in May 2018 by the E.U.’s General Data Protection Regulation (GDPR). The GDPR applies to any organization holding or processing personal data of E.U. residents, which means that any company doing business with or in Europe probably will be affected. And the penalties for violations of GDPR are serious, ranging from about $10.5 million (€10 million) or 2 percent of the company’s worldwide annual turnover to $20.9 million (€20 million) or 4 percent of turnover for more serious violations.

This gives organizations a strong incentive to prevent data leakage at any point within the enterprise or in the supply chain. They cannot depend solely on encrypting databases and network links.

  • Misinformation and fake news

Propaganda and information warfare are not new, but their role in the 2016 presidential campaign demonstrated just how powerful a weapon information can be. Misinformation can be effective and easy to use, and we can expect it to be a common feature in public discourse in the coming year.

Information that is stolen, leaked or otherwise exposed can be manipulated and used for unintended purposes. Even accurate information can be misused to damage or embarrass the source organization or a third party. If it is not accompanied by the appropriate controls, information in the hands of an outsider can be edited or altered to create a false impression. Data today must be protected not only as a valuable asset, but as a potentially dangerous weapon.

  • The insider threat

This threat also is not new. But as perimeters disappear and information becomes more mobile, the definition of an “insider” has become much broader, extending beyond your own employees. Contractors, suppliers and customers can all have legitimate reasons to access your data. All of them represent an insider threat, either from the potential for malicious activity or from simple human error.

All of these people—and increasingly, machines as well—are using your information. This makes it imperative that information be secured throughout its lifecycle, in use as well as in storage and transmission, and regardless of who is using it.

According to an Enterprise Management Associates (EMA) research report, State of File Collaboration Security, more than 50 percent of respondents experienced frequent file data leakage incidents. This survey of mid-tier to large companies in North America revealed that more than 84 percent of respondents believed that their organization had only moderate to no confidence in their security controls and auditing capacity to secure files.

Interestingly, many businesses don’t realize that the threat of file data leakage and actual incidents not only adds reputational risk but introduces compliance liabilities ranging from fines and loss of business transactions to possible imprisonment as well.

Plus, the survey showed that more than 90 percent indicated that potential file exposures due to files leaving cloud-based repositories and mobile containers were the most significant inhibitors to cloud-based file collaboration.

As companies invest in new enterprise and cloud-based content management systems, security has to be as important a consideration as usability. Within an on-premise or cloud repository, organizations can expect comprehensive file governance including provisioning, rights management, auditing and retention.

So how can an organization protect its documents and take measures to further reduce the risk of file data leakage as documents leave the secure repositories or containers? And how can they have assurance that controls are intact?

There is a variety of file security controls that organizations are applying to reduce data leakage risks due to the diversity of users, networks, devices and applications that can be used to share files: Email file security, Network file share access control, Secure File Transfer Protocol (SFTP), File application invoked encryption, Mobile Device Management (MDM), Enterprise and Cloud-based Content Management, and Digital Rights Management (DRM).

Of the file protection methods listed above, however, the majority lack necessary persistent access controls, usage controls or means for successful adoption by users outside an organization. Many of the controls simply involve allowing secure network access to a file, or the encryption and decryption of files between authorized users. Therefore, once the recipient has local access to the file, other controls, such as preventing further sharing of the file, limiting its use, or tracking subsequent access and use, are no longer active. Nor do these systems have a means to delete a file after it is local, having been removed from a repository or container. File-based digital rights management (F-DRM) solutions address many of these file collaboration control limitations and more.

F-DRM platforms allow organizations to reduce file data leakage risks through file encryption, access and usage control. As these approaches are agnostic to file storage, distribution and content management, they can work with popular applications, devices, cloud storage, content management systems and collaboration tools to bolster file security. F-DRM solutions employ both strong encryption, applied on a per-file basis, and usage controls. These usage controls include file traceability and often the means to remotely delete files even after they have been distributed. As a file security overlay, F-DRM solutions can be installed for an individual, department, business project or enterprise-wide. As in other IT projects, once a control is accepted, deployment, training, usage and administration should be coordinated.

It is a matter of when, not if, a material file data leakage incident will occur in your organization. File collaboration security does not need to be an all-or-nothing, costly undertaking. IT professionals can extend defenses today, whether through an enterprise-wide initiative or through applying these controls to specific business activities and collaboration projects. Most employees understand and want to protect sensitive information. The key is to make file security easy, intuitive and aligned to corporate policy. F-DRM solutions, when combined with other available technical controls, offer an effective and flexible means to reduce file data leakage risks across various infrastructure, collaboration methods and business requirements.

About Makoto Mizuyama


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
