New to Office 365? Here’s an all-access tour of Office 365’s security and governance features.
Cybersecurity, hacking, and the threat of data breaches are topics that have moved from the dark shadows of the halls of three-letter government agencies to the evening news and front-page headlines. From Marriott to Facebook, there is a continuing balancing act to sharing information that we choose to share with whom we choose to share it while simultaneously protecting information we wish to keep private.
Living in our increasingly social world has and will continue to present a paradox with personal privacy. At the same time, organizations worldwide are constantly looking for new and innovative ways to organize, transform, manage, and monetize enterprise-wide content and knowledge to facilitate collaboration and reduce costs. The issue is that these central information repositories have the potential to become a treasure trove of sensitive and unprotected information within many enterprise organizations.
This trend makes these environments a potential target for cyber threats and attacks. Breaches often stem from incorrect assumptions about data protection, including a false belief that “someone else” is responsible for protecting data at different stages of its existence. Security and data protection aren’t just a job for your CISO and CPO; they’re everyone’s responsibility every day. If security and privacy practitioners get a good sense of what the business is doing today and know how users are interacting with data as part of their jobs, they can better determine policies and procedures and implement the appropriate technical controls.
Rising to the Occasion
While it’s possible to build better and better systems, it’s also possible that those systems can be compromised. Just as there is no such thing as perfect security, there’s also no such thing as a perfect policy, procedure, or technical control. The closest thing we have to this today is a person, their data, the context of that data, and the discipline and tools required to monitor it properly.
To that end, one of the largest challenges we face not only in the world of cybersecurity but also in our new data-driven society is how we prioritize our efforts, focus our attention, and pinpoint the one issue out of a million that we really need to address. In other words, how do we find the correct signal among the noise of our information society?
The reality is that the world of a security officer and security team is increasingly difficult. There’s so much to account for that it’s easy to feel overwhelmed. This includes things such as:
- Intrusion Detection and Prevention alerts
- Log Management
- Data Loss Prevention and Security Information and Event Management (SIEM) events
- Network intrusion detection alerts
- Any “false positives” that might pop up
Growing Societal Awareness
Cyber Security and the massive and never-ending stories of data breaches have captured headlines around the world. This media attention has led to increasing consumer awareness that their personal data has become the target of these cybercriminals, social hacktivists, and innocent or adversarial insiders.
With consumer awareness and data breach fines under new legislation like the EU General Data Protection-now at a potential astronomical figure of up to 4% of global annual revenue— the role of Chief Information Security Officer and Data Protection has been thrust into a new spotlight of Board-level attention and scrutiny. Significant breaches may be career-ending for company executives, and as this level of attention rises, so does potential reputational as well as financial damage to these organizations.
Next Steps
So, how does a CISO prioritize and reconsider their data protection and information security program in the context of rapidly evaporating perimeters and employees being able to access data from anywhere? More difficult still, how does a CISO deal with business owners focused on the misguided conception that “more is always better” when it comes to data, and that security blocks productivity in a data-driven economy?
Focus on preventing failures. Monitoring for potential hacks and exploits is now as commonplace as virus scanning, but it can be a mistake to rely on your existing scanning technologies. The majority of costly breaches come from simple failures rather than attacker ingenuity.
Prevent “innocent actors” from leaking data. Every day employees in your organization may represent some of your weakest security links. In my experience, the most common mistake ALL businesses make when it comes to cybersecurity is focusing their data protection strategies on only keeping the outsider out; in reality, many breaches come from someone who’s already inside. Fortunately, this is the threat you can do the most to alleviate.
One of the most prominent types of leaks come from phishing attempts. According to a 2018 survey, “Ninety percent of organizations feel vulnerable to insider attacks (and) the most common culprit of insider threat is accidental exposure by employees. Cybersecurity experts view phishing attempts (67%) as the biggest vulnerability for accidental insider threats. Phishing attacks trick employees into sharing sensitive company information by posing as a legitimate business or trusted contact, and they often contain malware attachments or hyperlinks to compromised websites.”
Trust and verify. Trust your end-users to identify and classify any sensitive data that they’re handling, but verify that they are doing so appropriately. Using a combined or “layered” approach to data classification can ensure that the policies, training, and tools you are providing are being properly understood and integrated into the day-to-day tasks of your workforce.
