Read the other posts in our Securing Collaboration series below:
- How to Get ISO 27001-Ready
- Oversharing Challenges in Microsoft 365
- How to Find Sensitive Content in Office 365
- Sensitive Info Identifiers in Office 365
- 5 Risk Management Challenges in Office 365
- Top 5 Microsoft 365 Security and Compliance Center Features and Tricks
- Office 365 Governance in an Always Online World
- When to Upgrade From E3 to E5 for Stronger Microsoft 365 Data Protection
Thanks to a perfect storm of events like the EU GDPR—which had already changed the entire global regulatory landscape over the past couple of years—the California Consumer Protection Act (CCPA), China’s CyberSecurity Law, the Schrems 2 decision, and a global pandemic, one thing is clear: the new normal for privacy laws will be fundamentally different going forward.
After this year of increased data breaches, heightened consumer awareness, and some very serious and ethically questionable choices from large technology vendors, one of the largest challenges we face not only in the world of cybersecurity but also in our new “data-driven society” is how we prioritize our efforts, focus our attention, and pinpoint the issues that we really need to address. How do we find the signal we have been looking for in the noise of our information society?
The reality is that the world of a security officer and security team is increasingly difficult. We’re living in a world of globalizing economies, data transfer, and ubiquitous access to everything from everywhere. Data is like water; it’s rising all around us. It flows not only within our organizations, but between companies and their business partners and vendors, as well as between consumers and their devices. Needless to say, it must be protected at every turn.
We could easily drown in a tsunami of intrusion detection and prevention alerts, log management events, Data Loss Prevention and SIEM events, network intrusion detection alerts, and the increasingly overwhelming array of “false positives” (alerts that look like incidents but turn out not to be).
Cyber security and the massive, never-ending stories of data breaches have captured headlines around the world. This media attention has led to increasing consumer awareness that “they and their personal data” have become the target of cybercriminals, social hacktivists, and innocent or adversarial insiders.
At the same time, Gartner predicts that by 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations, up from 10% today. When more of the world’s population is covered by modern privacy regulations, many more online businesses of all sizes will need to implement information governance, data compliance, and privacy programs for the first time.
This is a significant risk, but also an opportunity!
Whether it is personally identifiable information (PII), health information, financial data, contract information, research and trade secrets, or intellectual property (and this list could go on and on), this kind of information has become a new kind of “currency,” and some have even called personal information the new “oil.”
Online businesses that implement the right safeguards, technologies, and infrastructure to govern and protect this new currency will find themselves with a competitive advantage while businesses that are inefficient or lackadaisical with their data management will find themselves less relevant in the market and with consumers.
With heightened consumer awareness, and with data breach fines under new legislation reaching the astronomical potential figure of up to 4% of global annual revenue, the roles of Chief Information Security Officer and Data Protection Officer have been thrust into a new spotlight of Board-level attention and scrutiny. Significant breaches may be career-ending for company executives, and as this level of attention rises, so does the potential reputational and financial damage to these organizations.
What Can CISOs Do?
So how does a CISO prioritize and reconsider their data protection and information security program in the context of a global organization and rapidly evaporating perimeters, employees accessing data from everywhere, and business owners convinced that “more data is always better” and that security blocks productivity?
Monitoring for potential hacks and exploits is now as commonplace as virus scanning, but this may lead some organizations to improperly rely on their existing scanning technologies while forgetting that most costly breaches come from simple failures, not from attacker ingenuity.
At the same time, it’s important to remember that “innocent actors” themselves may represent some of our weakest security links. In my experience, the most common mistake ALL businesses make when it comes to cybersecurity is focusing their data protection strategies on only keeping the outsider “out,” when in fact many breaches come from an attacker who is already inside. Whether intentional or unintentional, insiders may be the greatest threat to your data protection program; fortunately, they’re also the threat you can do the most to alleviate.
According to a 2018 survey, “Ninety percent of organizations feel vulnerable to insider attacks (and) the most common culprit of insider threat is accidental exposure by employees. Cybersecurity experts view phishing attempts (67%) as the biggest vulnerability for accidental insider threats. Phishing attacks trick employees into sharing sensitive company information by posing as a legitimate business or trusted contact, and they often contain malware attachments or hyperlinks to compromised websites.”
So trust your end users to appropriately identify and classify sensitive data they’re handling and/or creating, but verify that it’s being done. Using a combined or “layered” approach to data classification can ensure that the policies, training, and tools you are providing are being properly understood and integrated into the day-to-day tasks of your workforce.
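As an added illustration of this trust-but-verify idea (example code, not from the original post): a small Python check that scans documents for sensitive-info patterns and reports those whose user-applied label is weaker than the content requires. The documents, labels, detector names and patterns are constructed for the example.

```python
import re

# Constructed sample corpus: each document carries the label the end user applied.
DOCUMENTS = [
    {"name": "q3-pricing.docx", "label": "Confidential", "text": "Contract renewal pricing for ACME."},
    {"name": "team-lunch.txt", "label": "Public", "text": "Pizza on Friday at noon."},
    {"name": "payroll.xlsx", "label": "Confidential", "text": "Jane Doe, SSN 123-45-6789"},
    {"name": "onboarding.csv", "label": "Public",
     "text": "Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111"},
    {"name": "notes.txt", "label": "Internal",
     "text": "Order ref 1234-56-7890 is not an SSN, card 4111 1111 1111 1112"},
]

# Hypothetical sensitive-info patterns. The SSN pattern rejects area 000/666/9xx,
# group 00 and serial 0000; the card pattern is deliberately loose and is
# confirmed with a Luhn check so that random digit runs are not flagged.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

LABEL_RANK = {"Public": 0, "Internal": 1, "Confidential": 2}
REQUIRED = {"SSN": "Confidential", "PAYMENT_CARD": "Confidential"}


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of a candidate payment card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def detect_sensitive(text: str) -> set:
    """Return the set of sensitive-info types found in the text."""
    found = set()
    if SSN_RE.search(text):
        found.add("SSN")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        found.add("PAYMENT_CARD")
    return found


def verify_labels(docs):
    """List (name, applied label, required label, findings) for under-labelled documents."""
    mismatches = []
    for doc in docs:
        findings = detect_sensitive(doc["text"])
        if not findings:
            continue
        required = max((REQUIRED[f] for f in findings), key=LABEL_RANK.__getitem__)
        if LABEL_RANK[doc["label"]] < LABEL_RANK[required]:
            mismatches.append((doc["name"], doc["label"], required, sorted(findings)))
    return mismatches
```

Only documents whose content outranks the user's label are reported, so correctly labelled sensitive files (like the payroll sheet) stay quiet while the under-labelled onboarding file surfaces for review.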
Security isn’t about security for its own sake; it’s about mitigating risk at some cost, and that cost can be high. In the absence of metrics, we tend to focus on risks that are familiar or recent. Unfortunately, that makes us reactive rather than proactive, which makes it all the more important to understand how data, people and location weave together to create patterns across and within your organization.
While your automated detection technologies can help you build this program, it truly must be done in combination with policies, education, and measurement, so that organizations can appropriately balance collaboration and transparency with data protection and privacy.