There’s no going back to the simpler days. In today’s cloud-first environment, there is a heightened sense of concern about security, and the challenges managing it are greater than ever. Today, data can enter and leave an organization from a number of apps, locations and devices, making it extremely vulnerable to security breaches. Tightening security in this porous cloud-based environment is the daunting task that CSOs must face today.
How Did We Get Here?
Consumer tech has had a major impact on the workplace. With the pervasiveness of mobile devices and cloud-based apps, the lines have blurred between work and home, when and where you work, and which devices you use. At the same time, the greater push for collaboration across an organization and beyond, to partners and to the supply chain, makes communication more seamless, data sharing easier, and security more challenging.
Further complicating the issue is the rapid growth of unstructured data, which is the largest and still-growing data type in an organization. According to IDC Global Datasphere 2017, unstructured data accounts for as much as 80 percent of the data in an organization. This data — which can come in numerous files and formats, such as text, financial transactions, PDFs, multimedia, emails, social media, and more — is easily shared, and difficult to contain and control. Unstructured data is also considered a prime and easy target for hackers to work their way into an organization.
And data breaches seem to be everywhere — from financial institutions like Equifax, retailers like T.J. Maxx, and even Hollywood studios like Sony Pictures Entertainment. In addition to these well-known targets, there are attacks that affect everyone, like ransomware, advanced persistent threats, malware, and software vulnerabilities such as Meltdown and Spectre.
On top of all these issues, the stakes have never been greater. Companies across all industries are under enormous pressure to meet regulatory compliance requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) in healthcare, the Gramm-Leach-Bliley Act (GLBA) in finance, the Payment Card Industry Data Security Standard (PCI DSS) in payments, and more.
So, what should you do? First, you have to unlearn a lot of what you thought you knew. Much of the old conventional wisdom no longer applies. Following are four key myths that need to be dispelled.
Myth 1: You Can Protect the Perimeter
With multiple entry points into an organization, there is no longer a defined and defensible perimeter. In today’s cloud-first environment, many companies no longer own or secure the servers where the data is kept. Traditional first lines of defense, such as firewalls, unified threat management platforms, and identity management and access controls, are no longer enough.
Myth 2: Breaches Are Only External
Let’s face it, today security threats come from everywhere. Even if it’s unintentional, 43 percent of data breaches are caused internally, according to a study conducted by McAfee. Whether employees use devices that are hacked, download malware, or fall victim to phishing, they could inadvertently bring security problems into their organizations. In a collaborative environment, they might accidentally share confidential data. In fact, many of the internal breaches come from executives who have access to highly sensitive information. On the other hand, there are malicious breaches caused by disgruntled employees accessing confidential information, breaching security, and creating problems for the organization. To combat all of this, focus your attention everywhere — inside and outside the organization.
Myth 3: If You Secure the Confidential File, You’ll Be Okay
You can’t count on confidential data in a file remaining confidential. It’s easy for employees to cut and paste information from one document to another or share it via email or other means without thinking twice. For example, an executive might cut and paste financial information from a confidential document and use it in a PowerPoint presentation. To address the realities of information sharing in today’s organizations, any security measures you undertake should encompass derivative works, which protect sensitive data no matter where it ends up.
Myth 4: With Proper Training, You Can Count on Employees to Keep Data Secure
Unfortunately, it’s been shown that people are not reliable stewards of confidential information. Sometimes it’s because they forget, because they share it accidentally, or because securing a document requires them to take an additional step. Whatever the reason, you need to implement an automated, non-invasive approach to security. Make sure it’s not cumbersome, because if it is, employees may find a way to work around it.
The reality of enterprise computing today is that we live in a “zero-trust” world, as coined by Forrester. There is no place – internally or externally – and no type of data that is safe. If we embrace that truth, then we won’t be lulled into a false sense of security. We’ll realize that it is up to us to protect everything, and to keep every piece of data, in every format and in every place, secure.