It’s undeniable, in the wake of the high-profile breaches of 2022/23, Cyber Security leaders have been asked more questions about their data security strategies than ever before.
As such, The Missing Link has been asked to assist more companies than ever in understanding their data risk posture and implementing Data Security Controls. This short thought piece will document the key challenges I have seen Security Professionals struggling with and some potential solutions and strategic thinking you should consider when engaging with the board.
Data Security, Data Protection, Data Loss, Data Leakage or Protective Data Security, it doesn’t matter what you call it, it is complex. Many organisations have made significant investments in addressing the problem, yet here we are.
Every week, we learn about a new customer or employee data breach. So, where should we start? Irrespective of your existing investments, it is critical to begin with your data.
The Privacy Problem
The present catalyst: Thanks to the unprecedented impact of the Optus and Medibank breaches, business executives are asking questions such as:
- What data do we have?
- Where is it?
- How long have we had it?
- Who has access to it?
- How do we regain control of our data?
Make no mistake; these are not easy questions to answer. Even organisations with good data governance practices need help managing the proliferation of data across stores. Your users move and store data in more places than ever, most of which are SAAS applications, and many are unsanctioned.
If you are reading this article, there’s a good chance this topic is top of mind for you. Perhaps you’ve been asking the same, or one or more of the above questions have been asked of you? Moreover, perhaps you are seeking reassurance that the data you think you have is precisely where you think it is. An important first step is to begin by scanning your repositories and producing a “Data Risk Assessment”.
Many of our customers face the same challenge, and increasingly, what they think they know isn’t always the case. This is one of the most common exercises The Missing Link conducts on behalf of our customers. With the aid of the industries’ leading technologies, we capture and document the exact Data Risk Profile for organisations, specifically answering the above questions. The information in this report assists our customers in 3 ways:
1 – Quick win remediations such as excessive retention and over-permissive access rights
2 – Automatic tagging of data (“data tags”) simplifies the enforcement of acceptable use, as covered later)
3 – Inform your new Classification Policy as discussed in the next section.
Articulating the exact problem is essential when building your Data Security business case. Let me be clear here: Data Security is an expensive problem; significant investments in technology, time and resources will be required. If your board members receive the message, “She’ll be right”, you will unlikely receive their backing to tackle the problem head-on.
The Data Classification Problem
Ask yourself this: does my company’s Data Classification Policy make sense?
Most companies have a classification policy; it is a requirement of standard security frameworks such as NIST CSF and ISO27000. However, most companies have taken something that they have found online or drafted a policy that resembles something out of their favourite Whitehouse drama. It almost certainly uses terms such as “Sensitive”, “Secret”, and “Confidential”. Perhaps the consummate data professional can put a ruling line over where data fits one classification or another. However, end users must interpret and enforce the use of data in line with the classification policy. If you ask a handful of your users how data should be classified, you will likely receive different answers. Depending on how they work with the data and at different times of day, you may receive different classifications for the same data set.
Now ask yourself this; what if I implemented a Data Classification Policy that was less ambiguous? What if I used “Personal Information”, “Payment Data”, “Proprietary Data”, or terms specific to your industry? Would that make more sense to a Lehman? Would that leave less room for interpretation?
Once you have developed a classification policy appropriate for your business, it is also imperative to document what constitutes acceptable vs. unacceptable use. These definitions are an essential piece of the puzzle, and it is vital that you address specific values as acceptable or unacceptable. Again, specific values are essential, leaving no room for interpretation or ambiguity. This exact behaviour is acceptable, but outside of these values is not. Having well-defined boundaries will allow you to build effective guardrails and enforcement policies.
The Data Protection Problem
It is evident that organisations have previously invested in addressing this problem; it is where the war stories come from. But what can organisations do differently to improve their Data Security Posture and ultimately realise better ROI from their toolsets? First, let’s look at some of the complaints of a traditional DLP deployment.
- DLP controls are noisy (alert fatigue, false positives, significant management overhead, etc...).
- DLP controls are complex to manage (multiple enforcement points, complex policy management/maintenance, etc..)
- Decentralised data stores (on-prem, Cloud, SAAS, managed/unmanaged applications etc.)
- Transient workforce (BYOD, work from anywhere, mobile devices etc.)
So, how do we regain control of these solutions?
First, your employees represent a significant risk to a data breach event. The OAIC’s notifiable data breach report (July – Dec 2022) identified that 25% of all notified breaches were due to human error. If you have followed the process above, we should now be able to implement practical “guard rails” and enforcement policies to protect your organisation against those events.
You must also understand where your data goes; traditional DLP vendors will discuss endpoint, email and web. However, it is crucial to understand how your users work with data during the day. For example, in a recent Netskope cloud report, they found that 85% of all web traffic is to Cloud applications. What are those applications? Are they sanctioned or unsanctioned, and can users upload to those services? Do you have visibility and control over how users interact with these?
Teachable moments are a potent tool to add to your toolkit. Users will often not breach a DLP policy if they know they are about to. Classic examples are personal vs. corporate Dropbox/OneDrive/Google Drive usage, online PDF editors, personal email and social media usage (Hotmail, Gmail, Facebook, LinkedIn, etc.), print, copying to USB or incorrect email recipient. Consider solutions that intervene when a user is about to breach your policy. Rather than raising an alert or blocking (someone must investigate the alert and decide whether action is required relating to a breach of conduct), the user could be informed of the policy and redirected to a sanctioned service, or they could be given the option to back out of the activity. Would that enforce and cultivate a better data protection culture within your organisation? Would that help you to reduce the management overhead and false positive events?
Finally, it is possible to manage these controls disparately; however, to simplify your Data Security strategy, consider a solution that will deliver central policy and event management. As with any governance practice, regular reviews and improvement cycles should be incorporated into your operations, refine your acceptable usage policy, and adjust your DLP policies in alignment with acceptable use. Doing this from a single location will not only reduce administrative overheads, but it will also speed up implementation and eliminate end-user confusion for policies being implemented differently across different gateways.
Your data is your most valuable asset, and safeguarding it with confidence comes down to having the right partnerships. Data security is a journey, not a destination, and the path to a secure future comes down to making informed decisions and having the right data security strategy. That’s where the Missing Link can help. Reach out to our data security specialists.