Mitch Coopet, Co-Founder & Chief Technology Officer, Code42
Every week, whether it makes the news or not, companies suffer the consequences of an incomplete data security strategy. Just last week, health insurance provider Premera Blue Cross disclosed that attackers used phishing emails and fake websites to gain access to logins and passwords of employees, potentially exposing medical and financial information of 11 million customers. Credential theft is one of the most serious security threats affecting companies worldwide and in all industries, and it happens all the time.
Historically, corporate data was stored in servers and data centers on-premises, protected behind firewalls and other digital barriers. Today, the workplace is driven by data and that data moves with employees, wherever they may work, on whatever device they may use. The notion of protecting sensitive work data by keeping intruders out of a corporate perimeter is antiquated.
Corporations need to rethink their security programs so they protect against newer, more sophisticated attacks that don’t just target one gateway into the network, but can sneak in through multiple avenues. A complete data strategy embraces data as it moves with your employees, on all the devices employees touch and in the cloud. Here are four suggestions for CIOs and CISOs to ensure that corporate data is secure where it lands most often: the endpoints.
1. Define a Cloud Data Classification Strategy in Your Acceptable Use Policy
Take the time to define policies stating what is acceptable in terms of data consumption and storage. Do you allow cloud services? If so, which ones? What data can be stored there without violating regulations or compliance?
Classifying the data allows IT managers to determine the risk and security level that each type of data should follow. For example, you may have “red” data, or “mission critical” information, that stays on-premises for maximum security, whereas “green,” or “productivity,” data may be stored in a public cloud service, if it meets the organization’s security requirements.
When managing red and green data, a hybrid cloud, which balances convenience and security, may be the right choice for your enterprise, as it provides on-premises protection for particularly sensitive data. CIOs must make sure that whichever cloud deployment they choose is adopted in compliance with the enterprise’s needs and policies.
2. Encrypt File Systems
Given that theft of login credentials is the most common avenue attackers have into corporate systems, encrypting endpoint device file systems is where security should start. More than three in five data breach victims pinpoint credential theft as the cause of breaches, with the most recent and notable victim being Anthem. Furthermore, consider requiring the use of encrypted USB keys as part of your sanctioned media storage policy. Finally, make sure your backup systems support suitable encryption models for your organization.
3. Gain Visibility into the Data that Resides on Endpoints
When an employee loses a device or leaves the company, the IT team needs to know what data was on the device. However, few CIOs and CISOs have this visibility: only 19 percent of IT pros know how much regulated data is on endpoint devices. This is particularly important as more and more employees connect their work accounts to personal cloud accounts, such as Google Drive and Dropbox, which increases the risk of data leakage, both intentional and accidental. Continuous endpoint backup not only protects you from data loss but also helps in determining the source of a data leak or breach.
4. Empower Employees to Follow the Acceptable Use Policy
It’s the CIO’s job to make sure the enterprise is set up for success, and that includes setting policies that don’t forbid employees from using the tools they want to use, but enable them to do so while preserving data security and privacy. Too often employees use their own version of an app, or their personal accounts, which opens up the corporate network to malware and attacks if the personal account or device is compromised. The reality is that 90 percent of American employees use their smartphones for work, with or without the company’s permission. If employees reject the tools introduced by their IT team, the enterprise has not only wasted money, but may also hold a false belief that its data is secure. CIOs can get employee buy-in for policies by choosing elegant, user-friendly technology and making the policy as restriction-free as possible while maintaining security visibility.
As technology and workplace habits evolve, enterprises need to adapt to the notion that corporate data security is a moving target. When CIOs and CISOs were asked a decade ago how they addressed the intersection of security, cloud and mobility, they said, “We’re not going to allow cloud services or BYOD.” Today that just isn’t feasible, or smart. Forward-thinking executives realize that for security to work you have to follow the data. Today, the data is in the cloud and the endpoint, not just the data center.