According to Martin Sugden, CEO, Boldon James, in a world where data loss is costing organisations millions of dollars in fines, there is not one organisation who should not have data protection at the top of their agenda - especially in the current climate with workers spread more remotely than ever.
The trouble with the security software landscape today is that many solution providers are promising “one-size-fits-all” tools; something that on the surface can offer everything your organisation needs but are often too good to be true.
The challenges with “one-size-fits-all” solutions
Many businesses, when observed from the outside, can appear to have similar problems that need to be resolved. However, when you really delve into their processes, almost every medium to large organisation is unique. Each will operate against slightly different regulatory frameworks and use different tools to achieve their goals. Many will have also grown, some through acquisition, or experienced growth at different times, with the result that their equipment and infrastructure is peculiar to them.
I think the biggest single failure in large corporates is that the annual budget cycle, and the need to respond to market conditions, often makes security an afterthought. Against this background, the CISOs and CDOs are trying to combat well established would-be hackers and meet the requirements of an increasingly onerous regulatory and compliance regime. They then need to explain these issues to their senior management in order to get the appropriate funding. After all of this, you can see why there is a temptation to reach out for a labour-saving miracle cure; skipping the planning stages and going straight in with packaged products which promise the capability to do everything.
The problem with this is that they are committing large parts of their budget to a solution that can lack the bespoke tailoring needed in order to meet their specific requirements. They are also often focusing on the high-profile issues such as data theft by nation state actors (hacking) and forgetting, or ignoring, the fact that roughly 50% of data loss is leakage through human error. People simply make mistakes whilst trying to get their day jobs done under pressure, and events like COVID-19 enhance this. We are all now using tools that we may not be familiar with, and the training that is required to make sure your user community does not leak sensitive information when using them can be much more difficult when working remotely. There is a lot of sensitive information now being shared from unstructured data sources and via insecure channels; it may be going via email to a number of different people before being stored in the structured environment, such as a HR database, that it was meant for.
However, we know that any security control implemented in an organisation imposes operating constraints on the business, so the tools need to work as a whole in the exact way you need – not the way that someone thinks you should work to be worth the investment. For example, badly deployed DLP, or overly aggressive post-delivery controls, can make the organisation lose faith in the solution and make you roll back even the sensible controls you have in place.
GDPR mandates Security by Design
The GDPR legislation in particular talks about ‘Security by Design’. Organisations need to think about and understand their business processes in order to develop a solution that meets their needs. Often, once they have done this, they realise that the multiple automated security tools they have in place do not fully meet their requirements or cannot be modified as their needs change.
By incorporating a data classification strategy, businesses are able to understand the sensitivity of their information and can treat it accordingly. According to Gartner, “Data classification policies provide an important foundation to help organisations address the handling of sensitive data. The policies should be easy to follow and flexible so that data is appropriately protected, and business is not adversely impacted.”
For example, lots of files look the same and have similar information; it is very difficult for an automated tool to tell the difference between a regional sales report, a team sales report, and a global sales report. That automated tool is going to give the reports the same label, despite the potential security implications if each one is classified in the same way. The only person able to do that effectively is the original creator of each document.
Data Governance throughout your supply chain
Another area that every organisation needs to focus on more effectively, and one of the reasons why the “one-size-fits-all” automated tools really start to drop into the background, is third party risk. When sharing data throughout their supply chain, the off-the-shelf solution is not going to be suited to the environments that these companies are operating in. The problem with that is that without having some clear definition of what your data is, it can be impossible to manage it outside of your organisation.
Metadata is the usual method for storing the classification with your information, but for protection of your information, the classification must be cryptographically bound to your information (this prevents your sensitive document becoming insensitive). Also, to further simplify information sharing, the metadata cannot be bespoke to your organisation; otherwise sharing information is made more difficult with unreadable classification metadata.
Data classification is critical for business success
With the information classified and protected using a common format, the organisation can now begin to apply access control policies to control the flow of information throughout the entire network. Who needs access to the information, the location of the user, the type of device they are using are all factors that may affect whether a user has access to the sensitive project documents.
When it comes to data protection and security within your organisation, the solution you choose is going to have multiple touchpoints with business processes and productivity tools. Therefore, when looking at building your security ecosystem, you are going to want a wide range of complementary security and data management solutions to avoid having a serious mess to resolve at some point. And remember, “Sometimes buying the cheapest thing is the most expensive route”.
