Poof! Just like that the very perimeter organizations built around infrastructure, network, and endpoints to keep organizations safe is gone. Yes, we all have been saying the perimeter is gone for what feels like years now. But now, it’s really gone. This time for real, and I would argue for good.
Our world has been turned upside down. The COVID-19 outbreak is first and foremost a health crisis that demands swift action in order to keep our loved ones, students, employees, neighbors and communities safe. Organizations and institutions around the world shut down offices and classrooms, fundamentally flipping the everyday face-to-face routines we all have to the work-from-home digital realm.
What started as a health crisis is shifting dramatically to a global economic crisis. Businesses are being forced to make very hard decisions about their people, processes and spend for the sheer purpose of continuity. What we are experiencing is a wave of crisis centered on near-term survival. What we are missing is a wave that will have much longer-term impact. And it centers on the very thing the aforementioned perimeter was designed for — data security.
In a world where every employee and student is suddenly working from home, the very policies and processes organizations and institutions have put into place to secure data are rendered obsolete. We have a security crisis on our hands. It demands we, as a security industry, rethink, reimagine and rebuild what data security means in what we contend is not the new normal, but the next-normal. The information technology industry prepared us for the next-normal. Heck, they enabled it with technology like Slack, Zoom, Google Suite and Microsoft Office 365. Like it or not, the next-normal is already here and it’s in the cloud. It’s focused on collaboration, speed and simplicity. What’s not focused on collaboration, speed and simplicity? Data Security. It’s time information security catches up and catches up quick.
Data security for the next-normal
To help boards of directors and business leaders think through the data security implications of the next-normal, we put together a series of questions that cover three key areas of data risk: remote employees, departing employees and high-risk employees. Managing data risk is not only an information security issue falling squarely in the hands of the CISO. In the next-normal, managing data risk is an organization-wide responsibility, so these questions also apply to the CEO, CIO, CHRO, general counsel and line of business leaders.
We are living through the largest shift in work culture in our lifetime. The spread of the virus has forced many people to work from home. A decision that, while necessary, has put a strain on your IT and security teams. Suddenly, they are on the hook to manage data risk beyond the perimeter and do it at scale. Doing so requires some real gut-check questions:
- Do you have visibility into all employees’ off-network file activity?
- Do you know what trusted and untrusted collaboration tools employees are using?
- Do you know what data employees are moving, when they move it and where?
With the global economy headed for a downturn, many businesses are planning actions that impact their human capital — whether it’s furloughing employees, eliminating contractors or reducing their workforce. Employees are on edge. And when they’re on edge, they make decisions with data they may not normally make.
- When someone leaves your company, what do you do to ensure they aren’t taking confidential information with them?
- If an employee who is leaving returned a wiped laptop, could you determine what confidential information that employee accessed before wiping the laptop?
- If you suspect that a key employee took confidential information to a competitor, how would you investigate? How long would that take? What would it cost? Would you have enough information to pursue litigation if required?
To ensure business continuity during a crisis, it is important to have a clear picture of employees who are considered high risk. Workers could be considered high risk because of the data they produce or have access to, and/or because of their data controls and privileges.
- If one of your key employees had his/her corporate IT credentials compromised, could you detect if the account was being used to transmit confidential information outside of the company?
- Which employees have access to your most sensitive information, including customer lists, source code, product roadmaps and more? What technology are you using to detect if they misuse that information (either intentionally or accidentally)? How would you know if an employee took sensitive data? When would you know?
- What steps would you take to prevent misuse of your trade secrets by employees?
- If one of your employees accidentally shared a file outside of your organization, how would you investigate to determine whether you had any reporting obligations to regulators or customers?
- Have you educated your employees, especially privileged employees, about how to detect and avoid falling for potential phishing or malware campaigns?
Of course, this is not an exhaustive list of questions for every possible data risk scenario, but they are a baseline for assessing your level of visibility or lack thereof. With the onset of COVID-19, we are navigating some uncharted territory. The next-normal has been thrusted upon us, and it’s rooted in cloud, collaboration, speed and simplicity. If we are to survive in the short-term and thrive long-term, we must rethink, reimagine and rebuild how we do data security. We’re here to help.