Poof! Just like that, the very security perimeter organizations built around infrastructure, network and endpoints to keep corporate data safe is gone. Yes, we all have been saying the perimeter is gone for what feels like years now. But now it’s really gone, and we would argue for good. COVID-19 has turned our world upside down. What started as a health crisis became an economic crisis, followed by a security crisis. The very thing the conventional perimeter was designed for—data security—is gone. Welcome to the next-normal. Data security for the next-normal will be defined by three brutal truths.
Three brutal truths about conventional data security
The reality: We have a security crisis on our hands. The old-school ways that we follow to protect data from loss, leak, theft, sabotage no longer fit the new way we work. Our challenge as an industry is to rethink, reimagine and rebuild what data security means in what we contend is not the new normal, but the next-normal.
1. It’s impossible to identify, classify and create policies for all of your sensitive data
Almost all conventional data security tools rest on three core tenets in order to be effective. First, identify where all your sensitive data is. Second, classify your data. And finally, set policies, rules or other admin-defined parameters to block it from leaving the organization. These tenets have become the foundation for the category everyone loves to hate—data loss prevention. Here is the irony. As a security leader, the efficacy of any conventional data security you purchase rests not on the efficacy of the security vendor you selected, but entirely on the foresight of your security team. The reality is that security teams can’t possibly know where all sensitive data lives. No one can. So tenet one of conventional data security sets you up not only for a false sense of security, but for failure.
2. It’s incredible to think you will get away with blocking user productivity and collaboration
Hypothetically, for fun, let’s say you could account for every sensitive file in your organization. Even then, you can’t just lock down all these files. A lot of this information lives among collaborative users and cross-functional teams, partners, consultants, even customers. This brings us to fatal flaw two: blocking. You realize this quickly as waves of employees storm the security department with pitchforks and torches exclaiming, “You’re preventing me from getting my work done!” So you end up writing all sorts of exceptions to your security policies, or more commonly, turning off blocking altogether—aka running in “monitor mode.” In the process, you’ve taken the very teeth out of the policy-based, prevention-centric security tools you’ve invested in to protect your organization.
3. It’s unfathomable to believe prevention strategies erase all sensitive data vulnerabilities
The third brutal truth of conventional security tools like DLP: You don’t know when you’ve been beaten. If a file event happens off the corporate network, or the employee action falls outside the defined rules or policies, you won’t see it. According to the Code42 Data Exposure Report 2020, 37% of employees use unsanctioned tools on a weekly basis to get their work done. In practice, that means users are already finding ways around classification and policy-based prevention methods; and you have no idea, which leaves your corporate data vulnerable.
Data vulnerability has never been more rampant than it is today. While conventional data security is intended to stop data threats and mitigate risks, it does nothing to shine a light on your data vulnerabilities. Ironically, the identify, classify and policy-based approach in essence creates data vulnerabilities by providing a false sense of data security. Let’s face it, conventional solutions like DLP no longer meet the needs of today’s workforce, which is more mobile, self-sufficient, productive and collaborative than ever before. Given the current market conditions, the harsh reality is that data vulnerabilities are not going to subside anytime soon. Work from home is here to stay; employees will always use the tools they want to get their jobs done; and like it or not, the corporate workforce is in a constant state of change.
Three considerations for security leaders and practitioners for the next-normal
Take these three steps into consideration as you rethink, reimagine and rebuild your data security strategy in a post-COVID-19 era.
1. Seize your seat at the culture table
Enterprises will be changing up their culture over the next few years. Baby boomers are retiring. GenXers are climbing the ranks. GenY and GenZ make up 59% of the global workforce. The cultures of the past are not made for such a diverse, digital, mobile and collaborative workforce. No wonder CEOs say talent management is the #1 business enabler. Like it or not, the next-gen workforce is defining the corporate culture and, with it, new attitudes about data.
- Data entitlement: 72% of employees believe their work is their property
- Data portability: 8 of the top 10 data exfiltration vectors are cloud-based
- Data invisibility: 37% of employees use unsanctioned tools weekly to do their job
- Data exploitation: 60% of employees admit to taking data with them from job to job
These attitudes about data are driving the insider risks and vulnerabilities manifesting inside the organization. According to the Code42 Data Exposure Report 2019, 89% of information security leaders believe the fast-paced cultural model of their business puts their company at greater risk of data security threats. Moreover, 77% say that the most significant risk to an organization is employees doing their jobs however they want, with no regard to data security protocols or rules. Given the attitudes of the next-gen workforce around data—entitlement, portability, invisibility, exploitation—shouldn’t the CISO be at the center of the culture change? Shouldn’t the CISO be sitting at the table with the CEO, CIO, CHRO and line of business leaders talking about culture change and the data security implications, possibilities and solutions? We think so.
It’s time security leaders and practitioners were viewed as business enablers and not blockers. It’s time for CISOs to claim their seat at the culture table. It’s time the CISO became a partner in driving the very data-driven, performance-based and collaborative culture businesses need to succeed. If 80% of enterprises will transform their culture by 2021, then it’s the CISO’s job to secure that culture.
2. Know your data vulnerabilities
The decision to send employees to work from home is driving the largest shift in work culture in our lifetime. A decision that, while necessary, has put a strain on IT and security teams. Suddenly, they are on the hook to manage data risk beyond the perimeter and do it at scale. Remember, 37% of employees use unsanctioned tools on a weekly basis to get their work done. With COVID-19, that number just doubled, and with it a massive data vulnerability problem. If security is to seize its seat at the culture table, then it had better have the evidence for how culture change creates more data vulnerability, threats and risk. Because in the next-normal, managing data vulnerabilities, threats and risks will be an organization-wide responsibility. Doing so requires some real gut-check questions:
- Do you have visibility into all employees’ off-network file activity?
- Do you know what trusted and untrusted collaboration tools employees are using?
- Do you know what data employees are moving, when they move it and where?
In the 2019 Code42 Data Exposure Report, IT and security leaders were asked whether their company had experienced a data breach in the last 18 months, and what the cause of that breach was. Half of information security leaders said employee actions, and 45% said third-party actions (contractors, partners, vendors). Incidentally, only 28% cited external actors (e.g. cyber criminals via malware). If half of the data breaches were caused by employees pre-COVID-19, and now, post-COVID-19, nearly all employees are working from home, wouldn’t you want to know your data vulnerabilities? We think so.
3. Embed security throughout the employee lifecycle
With the global economy headed for a downturn, many businesses are planning actions that impact their human capital—whether it’s furloughing employees, eliminating contractors or reducing their workforce. Employees are on edge. And when they’re on edge, they make decisions with data they may not normally make. Here are some questions to ask as you assess your security posture:
- When someone leaves your company, what do you do to ensure they aren’t taking confidential information with them?
- If an employee who is leaving returned a wiped laptop, could you determine what confidential information that employee accessed before wiping the laptop?
- If you suspect that a key employee took confidential information to a competitor, how would you investigate? How long would that take? What would it cost? Would you have enough information to pursue litigation if required?
To ensure business continuity during a crisis, it is important to have a clear picture of employees who are considered high risk. Workers could be considered high risk because of the data they produce or have access to, and/or because of their data controls and privileges.
- If one of your key employees had his/her corporate IT credentials compromised, could you detect if the account was being used to transmit confidential information outside of the company?
- Which employees have access to your most sensitive information, including customer lists, source code, product roadmaps and more? What technology are you using to detect if they misuse that information (either intentionally or accidentally)? How would you know if an employee took sensitive data? When would you know?
- What steps would you take to prevent misuse of your trade secrets by employees?
- If one of your employees accidentally shared a file outside of your organization, how would you investigate to determine whether you had any reporting obligations to regulators or customers?
- Have you educated your employees, especially privileged employees, about how to detect and avoid falling for potential phishing or malware campaigns?
The next-normal: Entering uncharted territory
Of course, this is not an exhaustive list of considerations for every possible data risk scenario, but it is a baseline for assessing your level of data vulnerability and risk for the next-normal. With the onset of COVID-19, we are navigating some uncharted territory. The next-normal has been thrust upon us, and it’s rooted in cloud, collaboration, speed and simplicity. If we are to survive in the short term and thrive in the long term, we must rethink, reimagine and rebuild how we all do data security.