“I’m not supposed to send you this but…”
I’m sure you have received an email that reads like the words above. Some of you may have even sent something like it yourselves. A message from a colleague or friend saying that they’re not supposed to show anyone but that you should look at this file or email containing sensitive data. Suddenly you’re in possession of information that was not meant for your eyes. And just like that, you’re part of a data breach. Now, I know that only extremely trustworthy individuals are reading this, so the damage from this breach is going to be minimal. It does, however, show how easy it is to misuse and lose control of sensitive data with modern collaboration tools. With no data protections in place, there are also absolutely no guarantees that the data will remain with its intended recipient(s).
Real world ramifications of modern data sharing
A recent real-world example shows the potential damage of not properly securing shared sensitive data. The extremely high-profile investigation in the United States led by Special Counsel Robert Mueller was the target of an attempt by foreign actors to discredit it. Several journalists were contacted with a cache of evidence that was allegedly from the Special Counsel’s office, in the hope that it would be published. The files contained a mix of real documents from the Special Investigation and others that either had some of their contents altered with fabricated information or were completely fake.
The assumed intention of the plan was that when the fake information was disproved the credibility of all the evidence would be called into question. If successful, this could have negatively impacted an ongoing case that has reached the level of the US Supreme Court.
How did these bad actors get their hands on the evidence? While it’s unlikely that we’ll ever know with absolute certainty, the allegation from Mueller is that the chief suspect is the defense team from the case that the evidence relates to. As part of the legal discovery process, the evidence was shared with the attorneys for the defendant. Once they were in possession of the evidence from the prosecutor’s office, there was nothing to physically stop them from doing whatever they wished with the files, other than, of course, their legal obligation to use the evidence only for the purposes of preparing the defense of their client.
And that is the problem, the same one that allowed your friend or colleague to send you the file that, by the “rulebook”, they were not supposed to send. There is often nothing in place to enforce collaboration and sharing policies. And in today’s collaborative world, where there is no shortage of ways to share information, this has become a big problem.
Why has data misuse become such an issue?
In truth, this issue has been around for years. However, limited sharing technology acted like a mechanism to prevent this happening to a certain extent. The problem is amplified today because it is now very easy to share information electronically via a variety of methods.
In the last few years we’ve seen the emergence of multiple cloud-based file sharing tools, team collaboration tools like Slack and Microsoft Teams, and sharing enhancements in enterprise web-based collaboration portals like SharePoint. Even email has evolved: it can handle much larger attachments or automatically create a sharing link to cloud storage, so we are no longer prevented from sending that large PowerPoint file to anyone we please.
Can anything be done to prevent data misuse?
Thankfully the answer is yes. In the same way that sharing tools have advanced so too have the technologies that can apply controls to what can be shared and what happens to those files when the recipient receives them. Technologies that incorporate capabilities such as Data Loss Prevention (DLP) and Rights Management – the ability to apply encryption and prevent a user from e.g. editing, saving or printing a file – when used properly can almost eliminate the issues that I highlighted earlier.
For example, the attorneys could have received access to the evidence files in a read-only format, with a timestamped watermark that incorporates the name of the user accessing them. And your colleague would have been prevented from illicitly sharing the “must see” file with you. Using technologies like these allows you to take a data-centric approach to securing your sensitive data instead of the outdated location-based approach of only securing initial access to the data repository.
Applying the appropriate data protections
The key to successful use of data-centric security tools is ensuring you use them in a way that keeps the right balance between what users want from a collaboration perspective and what the organization demands from a security and protection perspective. Go too far in either direction and you can make your situation worse – too lax and your data can be shared far too freely; too stringent and your users find an alternative way to share and collaborate. In either situation you lose visibility and control of your sensitive data.
The top three excuses I hear from organizations are “I encrypt everything in the repository – isn’t that enough?”, “I have no idea where our sensitive data is” and “our permissions are a mess”. In this current climate of non-stop data breaches and new sensitive data regulations cropping up on a regular basis to address increasing risks, none of these will stand up as an excuse in court, whether a court of law or the court of public opinion.
When I am talking with customers and partners about how to get this balance correct, I often refer to assessing the risk profile associated with the multiple use cases and then consider what are the appropriate steps and technologies to use.
What do I mean by risk profile by use case? Let’s look at a few scenarios:
- Office access: Consider a user with legitimate access rights opening a medium-sensitivity file from their work PC when they are in their office location. Since they have been granted legitimate access and they are safely within your IT perimeter the risk profile in this situation is relatively low. In this case it could be determined that the user can have full edit rights to the file in order to complete their work task.
- Mobile access: Now take that same user accessing the file from their personal device from a public location. In this scenario the risk profile has increased, therefore perhaps we want to restrict the user to having read only access to the sensitive data. The user can still access the file and continue to work but the file has now been appropriately protected in the changing circumstances. Or perhaps the document is so sensitive you don’t want to provide remote access to it at all.
And that’s the key to being successful with applying the right level of protection. It’s about recognizing how your users work and collaborate and the level of sensitivity of the data within files, and creating policies based on those factors. Then you must apply the technology to match those scenarios and data-centric protection needs.
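The two scenarios above expressed as a policy function, as an added example that is not from the original article or from any product: the names, the three sensitivity levels and the scoring thresholds are assumptions chosen for illustration. Read-only grants carry the timestamped, user-named watermark described earlier.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum

class Sensitivity(IntEnum):      # assumed three-level labelling scheme
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass(frozen=True)
class AccessContext:
    user: str
    has_access: bool        # user was granted legitimate rights to the file
    managed_device: bool    # work PC (True) or personal device (False)
    trusted_network: bool   # office location (True) or public location (False)

FULL_EDIT = frozenset({"view", "edit", "save", "print"})
READ_ONLY = frozenset({"view"})

def context_risk(ctx: AccessContext) -> int:
    """0 for a work PC in the office, 2 for a personal device in public."""
    return int(not ctx.managed_device) + int(not ctx.trusted_network)

def decide(ctx, sensitivity, now=None):
    """Return (rights, watermark) for one open request; empty rights = deny."""
    if not ctx.has_access:
        return frozenset(), None
    exposure = context_risk(ctx) + int(sensitivity)   # assumed scoring
    if exposure >= 5:        # HIGH data, personal device, public place
        return frozenset(), None
    if exposure == 4:        # e.g. MEDIUM data on a personal device in public
        now = now or datetime.now(timezone.utc)
        mark = f"{ctx.user} {now:%Y-%m-%dT%H:%M:%SZ}"
        return READ_ONLY, mark
    return FULL_EDIT, None

if __name__ == "__main__":
    # Constructed sample requests matching the two scenarios in the text.
    office = AccessContext("alice", True, True, True)
    mobile = AccessContext("alice", True, False, False)
    for ctx in (office, mobile):
        print(decide(ctx, Sensitivity.MEDIUM))
```

The decision is re-evaluated on every open, so the same user and file yield different rights as device and location change.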
Warning – think beyond standard sensitive data types
When we think about sensitive data, we often go straight to data types that are subject to various regulatory controls. Healthcare, financial or personally identifiable information (PII) are often what we look to protect first – and with good reason. However, we should think about all the different information that we have within our organization and the impact of it landing in the wrong hands.
The Mueller example is a clear demonstration that there are many cases when it would have been better if additional controls could have been placed on the content itself. It’s therefore important that you consider all the written rules and policies for the information within your organization. When you do this, it’s even more important to make sure that your technology choice for protecting what you have deemed sensitive data is flexible enough to meet all the user scenarios for collaboration and use of that data.
The problem is very real but solvable
I’ve personally lost count of the number of times that I’ve seen a presentation or document labelled “internal use only” – but for an organization that isn’t my employer. In fact, I’m probably already approaching double figures for this year alone. We shouldn’t fall into the trap of thinking that it’s just a few documents and the file is being shared for the right reasons. Accidental data leaks are on the rise and a recent report into breaches in the healthcare industry found that 28% of leaks were due to insider elements and the vast majority were accidental as opposed to an insider acting maliciously.
If files are meant to be internal, keep them that way by applying technology to enforce that requirement. Accept and address the fact that users and sensitive data are now mobile, and the associated risk profile is almost constantly changing. In the age of modern collaboration it’s vital to use data security technologies such as DLP and rights management in a way that is flexible enough to dynamically adjust to changing risk profiles, keeping sensitive data safe while allowing users to get their work done.