One innocent mistake, one disgruntled employee, one fired IT administrator who wants revenge, and the losses start piling up – credit card records, intellectual property, your company’s reputation, hundreds of thousands of dollars in fines, breach of trust and privacy lawsuits. The pain goes on and on. I want to propose several ways to beef up your internal security.
Data Access Governance
Verizon’s latest Data Breach Report counted more than 11,698 incidents of insider and privilege misuse. No matter how secure your network is, it takes only one person, one simple error or one bad intention to create a pathway for a criminal.
Let me illustrate with an example. Sue, the product design assistant, has a lot of personal debt she cannot pay. The creditors keep calling. One evening she gets a phone call from someone who wants a single blueprint from her company – and they are willing to pay her $150,000, completely wiping out her debts and leaving her with cash to spare. What’s a single blueprint at such a large company?
One recommendation Verizon makes is to watch for actions that facilitate data transfer out of the organization. Sue’s company has that. The network at Sue’s company contains a strong data access governance system. Sue is allowed to access design information but within specific parameters: between 8am and 8pm Monday to Friday and only from her local desktop. She’s not allowed to download anything because her role in the department isn’t senior enough to be able to work from home. The second she does download something, IT and her boss immediately receive an alert, allowing them to investigate what’s going on.
Almost every company has people who are vulnerable, be it to strong persuasion or those easily taken in by good social engineering and poisoned links. Strong data access governance that can trace the who, what, when, where, and how of each access event is a good start.
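The rules in Sue’s scenario (weekday business hours, local desktop only, view but no download, alert on anything else) as a small access-policy evaluator. This is an added example, not code from the original article or from any Whitebox product; the role name, field names and sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed policy for the role in the example: weekday business hours, local desktop only, view-only.
ROLE = "product_design_assistant"
POLICY = {
    ROLE: {
        "weekdays": {0, 1, 2, 3, 4},      # Monday=0 .. Friday=4
        "hours": (8, 20),                 # 08:00 inclusive to 20:00 exclusive
        "sources": {"local_desktop"},
        "actions": {"view"},              # "download" is deliberately absent for this role
    },
}

@dataclass
class AccessEvent:
    user: str
    role: str
    action: str
    source: str
    resource: str
    when: datetime          # assumed to already be in the organisation's local time

def evaluate(event: AccessEvent) -> list:
    """Return the rules this event violates; an empty list means the access was in-policy."""
    policy = POLICY.get(event.role)
    if policy is None:
        return ["unknown role: flagged until the role has a defined policy"]
    violations = []
    if event.when.weekday() not in policy["weekdays"]:
        violations.append("outside allowed weekdays")
    start, end = policy["hours"]
    if not start <= event.when.hour < end:
        violations.append("outside allowed hours")
    if event.source not in policy["sources"]:
        violations.append(f"disallowed source {event.source}")
    if event.action not in policy["actions"]:
        violations.append(f"disallowed action {event.action}")
    return violations

def alerts_for(events):
    """One (user, resource, violations) tuple per out-of-policy event, for IT and the manager."""
    return [(e.user, e.resource, v) for e in events if (v := evaluate(e))]

SAMPLE_EVENTS = [  # constructed sample events, not real log data
    AccessEvent("sue", ROLE, "view", "local_desktop", "bp-42", datetime(2024, 3, 5, 10, 15)),
    AccessEvent("sue", ROLE, "download", "local_desktop", "bp-42", datetime(2024, 3, 5, 21, 30)),
    AccessEvent("sue", ROLE, "view", "vpn", "bp-42", datetime(2024, 3, 9, 11, 0)),
]
```

The first event (Tuesday morning, viewing from her desktop) produces no alert; the evening download and the Saturday VPN access each produce one, with the specific rules they broke attached so the investigator knows what to look at.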
But what about intellectual property? The volume of organizational data has spiraled out of control. Sensitive information is stored everywhere. You name it, it’s in there. Most of it hasn’t been classified; nor is it monitored. And someone may be stealing your IP right now.
Crowd-Sourcing to Protect Your Data Sprawl
Top of Verizon’s list of recommended controls is ‘make your people your first line of defense.’ The collective intelligence of the crowd strengthens security. No one knows the data better than the creators and users. Crowd-sourcing for data security is the answer to this challenge.
Crowd-sourcing to get the job done isn’t new. It’s been going on in different forms for centuries. Mathematician Francis Galton found that the mean of 800 participants’ guesses of an ox’s weight was closer to the true value than any individual guess and closer than the median (1207lb, within 0.8%): the crowd average was 1197lb; the actual weight was 1198lb. Crowd-sourced data security rests on the same principle: the collective intelligence of the crowd strengthens security by eliminating risk faster and more accurately. Data is constantly added, never removed. It is everywhere and exploding.
In most places right now, the job of managing and protecting the organizational data falls upon the understaffed and overworked IT team. Their budgets and manpower are limited. A single security team, no matter its size, cannot manage all the data stores within an organization. The larger the organization, the less likely the security officer will be able to find the business owners within the ever-increasing petabytes of information.
No one knows your business better than the people who are the heart of it – your managers and employees. Even employees with similar job descriptions have different responsibilities. Most importantly, each person has a unique perspective, a unique role to play in protecting your information.
Crowd-sourced data protection leverages those perspectives. The people who create the data know exactly the information it contains, how it relates to the other information within the company, who should be accessing it – and who shouldn’t. Give them an active role in securing it.
Crowd-sourcing gets everyone in the organization involved in data governance, compliance, and security. It gives data’s users much-needed authority in managing their data: they decide who should be accessing it, how, and when. With crowd-sourcing, everyone actively becomes part of the security process, reinforcing employees’ collective responsibility for security.
The whole is greater than the sum of its parts. Protecting the whole organization is easier when everyone participates.
About the Author
Roy Peretz is responsible for Whitebox Security's overall product strategy, bringing over 12 years of experience to this role. He gained significant experience serving in various information security roles within the Israel Defense Forces. He holds a bachelor’s degree in computer science from Israel’s College of Management.