Is modern collaboration exposing your business to data loss?
Cloud collaboration solutions came into their own during the pandemic, enabling people to work remotely during lockdown when they could no longer go into an office. For many organizations it led to a permanent change in the way they work and a new dependency on cloud services. Benefits have been easy for them to grasp; some of the risks, however, are less understood.
The hard fact is that modern ways of working have significantly increased risk exposure. The good news, though, is that the dangers of data loss that come with remote working can be mitigated. We see this mitigation as a way to augment the out-of-the-box security that comes with Software-as-a-Service solutions like Microsoft 365, depending on your risk profile.
While vendor protection in the cloud is very strong, it’s important for businesses to remember that their data is ultimately their own responsibility. Faced with increasingly sophisticated cyberattacks, it makes sense for them to harden their data security with additional layers of protection.
Assessing the risk
A good starting point is to evaluate your risk profile and identify the most valuable assets inside your organization. It could be your pricing information, personally identifiable information about customers, payment card information or social security numbers. It might be trade secrets about the business – intellectual property, manufacturing processes or activity around mergers and acquisitions.
The hard reality is that it’s much easier for users to share potentially sensitive information in the cloud than in the old on-premise environment, where you had to put in a request to access files and folders and permissions were rigorously managed. Now you can simply click ‘share’ in any cloud-based collaboration application and a document is delivered to someone who may or may not be on an approved list. An entire folder can be shared, which not only grants access to the documents it contains but also to new ones generated in the future.
For IT heads and security managers it’s a conundrum. The business wants to give employees collaboration tools that make them productive, regardless of location, but that has to be balanced with security measures that are robust without being excessively restrictive to working practices.
Managing the risk
Built-in permission protocols that come with cloud software inevitably leave gaps that businesses would be wise to fill. With Varonis, Ergo looks to do it in a way that is discreet but effective, and starts by answering some fundamental questions: Where is your data? Who has access to it? And what type of data is it?
We have a data discovery process that is precise in answering these questions, because you can’t reduce risk if you don’t understand how your data is exposed. We will classify sensitive and regulated data that is shared and stored across data stores and cloud apps; we provide dynamic dashboards and reports to give real-time insights into the risk posture and any problems with regulatory compliance.
There is no doubt that some sectors, such as finance, pharmaceutical, government and legal, have more crown jewels to protect than other businesses, but the fundamentals of good data security apply to everyone and start with being proactive. That means archiving old data, moving it somewhere safe, where integrity and confidentiality are maintained while making sure it’s less exposed. You only want to make access easy to data that is in use and relevant.
Detecting unusual behavior
The average employee can access 17 million files on day one, according to Varonis, which presents control challenges that are compounded by employees leaving, joining or changing roles. Coupled with this is an explosion in data growth that has led to an ever-expanding attack surface and lack of clarity on who has access to what.
Rules can be put in place to eliminate data exposure from shared links and to cut back on excessive permissions. We also have analysis tools, powered by AI, that learn behavior baselines and detect anomalous behavior – someone downloading a certain classification of data for the first time or a PPS number going out in an email. Automatic alerts can be set up to bring such actions to the attention of the security team and kickstart remedial action.
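The two alert types named above can be sketched as follows. This is an added example, not Varonis or Ergo code: the event fields (`user`, `action`, `classification`), the sample events and the email text are constructed, and the PPS check uses the public mod-23 check-letter rule to cut false positives.

```python
import re

# PPS shape: 7 digits, a check letter, then an optional second letter.
PPS_RE = re.compile(r"\b(\d{7})([A-W])([A-IW]?)\b")
WEIGHTS = (8, 7, 6, 5, 4, 3, 2)
CHECK_LETTERS = "WABCDEFGHIJKLMNOPQRSTUV"  # index = weighted sum mod 23


def find_pps_numbers(text):
    """Return PPS-shaped strings whose mod-23 check letter is valid."""
    hits = []
    for digits, check, second in PPS_RE.findall(text.upper()):
        total = sum(int(d) * w for d, w in zip(digits, WEIGHTS))
        if second and second != "W":  # second letter adds 9 * its position
            total += 9 * (ord(second) - ord("A") + 1)
        if CHECK_LETTERS[total % 23] == check:
            hits.append(digits + check + second)
    return hits


def first_time_downloads(baseline, new_events):
    """Flag downloads of a classification the user never downloaded before."""
    seen = {(e["user"], e["classification"])
            for e in baseline if e["action"] == "download"}
    alerts = []
    for e in new_events:
        key = (e["user"], e["classification"])
        if e["action"] == "download" and key not in seen:
            alerts.append(e)
            seen.add(key)  # alert once per user/classification pair
    return alerts


# Constructed sample data (hypothetical audit-log records and email body).
BASELINE = [
    {"user": "alice", "action": "download", "classification": "internal"},
    {"user": "alice", "action": "download", "classification": "pii"},
    {"user": "bob", "action": "download", "classification": "internal"},
    {"user": "bob", "action": "view", "classification": "pii"},
]
NEW_EVENTS = [
    {"user": "alice", "action": "download", "classification": "pii"},
    {"user": "bob", "action": "download", "classification": "pii"},
    {"user": "bob", "action": "download", "classification": "pii"},
]
EMAIL_BODY = "My PPS is 1234567T and the invoice reference is 7654321A."

if __name__ == "__main__":
    print(first_time_downloads(BASELINE, NEW_EVENTS))
    print(find_pps_numbers(EMAIL_BODY))
```

Viewing a classification does not count towards the download baseline here, so bob's first `pii` download is flagged even though he has opened such files before.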
What it all comes down to is making intelligent decisions about who needs access to data and who doesn’t, and using tools to ensure the rules are adhered to in a way that doesn’t detract from teams collaborating and the productivity of the organization.