Losing data is costly. According to the Ponemon Institute, the average data breach costs US organizations an estimated $200 per record, or $5.4 million total per breach. And apparently these breaches are equally likely to be from criminal attack as from employee or contractor negligence.1
It makes sense then that surveys point to data loss via unsecured file sync and share solutions as one of IT’s biggest concerns. IT professionals have spent years learning how to protect their organizations from hackers, but how do you ward off both external and internal threats when employees are seeking ways to collaborate more and more?
At Dropbox, protecting information and encouraging safe collaboration is at the center of what we do, and we’d like to share some important best practices for secure file sharing that doesn’t jeopardize productivity. It boils down to understanding your different types of data, evaluating your varying risk levels, and thinking about what works for your environment.
Why is secure collaboration such a challenge?
Here’s the rub. In this day and age, more and more data is being created and shared by the second. And with employees bringing their own tools to work, companies are struggling to maintain a comprehensive view of how workers are interacting with and exchanging that information.
It turns out that with email, FTP, USB sticks, or services like Dropbox, it’s very easy to share. But it’s really tough to share with 100% security. Why? Because if your information-sharing tools aren’t easy to use, employees won’t adopt them. And as employees become more sophisticated and tech-savvy, they’re finding creative ways to get around corporate policy, ignoring the security risks and regulatory implications of their behavior. Employees want to “get the job done” and often don’t realize how these workarounds can put the company at risk when confidential, business-critical data is involved.
Not all is lost though. By following a few simple steps, you can help better protect your data and get employees invested in keeping information safe.
Step #1: Define your data
Draw a distinction between secret, confidential, and public information.
Secret information needs to be locked down. There can’t be any risk of it being shared broadly within the organization, let alone outside your company.
Confidential is usually pretty straightforward, too. At a minimum, every organization should protect personal identity information, like customer names, addresses, social security numbers, and credit card numbers. You also need to protect financial information and intellectual property like next quarter’s sales pipeline, pre-product launch research data, or the source code for a product.
Public information is material that would create limited damage if leaked, even when taken out of context. Documents like company values statements and marketing materials that are meant to be public or could not materially impact the company may not deserve fretting over too much.
Step #2: Map your risks by data type
After you’ve defined your data, look at how your secret and confidential information is being safeguarded and shared. You want and need your team to be open and share information, so protecting it begins with understanding how people interact with it every day.
You might find that your biggest concerns don’t necessarily overlap the areas of greatest exposure. For instance, you might be worried that device theft is leaving you most exposed, when it turns out your biggest vulnerability is employees sending large files via personal email because of your corporate firewall. You won’t find vulnerabilities everywhere, but you will find specific ways in which people are putting information at risk. Once you do, you can set your defenses to match the scope of the vulnerability.
Rank the vulnerabilities you find. The lowest ones will likely be acceptable risks. And let’s be honest, there are times when you will have to accept risk. Do a cost-benefit analysis. You may find the productivity gain from a certain activity is worth a risk, or that you need to conserve limited resources to protect yourself from higher-ranking threats. You can’t protect everything 100%, nor do you need to.
Step #3: Reduce your risks
With a clear understanding of your vulnerabilities, you can now figure out what you both need and want to share. Some data should only be shared internally, while some needs to be shared externally. You can begin to build a protection system. A good approach doesn’t mean locking everything down. It’s about gaining the visibility needed to monitor and prevent threats. Use tools and processes that track your data’s movement so you know where it’s stored, how it’s accessed, and who is using it. And don’t get bogged down focusing on a single risk without understanding the broader landscape. Be consistent in how you protect your data.
Think about your vulnerabilities at three levels: the network, the device, and the people who interact with and move data around. At the network layer, your controls must be capable of analyzing network traffic to detect and, when possible, prevent sensitive data from being transmitted. The device layer includes authentication, full disk encryption, the ability to remote wipe, anti-malware protection, and other security controls. It should also cover end user education on best practices regarding sites to avoid, password reuse, and downloading files. At each level, it’s always a good policy to have at least two defenses in place in case one fails. Be as thorough as you can be.
The most difficult element of defense, as IT knows well, is the human factor. No matter what technical controls you put in place, human error can always put you at risk. You need to implement policies, set up training, and continuously educate and incentivize employees to handle data correctly. That begins with giving them tools they want to use so they won’t seek out workarounds.
Step #4: Educate, educate, educate
To deal with the human factor, develop a clear, practical information sharing policy addressing which data is secret, confidential, or public; how it should be used; and how employees will be held accountable for violations. Make sure everyone knows the policy and the consequences. Show them the stick.
But also give them a carrot. Everyone needs to feel like security is their responsibility. Teach employees that corporate data is essentially money: Losing or leaking corporate data is like leaving money out for people to pick up and use against you. Leaked data can be used to hurt a company’s brand, revenue, and trust in the marketplace, which in the end impacts people’s jobs, salaries, and stock options.
To get the message across, create a continuous feedback loop and communicate regularly. Provide ongoing, real-time notifications of risks, violations, and proper practices so consequences become real and employees know what to do. Let employees know who to contact to report risky behavior and any security incidents, and make sure they feel comfortable initiating that contact.
Step #5: Foster an environment of openness and trust
In the end, it’s next to impossible, especially with limited resources, to block off every potential channel employees could use to leak data. New workarounds are constantly emerging. So after all this work, these systems and policies, what’s left to do?
Embrace the culture shift. There’s no going back to the way things were. Employees can always find new tools that IT hasn’t put protections around yet. So at some point IT has to trust employees. Investing in locking everything down takes a lot of money and resources that most companies simply don’t have.
To really guarantee security and prevent data leakage, employees have to appreciate IT’s role in their work. They have to see IT as a partner that helps them get things done, that provides their team with access to new tools that help them do their job better. When they do, IT can ask for their help and actually get it. You can get good behavior and people will actually report incidents. Employees will want to protect the company, and the payoff goes beyond security. You’ll likely see a boost in productivity too.
It’s not about IT — it’s about the business
You can’t lock this issue away in IT. Preventing data leakage is a business-wide challenge. The more people who understand that challenge, from IT to executives to employees at every level, the more successful a company will be in protecting its critical assets. The ultimate goal is for everyone, at every level, to know how to treat different types of data, understand that data protection is critical, and act the right way every day. Be holistic and recognize that this cultural shift is a process, but one that will prove invaluable for your business.
Cory Louie is the Head of Trust, Safety, and Security at Dropbox. He formerly served as Head of Trust & Safety at Google. Before that, Cory was a Secret Service Special Agent, where he protected people but also specialized in network intrusions, unauthorized computer access, financial fraud, phishing, malware, and other Internet-based threats.
1 “2013 Cost of Data Breach Study: Global Analysis,” Ponemon Institute, May 2013