While talking to a CISO recently, I asked him what kept him up nights. A data breach, he said. He sees data leakage happening among organizations of all sizes and heading it off feels like an impossible challenge.
Breaches can occur in many ways. We’ve all heard about the big hacks that expose thousands or millions of records with sensitive personally identifiable information (PII), valuable trade secrets, private communications or other valuable intellectual property.
Unfortunately for my CISO friend and his peers, cyberattacks from hackers aren’t the only nightmares when it comes to the risk of data leakage. Insider leaks through malice, negligence, carelessness or simple ignorance are as much a threat to data protection and privacy.
Recently, the Ponemon Institute’s 2020 Cost of Insider Threats Global Report found that 62% of insider threats were just carelessness by employees, not malicious attacks. The report also found the number of insider threats has climbed by 47% in the last two years and the cost of those incidents has gone up by 31%, from $8.76 million to $11.45 million.
And those statistics were compiled before COVID-19. With the shift to remote work caused by the pandemic, the potential for insider leaks is rising. As noted by Deloitte: “The pandemic may increase the risk negligent or malicious insiders may pose to critical assets and data. Given this ‘new normal,’ there is value in proactively refining current approaches to better protect critical assets given emerging threats.”
How can CISOs refine current approaches and address these multiple challenges in ways that are effective as the future is increasingly shaped by cloud computing, remote work and widely distributed digital supply chains?
One of the most important technologies in addressing both external attacks and insider threats is data loss prevention (DLP). DLP technology has been around for more than a decade, but it has typically been an on-premises solution affordable to only the largest enterprises. Over the past few years, DLP has been embedded in specific applications, such as email, but a comprehensive, cloud-based approach has not been available.
That has changed, however, and enterprises of all sizes can now leverage cloud-delivered DLP that can be integrated at every control point in the organization. This modern approach to DLP is critical today. Because more organizations are using cloud-based applications (for videoconferencing, file sharing, email, you name it), sensitive data is now stored everywhere. Because of that, your information is at risk.
But just as the cloud is causing disruption, it can also come to the rescue. For organizations that are committed to protecting their data, a cloud-delivered DLP approach is key.
Existing DLP Is Challenging
Existing DLP systems are typically complex, expensive and inaccurate. Effective DLP is only accessible to very large enterprises that are willing to spend millions of dollars on deployment, operation and management.
Most legacy approaches are difficult because they’re not one-click installs right out of the box. They require integrating many third-party tools, such as agents, proxies and PAC files. Legacy approaches are also plagued by false positives: they erroneously flag everyday data as sensitive and force an administrator to manually look through all the alerts to determine which ones are correct.
With cybersecurity professionals already hard to find, having talented people work on the repetitive task of managing infrastructure is a waste of resources. CISOs would rather have those people focus on cyberattacks and more sophisticated threats out there.
Adopting an on-premises DLP approach means spending to purchase a license, which is a big-ticket item. The hardware is another large purchase (databases, servers and proxies), and of course, the maintenance of that system often requires a large team.
Embrace the Cloud Future
The average U.S. enterprise now uses over 1000 services on the cloud, everything from collaboration apps to HR tools. Many of these apps are Software as a Service (SaaS), where all the action takes place in the cloud and the security of those files is outside the company’s firewall, in the hands of the cloud service provider. The amount of data floating on the cloud that needs to be secured is vast and growing.
With a cloud-based DLP, you don’t need to manage all that complexity. You don’t need to deploy that hardware. You don’t need to have lots of people spending their time doing repetitive tasks.
A cloud DLP approach puts machine learning and automation within the reach of all organizations. It levels the playing field so that a medium-sized organization can have the same level of protection as a very large organization.
It also ensures up-to-date compliance. Data regulations are not only constantly increasing in scope, but new ones appear regularly, and keeping up with them is a burden. A cloud approach can track all the regulations in a centralized way and automatically add all the patterns and types of information that the organization needs. It can even provide compliance templates.
A cloud data loss prevention approach offers a better way when it comes to data security. Of course, you should still establish a baseline for data loss prevention, if you haven’t already. I recommend the following best practices:
- Visibility: Know what data your organization has and where it is stored. Is it on the public cloud, on devices, on your organization’s private cloud? Is it everywhere?
- Notification: Alert users when they’re about to put information at risk. Let them know if they’re trying to upload something that is sensitive in a place that has public access. For example, alert a staffer who has 20 files with credit card numbers stored in their Gmail account. Telling people how they’re handling sensitive information is a key step to improving security.
- Education: Make an effort to offer training on stronger security. Maybe the company has a corporate encrypted file where sensitive information can be shared securely, but employees don’t know about it. Some companies have seen a reduction of 50% or more in the risk of data loss just by educating people about security practices.
- Protection: Eventually, in some cases, the system will have to actively prevent a transfer of information. The guardrails will have to stop the user and warn “You can’t upload this document to the cloud because it’s too sensitive.” The system may even go an extra step and move the file to a secure location, encrypt it and forward the user a protected link to access it securely.
Information is everywhere in an organization. Putting a firewall around your system is not enough when your own people can leak sensitive information without meaning to, by sharing the wrong file or attaching it to the wrong email. To protect data on any application and any infrastructure, CISOs have to protect every link in the chain. Cloud-based work makes this more difficult, but a cloud-based DLP approach will let you sleep better at night.
Mario Espinoza is Vice President of Data Protection at Palo Alto Networks.