In the course of doing business, intellectual property and high-value information change hands like a hot potato – within the organization as well as with vendors, partners and customers. Unless appropriate guidelines and protocols are put in place identifying who should or can have access to this confidential information, organizations of any size run the risk of losing mission-critical information, whether through malicious intent or by accident. Safeguarding corporate data is vital to an organization and requires the tools, expertise and governance practices for protection—organizations must be vigilant.
High-value information—including trade secrets, product designs, merger and acquisition activity, financial data, confidential business information and the like—is often the prize for external malicious actors, but careless internal employees may unknowingly make the break-in much easier. The recent Ponemon study, “Risky Business: How Company Insiders Put High-Value Information at Risk,” found that 73 percent of the almost 700 IT security practitioners polled said their organization lost confidential information in the last year. Even more alarming, 59 percent admitted not being confident in their ability to prevent data leakage by an employee.
Most companies set their focus on protecting against the big bad wolf (the attacker) and forget that the sheep (model employees) are the highest security risk. Sales departments, C-level executives, finance and human resources pose the biggest risk to an organization, pointing to an even greater concern of non-malicious insider threats compromising sensitive data that external hackers and cyber criminals can exploit.
These statistics should serve as a wake-up call to all organizations—just how secure is your data? How much do you know about what your employees are accessing and from where they are accessing it?
Proactively taking these four steps will go a long way toward protecting your high-value information:
- Embrace encryption technology. Encryption technology is a must-have for organizations concerned with protecting sensitive data from internal and external threats. Documents and files that include sensitive data should always be encrypted, especially when they are being shared through file-sharing services rather than sitting in storage. Failing to encrypt leaves data vulnerable, and the ripple effect can be catastrophic to the organization.
- Control employee access to data and permissions. It is the responsibility of an organization to protect and value its customers’ confidential information and not allow just anyone to access it. Protocols must be put in place outlining who can access the information and what they are allowed to do with it. Employees should also be educated on their access levels and associated security policies. Regular training helps to support this need. Employees are truly the organization’s first line of defense; time should be dedicated to training them on risk mitigation.
- Use a data-centric approach. Safeguarding an organization’s systems is not enough; the data within the system must be protected individually as well. Typical security software can protect the information within the organization’s network, but what if it is extracted? This is a concern any time data is accessed, since there is always the possibility that the information will fall into the hands of an unauthorized user. Even outside the company’s four walls, data must always be encrypted.
- Implement a data security framework. A data security framework can identify where sensitive information is being stored, control permissions for who can access it and monitor the usage of those authorized users. The Ponemon study found that 70 percent of respondents could not locate confidential information in their environment—a disconcerting statistic and something that can be prevented with a data security framework.
Organizations must be vigilant in protecting any and all data that impacts the business, whether personal information or high-value work product.