We’ve all made mistakes when it comes to security. Whether that’s accidentally hitting “Reply All,” mistakenly sending a report to Sam in sales instead of Sam in finance, absentmindedly clicking on a questionable link, or forwarding an email that contained sensitive information farther down the thread.
A productive, successful, collaborative workplace requires employees to share information quickly and efficiently. However, that information is often sensitive in nature and increasingly costly should a breach occur - the average data breach costs have risen to US $4.35 million in 2022.
Therefore, for tech leaders, this means implementing a multi-layered approach to security, allowing companies to embrace and prioritise data protection, while, at the same time, ensuring employees are empowered to share data confidently and securely.
This is a delicate balance to achieve. These are the steps you can take to mitigate the risks involved:
Focus on Zero Trust
Security ecosystems used to be simpler and confined to a clear network perimeter. That’s no longer the case as multi-cloud environments expand, user endpoints multiply, accelerated by the introduction of the ‘extended enterprise’ and the major shift to remote working. As a result, threat actors have a larger attack surface and number of access points to go after, fuelling the need to shift to a Zero-Trust approach.
By implementing Zero Trust framework that pairs data protection with strong, federated identity management, you can ensure every user and every system is treated with equal caution when it comes to accessing and sharing data.
Adopt security that travels with the data
The average enterprise has over 500 applications that data is either stored in, shared from, or travels through - email, file sharing platforms, SaaS applications and cloud environments. Every application amplifies the risk of a data breach without the right protection in place - but what happens when that data leaves your network?
If you implement a data-centric security strategy this will protect data with object-level encryption. It will essentially wrap each file or message with its own distinct layer of protection, making data sharing far more manageable.
Another benefit of data-centric security is that it protects the data itself, everywhere it travels, leaving you with greater flexibility for the future. This is instrumental in setting yourself up for success in a security landscape that evolves so rapidly. By protecting the data — everywhere it travels—you have the flexibility to adopt new tools and vendors, equipping your employees with the collaboration and data sharing tools they want to use. With data-centric methodologies, you can be confident that your strategy is sustainable for the future. With this mindset, you’ll choose vendors and partners that align with your approach and can provide you with full control over your own data, everywhere it goes.
Streamline the user-experience
Generally, employees need to make a trade-off between convenience and security. Authenticating their identity for multi factor authentication adds a step to the log-in process. Encrypting an email adds an additional step to sending. Slowing down and taking a moment to examine a suspicious email takes some conscious effort.
The key to getting employees to adopt your security recommendations and tools is to make them truly simple, seamless, and easy to use.
Look for solutions that are integrated natively within both Gmail and Microsoft Outlook, so that users can easily encrypt emails and set access controls with the flip of a switch. In addition, look for solutions that allow the recipients to easily verify their identity so they can access emails without the need for creating separate credentials.
The end-user experience is critical to consider. Your executive team, customer success teams, and sales teams place high value on making a good impression, and they want to put their best foot forward. If they know your encryption tools are going to be clunky or create hurdles for their customers, they probably won’t use them.
But if you adopt a solution that empowers your employees with ease of use and security, it’s a win-win.
Allow for human error
Human error is inevitable which means a ‘safety net’ is needed for when employees don’t make the right decisions.
Look for solutions that allow you to choose how to put certain DLP rules in motion: Equip your organisation to automatically encrypt certain types of data or warn users when potentially sensitive information is detected in an email. For example, an organisation could choose to always encrypt emails containing a bank account number, but in cases of an address or phone number being shared, they could issue a warning to the sender and allow them to make the final decision. That reminder can be a useful nudge to get employees to think about securing their data, so many administrators use it as an educational opportunity.
Setting the parameters
Data sensitivity is nuanced, and each situation may call for its own parameters for sharing data. Put the control into the hands of the end user, give them options for setting parameters around how their data can be used. Select solutions that provide the ability to revoke access to files or messages at any time. If a third-party vendor experiences a breach, or a certain file was inadvertently shared, or the user mistakenly hit “Reply All,” access can be immediately revoked, even if that file has already been viewed by the recipient.
This gives the employee an opportunity to correct their own mistakes. Rather than hoping their data doesn’t end up in the wrong hands, they can take control immediately, at any time.
Now that’s empowerment.
Sébastien Roques-Shaw, Director of Partnerships, Virtru