Oversharing and The Cybersecurity Blast Radius

This article originally appeared in Forbes.

I want you to think back to before the pandemic. Before we all worked at home, lost track of what day of the week it was and instituted mandatory happy hours on Zoom. (I don’t know if you can mandate happiness, but I do know a happy hour works to get us together once a week). Before, in-person brainstorming, whiteboarding and water-cooling was an integral part of my company’s culture. We build complex software with a lot of moving parts. Our highly skilled team has to work closely to make sure all the pieces fit.

Collaboration and Data Access Governance

I’m fascinated by how collaboration is evolving. Now, instead of grabbing a conference room for an impromptu design session, we’re on Zoom or sharing a document to get the job done. And I don’t think the tech sector is unique. Leaders of knowledge-creation teams in every industry are seeing drastic changes to culture and collaboration.

I am also watching these changes from a security professional’s perspective with trepidation. Pandemic fears and work style changes are undeniably raising the risk of data loss. Government sources and industry research back these fears up:

  • The FBI and CERT say pandemic-related cybercrime has dramatically increased. Online fraud reports have quadrupled as pandemic concerns sweep across the country. Fraudsters prey on the thirst for Covid-19 details to phish for information. Unfortunately, stressed-out at-home employees are targets, and their corporate credentials are the prize.
  • Industry research quantifies an increase in risky data sharing by end-users. Overshared document counts are up by 52%, and the number of overshared files per employee has jumped from 38 to 105 since the pandemic. This makes intuitive sense: Whiteboard sessions and face-to-face conversations have been replaced by shared documents.
  • Unemployment is at record levels. Fear, social isolation and stress ratchet up the risk from insiders, either after they lose their jobs or in anticipation of the worst.

Of course, threats to data security were on the rise even before the pandemic. Enterprise data is surging and harder to manage than ever before. (How many cloud-based storage and productivity apps store your data now compared to five years ago?)

IDC forecasts 80% of all enterprise data will be unstructured by 2025. Unstructured data is not organized in a consistent way, as it is in a database. The files and documents created and managed by employees, for example, are typically unstructured. And data that is hard to find, hard to evaluate and hard to protect is a recipe for a big security blast radius.

Data Security Recommendations

Here are a few things your security team can do to stay safe now and after we’re all back in house:

  • Ensure each account has access to just the data the user needs.

    This is the “principle of least privilege,” and it’s a good philosophy to use on every account (not just IT admin accounts) to minimize the blast radius, should account credentials be stolen.

  • Develop the capability to spot overshared documents (either inside or outside of your company).

Because sharing is incredibly easy for end-users, it’s vital to quickly identify and remediate violations. Oversharing happens whenever data access settings are too permissive, files are stored in “open” locations or sensitive files are not marked as such. Pause to think about the implications here — one business-critical document that’s overshared with even a small percentage of your workforce is far more likely to be lost. A document erroneously placed in a broadly shared folder, for example, faces the cumulative risk of credential theft from any of that folder’s members. Again, a bigger blast radius.

  • Pay special attention to public folders.

While they’re great for sharing forms and company information, it’s not so great when someone drops a sensitive personnel file or M&A document in one. This happens all the time — now more than ever as people seek quick avenues for collaboration — so it’s one of the most important sources of risk to manage.

  • Remember that consistency is key.

Duplicate or near-duplicate files stored in disparate locations (like Box or as a G Suite document) should all have the same permissions for sharing. It’s wishful thinking to believe your work is done once you’ve located and protected the original file. You have to keep looking across all of your locations.

  • Prioritize visibility and monitoring.

It will stop trouble before it happens. An employee sharing intellectual property with one of their personal accounts, for example, is a red flag for IP theft.

Steps for Better Data Access Governance

So, what goes into a workable, effective data security strategy? There are three crucial steps you need to take:

  • Find and categorize your business-critical data.

A typical organization has millions of files and documents containing data that’s potentially important. About 27% of it is sensitive or critical to the business. There’s no need to invest too much energy on the documents and files that aren’t.

  • Identify at-risk files.

Just as not all of your files are critical to the business, not all of your business-critical files are at risk. Focus on data that’s both critical and at risk (about 3% of all your unstructured data), and you’ll face a far more manageable problem.

  • Stay sharp.

Keep looking and fix oversharing issues continuously and immediately.
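The recommendations above (spotting overshared and publicly linked files, sharing to personal accounts, and duplicates with inconsistent permissions) and the three-step triage (keep only files that are both business-critical and at risk) can be expressed as a small inventory check. This is an added example, not code from the article or its author; the inventory, the corporate domain `example.com` and the consumer mail domains are constructed placeholders.

```python
"""Overshare triage over a constructed file inventory (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field

CORP_DOMAIN = "example.com"                                   # assumed corporate domain
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}  # assumed consumer mail domains


@dataclass
class File:
    path: str
    store: str                 # where it lives, e.g. "box" or "gsuite" (constructed)
    content_hash: str          # same hash in two stores => duplicate copies
    sensitive: bool            # result of step 1: business-critical or not
    link_sharing: str          # "restricted", "org" (anyone in company) or "anyone"
    shared_with: list = field(default_factory=list)


def risk_reasons(f: File) -> list:
    """Oversharing indicators that apply to one file (step 2: is it at risk?)."""
    reasons = []
    if f.link_sharing == "anyone":
        reasons.append("public link")
    if f.link_sharing == "org" and f.sensitive:
        reasons.append("sensitive file in company-wide folder")
    for addr in f.shared_with:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain in PERSONAL_DOMAINS:
            reasons.append(f"shared with personal account {addr}")
        elif domain != CORP_DOMAIN:
            reasons.append(f"shared externally with {addr}")
    return reasons


def inconsistent_duplicates(files: list) -> dict:
    """Copies of the same content whose sharing settings disagree across stores."""
    groups = defaultdict(list)
    for f in files:
        groups[f.content_hash].append(f)
    return {h: g for h, g in groups.items() if len(g) > 1
            and len({(x.link_sharing, frozenset(x.shared_with)) for x in g}) > 1}


def triage(files: list) -> dict:
    """Keep only files that are both sensitive and at risk, with the reasons."""
    out = {}
    for f in files:
        reasons = risk_reasons(f) if f.sensitive else []
        if reasons:
            out[f.path] = reasons
    return out


INVENTORY = [  # constructed sample data
    File("/HR/personnel/review.docx", "box", "h1", True, "org"),
    File("/Finance/MA-deck.pptx", "gsuite", "h2", True, "restricted",
         ["cfo@example.com", "me.personal@gmail.com"]),
    File("/Public/forms/expense-form.pdf", "box", "h3", False, "anyone"),
    File("/Finance/MA-deck copy.pptx", "box", "h2", True, "anyone"),
    File("/Eng/design.md", "gsuite", "h4", True, "restricted", ["dev@example.com"]),
]
```

Running `triage(INVENTORY)` flags the HR file, both M&A copies and the personal-account share, leaves the non-sensitive public form out, and `inconsistent_duplicates(INVENTORY)` reports the two M&A copies whose permissions disagree.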

In the not-so-distant past, the task of discovering and categorizing the data contained in millions of user files was akin to trying to find the wreck of the Titanic in the North Atlantic. The vast ocean kept her veiled for decades, but advanced technology — in the form of a deep-water camera platform — eventually found the ship on the seabed.

Data security has long relied on dated search technologies and hit-or-miss user mandates (i.e., user-supplied sensitive data identification) to locate and protect business-critical data. Now, emerging artificial intelligence solutions are our deep-water camera platforms, giving us the ability to find and identify even the most well-hidden files and data. Take this time to secure remote collaboration and keep your business moving forward — securely.
