This article originally appeared in Forbes.
I want you to think back to before the pandemic. Before we all worked at home, lost track of what day of the week it was and instituted mandatory happy hours on Zoom. Back then, in-person brainstorming, whiteboarding and water-cooling were an integral part of my company’s culture. We build complex software with a lot of moving parts. Our highly skilled team has to work closely to make sure all the pieces fit.
I’m fascinated by how collaboration is evolving. Now, instead of grabbing a conference room for an impromptu design session, we’re on Zoom or sharing a document to get the job done. And I don’t think the tech sector is unique. Leaders of knowledge-creation teams in every industry are seeing drastic changes to culture and collaboration.
I am also watching these changes from a security professional’s perspective with trepidation. Pandemic fears and work style changes are undeniably raising the risk of data loss. Government sources and industry research back these fears up:
Of course, threats to data security were on the rise even before the pandemic. Enterprise data is surging and harder to manage than ever before. (How many cloud-based storage and productivity apps store your data now compared to five years ago?)
IDC forecasts 80% of all enterprise data will be unstructured by 2025. Unstructured data is not organized in a consistent way, as it is in a database. The files and documents created and managed by employees, for example, are typically unstructured. And data that is hard to find, hard to evaluate and hard to protect is a recipe for a big security blast radius.
Here are a few things your security team can do to stay safe now and after we’re all back in house:
This is the “principle of least privilege,” and it’s a good philosophy to use on every account (not just IT admin accounts) to minimize the blast radius, should account credentials be stolen.
(either inside or outside of your company). Because sharing is incredibly easy for end-users, it’s vital to quickly identify and remediate violations. Oversharing happens whenever data access settings are too permissive, files are stored in “open” locations or sensitive files are not marked as such. Pause to think about the implications here — one business-critical document that’s overshared with even a small percentage of your workforce is far more likely to be lost. A document erroneously placed in a broadly shared folder, for example, faces the cumulative risk of credential theft from any of that folder’s members. Again, a bigger blast radius.
While they’re great for sharing forms and company information, it’s not so great when someone drops a sensitive personnel file or M&A document in one. This happens all the time — now more than ever as people seek quick avenues for collaboration — so it’s one of the most important sources of risk to manage.
Duplicate or near-duplicate files stored in disparate locations (like Box or as a G Suite document) should all have the same permissions for sharing. It’s wishful thinking to believe your work is done once you’ve located and protected the original file. You have to keep looking across all of your locations.
It will stop trouble before it happens. An employee sharing intellectual property with one of their personal accounts, for example, is a red flag for IP theft.
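The duplicate-file point above can be checked mechanically once you have an inventory of files and their sharing settings. The sketch below is an added example, not code from the article or from any product: the inventory format, the `find_permission_drift` function and all paths and addresses are constructed for illustration. It matches exact duplicates by content hash only (near-duplicates need fuzzy matching) and does not expand group membership.

```python
import hashlib
from collections import defaultdict

# Constructed inventory: (location, path, content bytes, principals the copy is shared with).
INVENTORY = [
    ("box", "/Finance/Q3-forecast.xlsx", b"q3 forecast v1",
     {"cfo@example.com", "fpa@example.com"}),
    ("gdrive", "/Shared/All Staff/Q3-forecast.xlsx", b"q3 forecast v1",
     {"cfo@example.com", "fpa@example.com", "all-staff@example.com"}),
    ("gdrive", "/HR/handbook.pdf", b"handbook 2020", {"all-staff@example.com"}),
    ("box", "/HR/handbook.pdf", b"handbook 2020", {"all-staff@example.com"}),
    ("box", "/Legal/nda-template.docx", b"nda template", {"legal@example.com"}),
]


def find_permission_drift(inventory):
    """Group copies by content hash and report groups whose sharing sets differ.

    For each drifting group, returns the principals common to every copy
    (the baseline) and, per copy, the principals beyond that baseline.
    """
    groups = defaultdict(list)
    for location, path, content, shared_with in inventory:
        digest = hashlib.sha256(content).hexdigest()
        groups[digest].append((location, path, frozenset(shared_with)))

    findings = []
    for digest, copies in groups.items():
        acls = [acl for _, _, acl in copies]
        if len(copies) < 2 or len(set(acls)) == 1:
            continue  # a single copy, or identical sharing on every copy
        baseline = frozenset.intersection(*acls)
        findings.append({
            "sha256": digest,
            "baseline": sorted(baseline),
            "copies": [
                {"location": loc, "path": path, "extra": sorted(acl - baseline)}
                for loc, path, acl in copies
            ],
        })
    return findings


if __name__ == "__main__":
    for finding in find_permission_drift(INVENTORY):
        print(finding["sha256"][:12], "baseline:", finding["baseline"])
        for copy in finding["copies"]:
            print("  ", copy["location"], copy["path"], "extra:", copy["extra"])
```

Any copy with a non-empty `extra` list is shared more broadly than its siblings and is the one to review first.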
So, what goes into a workable, effective data security strategy? There are three crucial steps you need to take:
A typical organization has millions of files and documents containing data that’s potentially important. About 27% of it is sensitive or critical to the business. There’s no need to invest too much energy on the documents and files that aren’t.
Just as not all of your files are critical to the business, not all of your business-critical files are at risk. Focus on data that’s both critical and at risk (about 3% of all your unstructured data), and you’ll face a far more manageable problem.
Keep looking and fix oversharing issues continuously and immediately.
In the not-so-distant past, the task of discovering and categorizing the data contained in millions of user files was akin to trying to find the wreck of the Titanic in the North Atlantic. The vast ocean kept her veiled for decades, but advanced technology — in the form of a deep-water camera platform — eventually found the ship on the seabed.
Data security has long relied on dated search technologies and hit-or-miss user mandates (i.e., user-supplied sensitive data identification) to locate and protect business-critical data. Now, emerging artificial intelligence solutions are our deep-water camera platforms, giving us the ability to find and identify even the most well-hidden files and data. Take this time to secure remote collaboration and keep your business moving forward — securely.