As we approach the cusp of the second decade in the 21st century, Corporate India is staggering towards recovery from a decade of data penetration and breaches by external persons, organizations, and in some cases even enemy state-backed organizations.
But I ask you this simple question. Who can cause you more damage: a thief who has entered your house and has limited time and freedom of movement to find, secure, and escape with your precious life’s work, or your trusted employee who knows where you keep your valuables and knows your schedule, and who one day becomes disgruntled?
Historically, outsiders typically carry out the data breaches that make the news. Outsider threats are generally the threats that have been addressed with traditional security measures such as Firewall, DLP, Gateway Protection, etc. Let us call these a function of Data Security.
The risks of insider threats are largely ignored compared to outsider threats. Insider threat breaches can cost hundreds of thousands of dollars (often millions more). Companies are increasingly aware of the risks that insiders pose to the company’s data security today compared to the past. It is the threats that originate from inside that are much more difficult to prevent and detect using one-size-fits-all security measures. The function of these would be categorized as Data Protection.
- Insider threats contribute to more than 64% of data breaches in any organization (Digital Guardian).
- 36% come from ignorant or careless user actions that inadvertently cause security breaches.
- 52% of employees see no security risk to their employer in sharing work logins (Insider threat personal study, ISDecision).
The net result is that Indian companies are incurring approx. Rs. 54,210 per employee per year as the cost of data breaches. The European Union, much more so than the U.S.A., has known and recognized this fact since the late 1990s and laid down legislation to that effect. We must strive to understand how to go about securing our own unstructured data, so we must ask ourselves the following questions:
- WHAT Data is truly Sensitive?
- WHO Should have Access to it?
- HOW is the Data to be Handled?
- WHEN should the Protection Policy (in your organization) change?
- WHERE Should the Data be Protected?
In large and complex organizations human error permeates the answering of the above: data that is sensitive to one part of the organization may not be to another; a well-meaning employee could erroneously share that data outside the organization; or, worse yet, a malicious insider could decide to use that data for his or her own benefit, thereby hurting the organization.
Therefore it becomes critical to take the decision making out of the hands of the users and make it an organization-wide POLICY DRIVEN decision which can be enforced through role- or user-based access control policies.
Now how do we do that? In short: you already have enterprise security in place for external threats; you must simply complete the “Enterprise Security Puzzle” keeping your internal threats in mind. To put it simply, you must answer the above questions for yourself, put policies in place (usually hundreds) to take the decision out of the hands of the user, choose the right software tools to enforce these hundreds of policies in your regular course of work, and make sure to evaluate the policies and make necessary changes after the fact.
Why should this matter to you?
Setting aside for a moment that the RBI (for Banks and NBFCs), IRDAI (for Insurance Companies and Brokers), and SEBI (for Listed Public Entities) have already issued guidelines for Data Protection which will soon become tangible law with a roadmap for implementation, data protection has (briefly put) been known to increase security, improve compliance, decrease costs, and improve productivity, not to mention reduce the monetary loss arising from security breaches.
It is simpler to say all these things than to act on them, because each organizational environment is both different and complex. But here is the silver lining to this dark and ominous cloud: THIS HAS BEEN DONE IN THE EU FOR THE LAST 20+ YEARS. The products developed by OEMs for that market have encountered all the above problems and many more, and have been effective despite them. I mention the EU because the guidelines issued by our regulators are based on the laws already enacted by the EU. So, in effect, A BEST PRACTICES GUIDEBOOK IS ALREADY WRITTEN FOR YOU.
You’ll ask yourself:
- Can I Enforce Corporate Policies?
…and the guidebook will tell you: that the solutions on offer enforce corporate policies and do not rely on users to know, understand, reason with, or be willing to apply policies to data.
- Can I allow it via any media?
…and the guidebook will tell you: that the solutions on offer allow data to be shared via any media and still uphold corporate policies.
- Can I have a zero-extra-click environment to achieve it?
…and the guidebook will tell you: that some of the solutions on offer do not impact users’ workflows, as they do not require users to click on any extra buttons, pop-ups, or combo boxes; the remaining ones impact them minimally.
- Can I avoid onboarding “externals” into my systems, and avoid requiring them to own a software licence?
…and the guidebook will tell you: that some of the solutions on offer do not require enterprises to onboard or manage “external users’” identities, while the others involve a varying degree of complexity in their solution.
- Can I then know who did what, when, and how?
…and the guidebook will tell you: that the solutions on offer deliver a comprehensive audit trail that enables leveraging SIEM tools to do data analytics.
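To make the policy-driven approach above concrete (the WHAT/WHO/HOW/WHEN questions, enforcement independent of the sharing medium, and an audit trail a SIEM can consume), here is an added illustration in Python. It is not code from the article or from any vendor product; the sensitivity labels, roles, policy table, and sample requests are constructed for the example.

```python
import json
from datetime import datetime, timezone

# Constructed sensitivity labels, least to most sensitive (answers WHAT).
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "RESTRICTED": 3}

# Constructed policy table (answers WHO and HOW): for each role, the most
# sensitive label it may read and the most sensitive label it may send
# outside the organisation. Held centrally, never edited by end users.
POLICY = {
    "staff":   {"read": "INTERNAL",     "share_external": "PUBLIC"},
    "finance": {"read": "CONFIDENTIAL", "share_external": "INTERNAL"},
    "legal":   {"read": "RESTRICTED",   "share_external": "CONFIDENTIAL"},
}

AUDIT_LOG = []  # one JSON line per decision, ready for SIEM ingestion


def evaluate(user, role, action, label, channel):
    """Decide one request and record it. The channel (email, USB, chat...)
    is logged but never changes the verdict, so the same policy holds over
    any medium. Unknown roles, actions or labels are denied by default."""
    ceiling = POLICY.get(role, {}).get(action)
    allowed = (ceiling is not None and label in LEVELS
               and LEVELS[label] <= LEVELS[ceiling])
    AUDIT_LOG.append(json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "action": action,
        "label": label, "channel": channel,
        "decision": "ALLOW" if allowed else "DENY",
    }))
    return allowed


def review(log):
    """Count DENY decisions per (role, action): the evidence for deciding
    WHEN a policy needs revisiting, e.g. a role blocked daily on one action."""
    counts = {}
    for line in log:
        rec = json.loads(line)
        if rec["decision"] == "DENY":
            key = (rec["role"], rec["action"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    evaluate("asha", "finance", "share_external", "CONFIDENTIAL", "email")
    evaluate("asha", "finance", "read", "CONFIDENTIAL", "fileshare")
    print("\n".join(AUDIT_LOG), review(AUDIT_LOG), sep="\n")
```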
Secure Information Sharing Enabled
The work has already been done for you; now it becomes a matter of “ORGANISATIONAL WILL”. Will you and your organisation take the lead?
As I come to the end of my article, I would like to thank each and every one of you for taking the time out to read it, and more so for the effort you have put in to understand how it pertains to your organization. Thank you!
Views expressed in this article are the personal opinion of Utkarsh Morarka, Head- Businesses Development, IndusOne Business Solutions Pvt. Ltd.