The COVID-19 crisis has transformed how and where we work. And that has profound implications for data security. When shelter-in-place orders started last March, IT organizations did heroic work expanding their VPN capabilities, distributing secure endpoint devices, and accelerating adoption of collaboration platforms such as Zoom, Microsoft Teams, Google Meet, and Slack. Stanford researchers have found that 42 percent of our nation's labor force now works from home full time, accounting for more than two-thirds of all U.S. economic activity.
Once the crisis subsides, employees will continue to work remotely in some form and use collaboration tools. We'll share more data, on more machines, with more people than ever. And that’s good. More information usually leads to faster decisions, better outcomes, and more successful organizations. But it can also lead to problems when companies are not properly prepared. As companies use collaboration tools, the potential for breaches increases and data spills become harder to detect.
With a remote workforce, companies now have a much more difficult insider threat problem to manage. Employees who might be tempted to steal intellectual property and take it to their next job are more likely to do so when they feel like nobody's watching. In Code42's February 2020 research, nearly one-third of the 5,000 knowledge workers we surveyed said they used cloud-based collaboration services to exfiltrate data from their employers.
A bigger problem may be inadvertent breaches caused by a lack of clear policy guidelines, insufficient training, or human error. Just last year, nearly 100 companies were found leaking sensitive information online because their employees had misconfigured their Box.com sharing settings.
By making the Box folders publicly accessible, these employees unwittingly exposed social security and bank account numbers, employee names and addresses, project proposals, design prototypes, and financial and customer data. Until they were contacted by security researchers, the companies had no idea this information was accessible to anyone who had (or could guess) the right URL.
Security professionals navigating this brave new world of remote collaboration need to focus on the three “T”s of insider risk management: transparency, training and technology:
- Transparency. People want to work for a company that’s transparent and trustworthy. It’s important to tell employees exactly what the company does to monitor for insider risk. If the organization monitors endpoints to look for data that’s leaving the enterprise, companies need to tell employees this. Make sure they understand that the company trusts them, but that corporate IT will verify that they are living up to their obligations.
- Training. Companies want employees to use collaboration platforms intelligently and in line with corporate policy. That means the company needs to first establish a well-thought-out policy, and then teach team members the right ways to handle data. So the next time Bob decides to share a company file on Dropbox, the IT staff can email him a video demonstrating how to use OneDrive, the corporate sharing tool. Also, remind employees that work they create for the company will remain company property. If a John Deere employee builds a tractor while working for John Deere, she knows the tractor must stay when she leaves the company. The same holds true for the software that runs the tractor. The company also owns the software because it paid the engineer to write the code.
- Technology. Even with the best training programs and consistent transparency, there are still risks to company data from the actions of insiders. Companies need technology to verify that the team abides by the company’s policies and is not downloading lots of data at odd hours of the day and saving it as ZIP files on thumb drives. The organization needs an automated way to detect when data gets moved in anomalous ways and then flag those events for further scrutiny.
With a highly collaborative and remote workforce, companies need to deploy technology that tracks all data movements, but doesn’t block people from accessing and sharing data they need to do their jobs. The technology will also need to easily direct employees back to the training they need when they go astray, and to work easily with HR and legal to build a case if the intent of the employee was malicious.
Technology such as the data loss prevention tools designed 10 years ago cannot solve today’s problems. Legacy security products are not effective in this new cloud-based, work-from-anywhere environment. Companies don’t want to keep their employees from sharing data, but they can’t fly blind to where their data resides either.
We need a new approach. By encouraging collaboration while keeping a closer eye on data, we may yet emerge from this crisis with our sanity – and security – intact.
Joe Payne, president and CEO, Code42