So far this year, the majority of data loss incidents have had one thing in common: they revolved around third party data breaches. It’s certainly not a new risk vector, but in our hyper-collaborative economy, it’s rapidly rising in its significance.
Whether you’re in financial services, telecommunications, manufacturing, or Hollywood, your greatest risk to data loss occurs when content moves outside of your direct control. But, we can’t afford to stop collaborating. What companies need is a way to keep control over this valuable information without paralyzing their ability to do business.
In other words, it’s time to rethink the way companies address vendor security. As more stringent data protection regulations go into effect (GDPR, the New York DFS cyber-security requirements, etc.), it will be up to every company to keep pace. Companies need strong preventative controls that protect their data as it leaves their hands, especially when it’s stored with third parties. The bigger, stronger walls we’ve built are excellent at keeping attackers out, but they can’t protect data we’ve entrusted with others.
But, by applying security and identity-based access controls directly to the data, companies can mitigate the risk of human errors that occur when employees accidentally autocomplete an external email address, forward a file they shouldn’t, or move sensitive data off of controlled systems. While people will always be a weak link in the information security process, by applying encryption to sensitive data by default and setting automated policies and controls, IT can take the human decision making out of the security equation.
To accomplish this task, we’ve compiled five recommended practices that can help organizations move to a more proactive, data-centric security model.
First, take a data-centric approach
By taking a data-centric approach, organizations can enable their employees to confidently collaborate freely with whomever they choose, all while ensuring the highest levels of security, visibility and control.
Encrypt more data by default
Another mistake companies make is putting complete trust into their employees to do the right things. Let IT make it easy for them and set policies that will automatically be applied when data is created or shared externally.
Plan for auditing and compliance now
With all the new regulations in the US and abroad, almost all companies are now required to provide a paper trail or audit log of what happens to their data. While it’s a requirement, taking steps to plan for these audits today will make you incredibly prepared in the event of a third party data breach. When you can see who has tried accessing your data, and where, you can mitigate the risk of having to issue a notification, and can take steps to minimize future issues.
Make identity a central component of security
Tying access control to identity gives you control over who has access to your data by making users authenticate to you directly using an email alias. This can prevent forwarding information to unauthorized users or accidentally fat-fingering an email address. Giving data owners the ability to control who can access your data and limit what they can do with it once it’s accessed provides an extra layer of security.
Don’t just monitor: take direct control of your data
In the event of a third-party data breach, or if your data accidentally finds itself in the wrong hands, you need to be able to kill access to it at a moment’s notice. No matter how high or how strong we build protective barriers, we’re always going to be at risk of a breach, and a hacker’s biggest win is gaining access to your data. Proactively locking down any data they may get their hands on is a huge advantage.
By taking a data-centric security approach, you can protect your team against data loss, even for files that have left your physical control. Moreover, you can proactively prevent unauthorized access, and track precisely who should (and who should not) have access to your data. This approach will let you secure files and communications throughout their entire lifecycle, and you’ll be confident that even if your data is sent externally, you can still verify that it was used appropriately.
To see how VERA is helping companies across the Fortune 1000 tackle these issues and how you can adapt your team to a more data-centric strategy, check out our Definitive Guide to Data Security.