Protect Your Sensitive Content With These Ten Best Practices
Organizations are under constant attack by bad actors trying to access sensitive information like PII, PHI, and IP. Your third-party workflows, the channels your employees use to share confidential information with trusted external parties like lawyers, customers, and partners, are a gateway leading straight into the heart of your enterprise.
These external workflow threats have a common theme: a user is the actor, and a file is the agent. Complete protection requires a defense that spans the full breadth of the associated threat surface: the collective paths of all files entering and leaving your organization. A comprehensive defense entails securing, monitoring, and managing all third-party workflows, including secure email, SFTP, and secure file sharing, among others.
In this post, the first in a series, I’ll provide an overview of the common external workflow threats and the key strategies CISOs must employ to avoid a data breach. Employ these ten best practices to protect your sensitive content and ensure bad actors stay out of your business. Subsequent blog posts will focus on each individual sensitive content best practice.
Sensitive Content Protection Best Practice #1:
Build a CISO Dashboard to Visualize the Threat Surface
You can’t defend what you can’t see. A CISO Dashboard lets you visualize who is sending what to whom. Once you have the data, you can create a clear picture of the threat surface with real-time visualizations that answer the most important security questions about the sensitive information entering and leaving the organization.
Sensitive Content Protection Best Practice #2:
Secure Third-party Communication Apps
Limit threats to your third-party workflows with a secure outer perimeter around the applications you’re already using. Secure and restrict access to the web, mobile, office and enterprise apps that enable file sharing. Limit these to an approved set of apps, and block the installation and use of unauthorized file sharing applications.
Sensitive Content Protection Best Practice #3:
Make Secure Third-party Communication Easy for Users
You must make third-party communication secure, but also make it easy to use. Secure plugins that connect to Salesforce, G Suite, Oracle, Microsoft Office and other enterprise apps empower employees to use the systems and apps they already use, but with added security and governance capabilities. Sending, receiving, saving, and retrieving files should be very simple to ensure compliance without compromising productivity.
Sensitive Content Protection Best Practice #4:
Unify Access to Enterprise Content Repositories
Unified enterprise content access to on-premises ECM systems like SharePoint or OpenText, and cloud storage systems like Box, Dropbox, and OneDrive, reduces complexity and provides an internal security checkpoint to protect your most sensitive information. If these systems can be accessed without requiring a VPN, even better.
Sensitive Content Protection Best Practice #5:
Maintain Control of Your Most Sensitive Content
Resist the siren song of the public cloud. The allure of cost savings and efficiency gains is quickly forgotten once your organization’s most sensitive information is exposed by a misconfigured S3 bucket or a blind subpoena by law enforcement. You’re better off keeping your sensitive content safe and private with a hybrid cloud deployment or on-premises where it’s completely in your control.
Complete protection from data breaches, cyber attacks, and compliance violations requires defending the entire threat surface: the collective paths of all files entering and leaving your organization. [source: Accellion secure content communication platform]
Sensitive Content Protection Best Practice #6:
Encrypt Content in Transit and at Rest
The simplest way to protect your sensitive content is to encrypt it at every level, from physical data storage to network communications. Powerful data encryption in transit and at rest makes your valuable content worthless to everyone but you. If you store confidential documents on the public cloud, make sure you can bring your own encryption keys.
Sensitive Content Protection Best Practice #7:
Strengthen Security and Governance with Metadata
Sometimes it’s necessary to go beyond user and file privileges and encryption keys to protect your data at rest. Use transfer metadata such as sender, receiver, origin, destination, time of transfer, and content sensitivity to strengthen security and maintain governance as your data enters and exits the enterprise. You protect your external workflows when you have detailed information about them.
Sensitive Content Protection Best Practice #8:
Bring All Security Infrastructure to Bear
Infrastructure and endpoint security investments like firewalls and multi-factor authentication won’t guarantee your information stays secure because they don’t monitor and inspect every external file transfer. Security infrastructure integrations with your existing solutions including 2FA/MFA, LDAP/SSO, ATP, and DLP let you secure your organization on all fronts while maintaining complete visibility over all sensitive information as it moves through the enterprise.
Sensitive Content Protection Best Practice #9:
Develop Heuristics to Detect Anomalous Activity
Know who your organization does business with and what kinds of sensitive information are shared. If you see any aberrant activity that contradicts normal file sharing behavior – excessive file downloads by a single employee for example – you may have stumbled upon a potential breach or attack. Develop benchmarks and processes to identify and stop any potentially malicious activity.
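One way to turn the "excessive file downloads by a single employee" heuristic into a benchmark, shown as an added example that is not code from the original post or from any product it mentions. The record layout, user names, and thresholds are assumptions, and the sample transfer log is constructed.

```python
from collections import defaultdict
from statistics import median

def build_sample():
    """Constructed transfer log: (day, user, action, sensitivity) tuples."""
    rows = []
    normal = {"alice": [4, 5, 3, 6, 4], "bob": [10, 12, 9, 11, 10], "carol": [2, 1, 2, 3, 2]}
    for user, counts in normal.items():
        for day, n in enumerate(counts, start=1):
            rows += [(f"2024-03-{day:02d}", user, "download", "confidential")] * n
    # Day 6: carol pulls far more files than her own history suggests.
    for user, n in (("alice", 5), ("bob", 13), ("carol", 40)):
        rows += [("2024-03-06", user, "download", "confidential")] * n
    return rows

def daily_counts(rows, action="download", sensitivity="confidential"):
    """Count matching transfers per user per day."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, act, sens in rows:
        if act == action and sens == sensitivity:
            counts[user][day] += 1
    return counts

def flag_anomalies(rows, check_day, k=5.0, min_excess=5):
    """Flag users whose count on check_day exceeds their own benchmark:
    median of earlier days plus the larger of k * MAD and min_excess."""
    alerts = []
    for user, per_day in daily_counts(rows).items():
        history = [n for d, n in per_day.items() if d < check_day]
        if len(history) < 3:  # too little history to benchmark this user
            continue
        base = median(history)
        # Median absolute deviation; fall back to 1.0 for very steady users.
        mad = median(abs(n - base) for n in history) or 1.0
        threshold = base + max(k * mad, min_excess)
        today = per_day.get(check_day, 0)
        if today > threshold:
            alerts.append((user, today, base, threshold))
    return sorted(alerts)

if __name__ == "__main__":
    for user, today, base, threshold in flag_anomalies(build_sample(), "2024-03-06"):
        print(f"ALERT {user}: {today} downloads (baseline {base}, threshold {threshold})")
```

Because each user is measured against their own history, bob's 13 downloads pass while carol's 40 are flagged, which a single organization-wide limit would not distinguish as cleanly.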
Sensitive Content Protection Best Practice #10:
Block Breaches and Malicious Attacks Automatically
Detection and resolution are the keys to securing your most sensitive information and mitigating the impact of malicious attacks. Leverage visibility, governance, and threat detection capabilities to automate your incident response efforts. If done effectively, CISOs and their security teams stop threats before any sensitive content is lost, kill any unusual file transfers before they start, and isolate malicious files before they reach the enterprise.
These ten sensitive content protection best practices empower CISOs to defend the external workflow threat surface. As a result, they prevent a cyber attack or data breach, avoid a compliance violation or stiff fine, and keep their jobs.
In the next post, I’ll discuss how seeing every file entering and leaving your organization provides critical visibility and traceability of all third-party workflows.