Last week I had the opportunity to attend an event on 3rd party data security and risk. Throughout the event, I talked with folks from many different industries and in many different roles. I spoke with auditors, general IT managers, storage administrators, CIOs, and of course, security professionals.
What is the Top Priority for Reducing Risk?
Everyone shared one common concern:
How can we reduce risk and protect our clients’ data?
One executive was asked, “Which area would you consider your number one priority for reducing risk?” His decisive answer was that, of all the areas of risk his massive enterprise faces, priority number one is unstructured data security.
This shocked me a bit at first, but when you think about it, it makes perfect sense. According to Gartner, unstructured data accounts for more than 80% of all organizational data, and it’s growing approximately 50% every year.
Even data that is normally stored in databases or apps is regularly being dumped into spreadsheets for analysis, PowerPoint slides for presentations, PDFs for reading, and email for sharing between teams.
When you think about it this way, it becomes very easy to see why unstructured data is the highest risk area for many IT departments.
Compliance and Regulations
In addition to the intrinsic motivation for securing unstructured data, external regulations such as SOX, HIPAA, and PCI are forcing organizations to put processes in place to ensure the protection of 3rd party data. Unfortunately, most organizations don’t have an efficient and affordable way to put these controls in place and prove that they’re being enforced.
An auditor I spoke with mentioned how difficult and time-consuming it is to perform attestations, and how, for most companies, entitlement reviews are manual and painful processes that don’t really accomplish the end goal of protecting data.
Where Do We Begin? A 5 Step Guide
If you are trying to start a risk management project in your organization, here are some actionable ideas on what to focus on:
1. Identify your most valuable assets
All 3rd Party data is valuable. Our clients trust us to manage and protect all of it. But it is critical to pick a starting point. To do this, talk with data owners and key stakeholders to find out which types of data are the most sensitive or most valuable.
2. Locate your most valuable assets
You can’t protect sensitive data if you don’t know where it resides. Is it in the CEO’s mailbox? Is it propagated across all your Windows file servers and NAS devices? In order to do this at scale, you’ll need a data classification framework that can scan files on your network for sensitive content indicators.
3. Identify where sensitive data is overexposed
You probably found a ton of high value data in step #2. Now you have to figure out who can access that data and prioritize data sets that are wide-open to everyone.
Many of us, when we move to a new home, tend to change the locks. Why? Because we don’t know who has had a key in the past – the owners, realtors, past owners, builders? This represents a big risk for us and our families.
The same principle applies with 3rd party data. We need to identify who can access it, and what type of access they have. Then we can identify which data is overexposed, and where permissions need to be tightened up and assigned owners.
4. Monitor Data Access
As my good friend @rsobers says: Context is king. Part of reducing risk is monitoring who is actually accessing the data and what they are doing with it. If we’re constantly monitoring access, we can identify patterns in user behavior and alert when suspicious activity occurs. And if we store the audit data intelligently, we can use it for forensics, help desk, and stale data identification.
5. Use Automation
Are you ready to implement steps 1-4? Do you have an army of IT staff with nothing planned for the next 50 years? Luckily, that won’t be needed. You can use automation to identify the most critical data, understand who can access it, and monitor what they’re actually doing with it.
By leveraging automation to provide your security intelligence dashboard, you can spot problems and then use automation (again) to simulate changes and automatically execute the remediation.
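To make steps 2 and 3 concrete, here is a small added example (not code from the original post or from Varonis) that walks a share, flags files containing sensitive-content indicators, and ranks the ones readable by everyone first. It assumes POSIX-style permissions, using the "other" read bit as a stand-in for an Everyone grant on a Windows share, and builds its own constructed sample tree so it runs offline.

```python
import os
import re
import stat
import tempfile

# Constructed, illustrative indicators; a real classification framework
# would use many more patterns plus validation (e.g. Luhn checks).
INDICATORS = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
}

def classify_file(path):
    """Step 2: return the set of indicator names found in a file's text."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        text = fh.read()
    return {name for name, rx in INDICATORS.items() if rx.search(text)}

def is_world_readable(path):
    """Step 3: 'other' read bit as a stand-in for an Everyone grant (assumes POSIX)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def scan_tree(root):
    """Walk root, keep files with sensitive indicators, overexposed ones first."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            hits = classify_file(path)
            if hits:
                findings.append({"path": os.path.relpath(path, root),
                                 "indicators": sorted(hits),
                                 "world_readable": is_world_readable(path)})
    return sorted(findings, key=lambda f: (not f["world_readable"], f["path"]))

def build_sample_tree():
    """Constructed sample share: one overexposed SSN file, one locked-down card file, one harmless file."""
    root = tempfile.mkdtemp(prefix="share_")
    samples = {
        "hr/payroll.csv": ("name,ssn\nAlice,123-45-6789\n", 0o644),
        "finance/refunds.txt": ("refund to 4111 1111 1111 1111\n", 0o600),
        "notes/readme.txt": ("team lunch is on Friday\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root
```

Calling `scan_tree(build_sample_tree())` returns the two sensitive files with the world-readable payroll file first; the harmless readme produces no finding.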
There you have it! Go forth and protect your customers’ data! Oh, and by the way, there’s a 6th step that doesn’t require IT involvement at all. Ask us about it.
Are you curious to see how your company measures up? Get a free data protection assessment. We’ll scan your infrastructure for holes and help you plug them with automated data protection and management software from Varonis.
Photo credit: http://www.flickr.com/photos/fayjo/