Balancing collaboration with risk

I work with a large number of enterprises across the APAC region who are facing a daily battle - how do they provide the business the capability they require, the ability to share data, without causing a risk, revenue or reputational issue?

I ran a webinar on this exact topic yesterday.

Security must start with the data first

Why is an attacker hitting your endpoint? Your network devices? Are these devices the ultimate target? Or are they just a means to an end?

Attackers want your data. Think of your data as the gold in a bank vault - no one is robbing a bank to steal the pens. We know that attackers are more motivated and sophisticated than ever. Attacks are more targeted and happening faster - the average duration of an attack dropped nearly 95% between 2019 and 2021. Attackers specifically intend to steal your data so they can extort you, or at least cause significant reputational harm.

Attackers aren’t just your traditional cybercrime groups; they are also insiders, either malicious or negligent. Insider threats are occurring at far higher rates than ever before, and causing significant reputational and revenue impact. The average annualised impact of insider threats has risen 85% in the last two years. And we know that malicious insiders deliberately and covertly steal data using their levels of access.

Protecting your endpoints and your network is absolutely critical, but it's not the entire story. In fact, it shouldn't be the primary mechanism of defense. If the data is the ultimate goal, why not protect that first? You can't catch what you can't see, so you can't detect a threat unless you're watching the actual target of that threat - the data.

If you use these new collaboration systems, which are built from the ground up in order to encourage your users to share data fast, you potentially put that data at risk if you aren't otherwise securing the data. You are delegating access control of that data down to your users. And let me put it bluntly - your users are expecting IT security to have solved this problem. They expect you to have technical controls in place to ensure the right levels of access.

What is data first security?

Fundamentally it means flipping the traditional "outside-in" security approach on its head. This traditional approach assumed many things, like high walls and strong perimeters, and these things have changed dramatically over the past few decades. A massive shift was already happening in this space through the 2010s, then COVID was the final straw. The network perimeter can no longer be considered a strong security boundary.

To use the bank analogy again, banks are incredible at detecting fraud. If my credit card is compromised, I can expect a phone call very quickly to alert me. The way that banks have become so skilled at detecting this behaviour is because they watch the money, the transactions. Think of your data the way the bank thinks about their money, and watch it relentlessly.

When I say data first security, I literally mean thinking of the challenge of enterprise security from the lens of the data first.

Can you answer these three questions about your data?

Where is my most sensitive data located, and how sensitive is it?

Do only the right people have access to this data?

Is the data being used appropriately?

I'd argue that an honest assessment of these questions is absolutely critical to any enterprise that holds valuable data and wants to take advantage of the new world of collaboration. Ask yourself these same questions before a move to a new collaboration system; it will give you some real insights into your actual risk posture.

It's actually quite simple to achieve this, if you put the data first. There are three lenses you need to use to look at your data to ensure you are protecting this asset like a bank protects their money.

Access

Who has access to my data? Is it the right level of access? Does the entire organisation have access, or has my data been shared out to the entire internet?

Usage

How is my data being used? Who is creating, accessing and modifying my content? What time of day is it happening, and from where?

Sensitivity

What's the classification of my data? Is my data protected by regulatory controls? Is it market sensitive?

Summary

Without considering these three lenses into your data, it's extremely difficult to quantify and manage risk. If you don't know the sensitivity, how do you prioritise?

If you don't know the usage, how can you actually move towards a zero trust, or least privilege model?

If you don't know accessibility, you can't possibly understand the risk. The most sensitive content in my whole enterprise isn't at large risk if only a handful of the right people can access it, but moderately market sensitive information can cause a huge problem if the entire organisation can access it.
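The prioritisation argued above can be made concrete with a small triage script. This is an added example, not part of the original article: the weights, the 90-day idle threshold and the inventory records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed weights for two of the lenses; tune them to your own classification scheme.
SENSITIVITY = {"public": 0, "internal": 1, "market-sensitive": 2, "regulated": 3}
REACH = {"named-users": 1, "team": 2, "organisation": 4, "anyone-with-link": 8}

@dataclass
class Item:
    path: str
    classification: str   # sensitivity lens
    scope: str            # access lens: how widely the item is shared
    granted: set          # access lens: principals who can open it
    last_used: dict       # usage lens: principal -> date of last access

def exposure(item):
    """Sensitivity multiplied by reach, so wide sharing outranks raw sensitivity."""
    return SENSITIVITY[item.classification] * REACH[item.scope]

def stale_grants(item, today, max_idle_days=90):
    """Principals with access they have not used recently: least-privilege candidates."""
    return sorted(p for p in item.granted
                  if p not in item.last_used
                  or (today - item.last_used[p]).days > max_idle_days)

def triage(items, today):
    """Highest exposure first; ties broken by path for a stable report."""
    rows = [(exposure(i), i.path, stale_grants(i, today)) for i in items]
    return sorted(rows, key=lambda r: (-r[0], r[1]))

# Constructed inventory (paths, principals and dates are made up).
TODAY = date(2023, 1, 31)
RECENT, OLD = date(2023, 1, 20), date(2022, 6, 1)
INVENTORY = [
    Item("/finance/board-pack.xlsx", "regulated", "named-users",
         {"ceo", "cfo"}, {"ceo": RECENT, "cfo": RECENT}),
    Item("/sales/q3-forecast.xlsx", "market-sensitive", "organisation",
         {"all-staff", "sales-lead"}, {"sales-lead": RECENT}),
    Item("/hr/salary-review.docx", "regulated", "team",
         {"hr-a", "hr-b", "contractor-x"},
         {"hr-a": RECENT, "hr-b": RECENT, "contractor-x": OLD}),
    Item("/marketing/brochure.pdf", "public", "anyone-with-link", {"anyone"}, {}),
]

if __name__ == "__main__":
    for score, path, stale in triage(INVENTORY, TODAY):
        print(f"{score:>2}  {path:<28} unused grants: {', '.join(stale) or '-'}")
```

In this constructed inventory the organisation-wide forecast ranks above the tightly held board pack, and the unused grants column lists the access that could be removed first.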

And if you’re not putting data at the forefront of your security posture, you’re not protecting the thing the attackers, or the insiders, are really after.

I want you to take advantage of the incredible offerings that modern collaboration systems bring us. The ability to work from anywhere, with anyone, on any device. The ability to share data within teams, between teams, and between organisations. But I want it to happen safely, and that means you must start with the data first.

Reach out if you'd like to talk further about data first security.

Boris Rousak

Senior DevOps Engineer at xAmplify

2 years

Thank you Mitch. Insightful as always!!! I'd argue there is one more angle that often gets overlooked: whose job is it to ask the 3 questions you posited? The common wisdom "security is everyone's business" is fine, but surely we all understand that from, say, an HR point of view the most important "data" will be different than from, say, accounting, to say nothing of the CxOs. What I am trying to say is - organizations need to start conducting regular conversations from the top all the way down and asking everyone to start contemplating the "business criticality" of data that people work with and produce. Then and only then can we start having a holistic conversation about what data need what level of protection.

Scott Leach

VP of APAC @ Varonis | We protect data

2 years

Love it Mitch!