If It’s Broken, Then Fix It. Can We Use Some Common Sense?
I think you may be aware by now that ‘negligent users’ are very often responsible for data security breaches. Other reasons for breaches are the lack of a security culture, users sharing passwords, and malicious insiders. These causes occur in organizations of every size and industry, which indicates that all organizations share the same frustration with user risk. But – and here I sound like a broken record – how many organizations conduct security training on a regular basis?
Users are part of the attack and the defense strategy, which illustrates the need for ongoing training and establishing a security awareness culture. The goal is to get users to stop entertaining phishing scams, clicking on suspect links, opening dubious documents, and providing credentials to fake websites. Unless users are involved and trained, this insider risk will remain a key concern. If you don’t feel anyone in your organization is capable of creating a training module, there are companies that will do it for you, or you can put together a plan using online tools and recommendations.
Then we come to the ‘no budget’ refrain. Everyone is concerned about security, internal and external, yet no one is willing to pay for it and solve most of the problems – sorry, you will never solve all the problems relating to end users. I find this absurd. People bemoan their lack of budget. I am in marketing. Don’t you think some of my initiatives have no budget? Even though this falls outside the primary role of the IT department, a return on investment and value proposition can be quantified easily.
OK, you have a scenario where ‘end user clicks on malicious link = average cost of data breach is $3.86 million.’ Hey, training is cheap. I would hope that you spend a tad more time explaining the ramifications of a data breach, such as permanent loss of business, brand damage, decreased stock value, technical investigations and recovery, legal and regulatory activities, and lost reputation – feel free to add more.
A significant obstacle with most software solutions is the challenge of prevention, as the identification process does not typically take place in real time. So when a vulnerability is identified, it is usually too late to prevent the breach. For example, when using OneDrive for Business in the SharePoint Online Office 365 environment, 17.4 percent of new content uploaded every month contains compromised data. Unless it is identified and undergoes appropriate disposition, the content retains the potential for data breaches, and the quantity of compromised data increases exponentially.
Although some security applications provide the ability to recognize industry-standard descriptors, such as social security or credit card numbers, not all address other sensitive and confidential information that an organization does not wish to share, such as financial records, new product specifications, and pre-published stockholder information. Don’t forget privacy data, which can exist anywhere. Most vendors rely on regular expressions, but their capabilities are limited, and creating them requires expertise. Vendors offer these as the solution but, in reality, they are not.
The Concept Searching approach is fully customizable and identifies unique or standard privacy descriptors. Content is automatically meta-tagged and classified to appropriate nodes in a taxonomy, based upon the presence, or absence, of the descriptors, phrases, or keywords from within the content.
Once tagged and classified, the content can be managed in accordance with regulatory or government guidelines. The identification of potential information security exposures includes the proactive identification and protection of unknown privacy exposures before they occur, as well as monitoring organizationally-defined vocabulary and descriptors in content in real time, as it is created or ingested.
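As an added illustration of the two points above (regex-only descriptors are limited, and content is tagged to taxonomy nodes by the presence or absence of descriptors and vocabulary), here is a small Python classifier that is not Concept Searching's code: it pairs a 16-digit card regex with a Luhn check so that a look-alike such as a tracking number is not tagged, and maps organization-defined phrases to a hypothetical taxonomy node. The documents, regex patterns, vocabulary and node names are all constructed for the example.

```python
import re

# Constructed sample documents (not from the page), keyed by file name.
DOCS = {
    "invoice.txt": "Customer card 4111 1111 1111 1111 billed for Q3; call 555-0100.",
    "hr_note.txt": "Employee SSN 123-45-6789 updated in the payroll system.",
    "tracking.txt": "Shipment tracking 1234 5678 9012 3456 left the warehouse.",
    "roadmap.txt": "Project Falcon spec v2 attached. Embargoed until launch.",
}

# Industry-standard descriptors: 16 digits with optional separators, and the SSN layout.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Organization-defined vocabulary (hypothetical): taxonomy node -> phrases/keywords.
VOCAB = {
    "Confidential/ProductSpecs": ["project falcon", "embargoed"],
}

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; rejects most 16-digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def card_candidates(text: str) -> list:
    """What a regex-only scanner would flag: every 16-digit run, separators stripped."""
    return [re.sub(r"\D", "", m.group()) for m in CARD_RE.finditer(text)]

def classify(text: str) -> list:
    """Return the sorted taxonomy nodes a document belongs to, or [] if none apply."""
    nodes = set()
    # The regex finds candidates; the Luhn check drops look-alikes such as tracking numbers.
    if any(luhn_valid(c) for c in card_candidates(text)):
        nodes.add("Privacy/PCI/CardNumber")
    if SSN_RE.search(text):
        nodes.add("Privacy/PII/SSN")
    lowered = text.lower()
    for node, terms in VOCAB.items():
        if any(term in lowered for term in terms):
            nodes.add(node)
    return sorted(nodes)

def classify_all() -> dict:
    """Tag every constructed document; untagged ones map to an empty list."""
    return {name: classify(text) for name, text in DOCS.items()}
```

Calling `classify_all()` tags the invoice as a card-number exposure and the HR note as an SSN exposure, while the shipment document, which a regex-only scanner would flag, is left untagged.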
Our solution also addresses compliance with General Data Protection Regulation (GDPR), payment card industry (PCI), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), and more.
May I suggest you request a demo for you and your colleagues? Seriously, let us know when it would be convenient for you.