Why data governance needs automation
Platforms like Microsoft Teams, Dropbox, Google Drive, Box, or Office 365 are great for sharing documents and can be really useful for team collaboration. But without the right measures in place it can be difficult to track where your data is being shared, by whom, when and why.
Typically, files are shared 44 times more often than their access is revoked. This leads to a spiral of out-of-control data. In their 2019 report, Varonis reported a ten-fold increase in the number of shared files from the previous year. With the increased levels of homeworking in 2020 and beyond, there will consequently be an unprecedented rise in this level of sharing, the unintended consequence of which could be a data breach.
Even before the current Covid-19 crisis, online crime accounted for half of all property crime in the UK (Anderson et al, WEIS, 2019). The costs are phenomenal; estimated at over $1.5tn per year globally (RiskIQ, 2019). Data breaches are a significant problem – providing criminals with personal account and log-in details and with information to commit fraud and further crime. This information includes personal details, intellectual property, financial and commercial information, human resources, legal, accounting and contractual information, and governmental business.
It’s evident that from now on, we need to establish and enforce clear data governance policies and empower business users to control file sharing and avoid data breaches. Due to the spiralling volume of files this can only be done through automation.
In this paper we will take a closer look at the current volume and associated risks of internal sharing and how automation can mitigate both the volume and impact of consequent data breaches.
Internal actors are a key source of data breaches
Of all information security threats, the ‘insider’ security threat usually isn’t the image that people’s minds go to first. Teenage hackers or offices full of reclusive geniuses, hacking away at the behest of their government maybe, but the costliest form of information security incident is none of these things. It is the incidents caused by regular, everyday staff members, acting mainly accidentally or oblivious to the damage they could cause by their actions, or lack thereof.
The insider security threat tends to occur at a granular level, one document at a time – not entire systems or networks at a time. This means that effective solutions (and useful conversations about them) are much closer to the business than they are to the IT teams responsible for technology. Our most vulnerable systems are those which store the documents – our collaboration, cloud storage and file sharing systems such as Microsoft 365, Sharepoint, FileShares or Microsoft Teams.
And insider incidents have a much higher likelihood of actually occurring, and often go undetected for months. Our tendency to focus on stopping ‘the big incident’ overlooks the fact that the sum total impact of the smaller incidents, occurring on a regular basis, can have a far greater negative impact on the business.
/ When we talk about the ‘insider’ we’re talking about regular, every day staff members working in the business. We’re also talking about external partners with whom information is shared.
/ In the first half of 2019 there were over 3,800 data breaches, exposing over 3.1billion records (RiskBased, 2019).
/ Approximately 35% of breaches involve internal actors
/ Yet on average companies have over 14,600 folders containing sensitive information open to every employee
/ 51% of companies found over 100,000 folders open to every employee (Varonis 2019)
/ 22% of folders were open to every employee (Varonis 2019)
/ 17% (117,317) of all sensitive files were accessible to every employee (Varonis 2019)
/ Only 5% of that information is properly protected (Verizon, 2020)
/ Shred-it’s 2019 Data Protection Report found that 43% of C-Suite executives (C-Suites) and 8% of small business owners (SBOs) admitted their organization had suffered a data breach. Of those organizations that have suffered a data breach, C-Suites and SBOs cite human error or accidental loss as a main cause for the breach – whether by an external source or by an employee/insider.
Updating permissions is now too voluminous to do manually
/ In 2019 every employee had on average access to over 17 million files (Varonis 2019)
/ 53% of companies found over 1,000 sensitive files exposed to all employees – up from 41% in the year previous (Varonis 2019)
/ 51% of companies found over 100,000 folders open to every employee
/ 58% of companies found over 1,000 stale user accounts
/ 53% of data, on average, was stale
/ It can take 6-8 hours of work, by an IT professional, per folder to update permissions (to locate and manually remove global access groups, identify the users that need access, create and apply new groups, and subsequently populate them with the right users)
Combine the amount of time required to update a folder with the volume of files out there and it’s easy to see that businesses have applied permissions to more files than any team of IT professionals can manage manually. This leaves businesses extremely vulnerable to data breaches and it’s only going to get worse.
This is where automation is key. The Torsion platform does this automatically, updating past, current and future permissions. It simply monitors data permissions in the background and prompts a business user if it finds something it’s not sure about. Updating permissions is no longer a function for the IT department.
The effect of Covid-19 and increased homeworking
In a new report by IBM, remote work during COVID-19 was expected to increase data breach costs and incident response times.
Of organizations that required remote work as a result of COVID-19, 70% said remote work would increase the cost of a data breach and 76% said it would increase the time to identify and contain a potential data breach.
Having a remote workforce was found to increase the average total cost of a data breach of $3.86 million by nearly $137,000, for an adjusted average total cost of $4 million.
COVID-19 has had a huge impact on the way we work and increased reliance on external cloud applications and collaborative working. Simply by increasing the number of files that are shared, the chances of a breach also increase. The number of shared files spirals out of control as there are typically no processes or automation to revoke access once it is no longer needed.
Because of the coronavirus furlough scheme, businesses have also had to re-assign responsibilities, take on temporary staff and/or flex their workforce wherever needed.
Granting temporary access to internal data, within a collaboration platform such as Teams or Sharepoint can often be a logistical headache: first establishing who needs access to what information; then updating permissions manually; and finally revoking that access once it is no longer needed. There can often be a period of a couple of weeks where employees can’t do their job as they don’t have access to the information they need. If access is not revoked when the temporary roles end, it leads to out of control access and potential security breaches.
Within the Torsion platform, businesses can grant temporary access to files and folders for a set period of time. Torsion automatically works out what information a team member might need, in addition to their existing permissions, and grants them access for a fixed number of days. At the end of the period the access is automatically revoked.
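The time-boxed grant model described above, as an added illustration that is not Torsion's code: a constructed ledger of access grants where each grant records who, what, why and when (the audit trail), time-limited grants are revoked automatically by a sweep once their period ends, and sensitive folders still open to an all-employee group are flagged for their owner. Group names, folder paths and dates are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed: names that stand for "open to every employee" style groups.
GLOBAL_GROUPS = {"Everyone", "All Employees", "Authenticated Users"}

@dataclass
class Grant:
    principal: str           # user or group receiving access
    folder: str
    reason: str              # why access was granted, kept for the audit trail
    granted_on: date
    days: Optional[int]      # None = standing access, otherwise time-boxed

    def expires_on(self):
        return None if self.days is None else self.granted_on + timedelta(days=self.days)

@dataclass
class Ledger:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # (date, action, who, folder, why)

    def grant(self, principal, folder, reason, on, days=None):
        g = Grant(principal, folder, reason, on, days)
        self.grants.append(g)
        self.audit.append((on, "grant", principal, folder, reason))
        return g

    def sweep(self, today):
        """Revoke every time-boxed grant whose period has ended and log it."""
        keep, revoked = [], []
        for g in self.grants:
            exp = g.expires_on()
            if exp is not None and today >= exp:
                revoked.append(g)
                self.audit.append((today, "revoke", g.principal, g.folder, "period ended"))
            else:
                keep.append(g)
        self.grants = keep
        return revoked

    def global_exposures(self, sensitive_folders):
        """Sensitive folders still open to an all-employee group, to raise with the owner."""
        return sorted({g.folder for g in self.grants
                       if g.principal in GLOBAL_GROUPS and g.folder in sensitive_folders})

def demo():
    """Constructed scenario: furlough cover starting 1 June 2020 with 14- and 30-day grants."""
    led = Ledger()
    led.grant("Everyone", "/Finance/Payroll", "legacy share", date(2020, 1, 10))
    led.grant("temp.cover", "/Finance/Payroll", "furlough cover", date(2020, 6, 1), days=14)
    led.grant("temp.cover", "/HR/Contracts", "furlough cover", date(2020, 6, 1), days=30)
    revoked = [(g.principal, g.folder) for g in led.sweep(date(2020, 6, 15))]
    remaining = [g.folder for g in led.grants if g.principal == "temp.cover"]
    return revoked, remaining, led.global_exposures({"/Finance/Payroll", "/HR/Contracts"}), len(led.audit)
```

Running the sweep on 15 June revokes only the 14-day grant, leaves the 30-day one in place, and still reports the legacy "Everyone" share on the payroll folder as an exposure to be certified or revoked by its owner.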
Peter Bradley of Torsion says: “Organisations are having to react to highly transient workforces and different ways of working at this time. Only with automation will businesses be able to stay in control of their data and act swiftly to ensure their teams have appropriate access without compromising their data security.”
When it comes to sharing files and compliance, you can’t just implement collaboration platforms such as Teams or Office 365 without implementing data governance policies.
But once you have communicated the policies and practices, how do you police them? You can’t stand behind your business users to make sure they are classifying the data correctly even when they are in the office. It is even less plausible to do it when your business users are working from home. And you can’t expect your IT team to do this within their role either.
The goal is to create a clear audit trail of who’s got access to which data, why and when with minimum resources. To achieve this you have to rely on an element of automation.
Peter Bradley, CEO of Torsion says: “Automating the business process of internal file and data sharing would eliminate the majority of human errors when it comes to cyber security.
“Employees are still best placed to know who should have access to their data but it’s important to support them with the right technology to make the process of sharing data as easy and compliant as possible. However, expecting them to be aware of security breaches on a day to day basis when there is such a growing volume of files is simply unrealistic.
“It’s also no longer viable for a team of IT professionals to manually update the permissions within files and folders.
“By automating the process, business users and IT professionals can carry on with their main responsibilities confident that they are also keeping their data safe and secure.”
Torsion is an automated platform that works with collaboration tools to automatically monitor and detect any inappropriate access, out of date folders and permissions, or the movement of files. If anything doesn’t look quite right it will promptly alert a business user associated with the file and shut down any potential breaches. Owners or creators of files and folders can certify and revoke access themselves, taking the responsibility away from the IT function.