Artificial Intelligence, User Behaviour Analytics, Zero Trust: these are the buzzwords currently dominating the security industry. The developments in cyber security technology over the last few years are remarkable, and they are essential to the progression towards a more secure world.
A key assumption in much of this development is that technology is required to mitigate the risks created by human actions. To a certain extent, this is the right approach. However, whatever we do from a technology perspective, malicious actors will always exist, and people will continue to make innocent mistakes. Technology cannot solve every problem.
How can we effectively mitigate this risk? This is where I believe companies need to adopt a more positive approach: one in which the aim is to transform humans from a security risk into a security asset. In short, user-driven security.
What do we mean by user-driven security?
User-driven security is a methodology built on an understanding of how people interact with data, why they make mistakes, and how innocent mistakes and malicious activity can be identified and prevented. Using these insights, a business can implement a simple strategy: educate users so that they understand how to work in a more secure way, and build security policy into their day-to-day workflow. The information users provide (for example, the classification they assign to a document) is then used to improve the security technology already in the business. This process can make businesses both more secure and more efficient.
Why are people seen as a risk?
When you look at the plethora of research on the reasons behind, and causes of, data loss, it is clear why people are such a risk. For example, the Information Commissioner’s Office (ICO) regularly publishes statistics on the main causes of the data security incidents reported to it. In the cases where it has taken action, human error and process failure tend to be the leading causes; more specifically, loss or theft of paperwork, data sent to the wrong recipient, and loss or theft of an unencrypted device. It is easy to see how and why these events occur so easily. Let’s look at three of the key reasons:
- People are busy and face a growing mountain of data, created every second.
- Data is becoming the most valuable asset a business has, which incentivises malicious actors to try to steal it.
- Businesses (and therefore their employees) tend not to understand the value of the data they create.
The effective use of technology goes a long way towards overcoming some of these challenges. However, technology alone still leaves gaps, and this is where your people can help. Below are three steps you can take to turn your people from a risk into your greatest security asset.
1. Educate your users
Build a custom training programme for your employees that covers all areas of security but focuses on data. It should teach users the value of the data they handle, and ensure they work with it in a way that complies with your internal security policies and the relevant regulations.
2. Classify your data
How can you appropriately protect data if you don’t know its true value? (Answer: you can’t.) When you move house, a lorry full of unlabelled brown boxes leaves you in a mess at the other end; exactly the same applies to data. You should be able to identify quickly how sensitive a piece of content is and, from that, how it should be handled, stored and protected. This is where data classification comes in: it applies both a visual label and metadata to each item, so that users and downstream technologies alike handle it appropriately. A classification tool prompts users to classify data at the point of creation, when they know best what it contains.
To avoid mistakes and reinforce user education, the tool also scans the content to check that the label the user selected complies with your policies, and prevents ‘under-classification’ (for example, a spreadsheet containing payment card numbers being labelled ‘Public’). In other words, it works on a ‘trust but verify’ basis. The check is only as good as the patterns it scans for, so it is a safety net for the user’s judgement rather than a replacement for it.
3. Enhance your existing technologies and enforce your security policies
User training and data classification together enable businesses to enforce their security policies in a way that is difficult to achieve by any other means. The metadata applied during classification can be read by several complementary technologies and improves their accuracy. For example, a Data Loss Prevention (DLP) tool can read the classification metadata and apply the handling rule for that label (allow, warn, encrypt or block) instead of guessing the sensitivity from content alone. The label should be one signal among several, though: metadata can be stripped or edited when data is converted or copied, so a DLP tool should still inspect content when the label is missing or looks inconsistent with what it sees.
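As an added worked example (not Boldon James code, and not any product’s API), the following Python script shows the ‘trust but verify’ check from step 2 and the metadata-driven DLP rule from this step working together. It assumes a hypothetical metadata property named X-Classification, a four-level label scheme, two constructed content rules (Luhn-valid payment card numbers and the shape of a UK National Insurance number) plus a hypothetical deal keyword as the classification policy, and example.com as the organisation’s own mail domain; the sample documents are constructed, not real data.

```python
"""Added example (not Boldon James code): verify a user-chosen classification
label against document content ("trust but verify"), then let a DLP rule act
on the resulting label instead of guessing sensitivity from content alone."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Ascending sensitivity; the index is used for "at least this sensitive" checks.
LEVELS = ["Public", "Internal", "Confidential", "Top Secret"]
LABEL_KEY = "X-Classification"      # assumed name of the metadata property
DEFAULT_LABEL = "Internal"          # assumed policy: unlabelled data is treated as Internal
INTERNAL_DOMAINS = {"example.com"}  # assumed: the organisation's own mail domain(s)

# Constructed content rules: pattern -> minimum label the content requires.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")           # 13-19 digits, optional separators
NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")  # UK National Insurance number shape
DEAL_RE = re.compile(r"\bacquisition target\b", re.I)         # hypothetical M&A keyword


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that random digit runs are not mistaken for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def required_level(text: str) -> tuple[str, list[str]]:
    """Scan content and return the minimum label it needs, plus the reasons."""
    level, reasons = 0, []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            reasons.append("payment card number")
            level = max(level, LEVELS.index("Confidential"))
    if NINO_RE.search(text):
        reasons.append("national insurance number")
        level = max(level, LEVELS.index("Confidential"))
    if DEAL_RE.search(text):
        reasons.append("deal keyword")
        level = max(level, LEVELS.index("Top Secret"))
    return LEVELS[level], reasons


@dataclass
class Document:
    name: str
    body: str
    metadata: dict[str, str] = field(default_factory=dict)


def verify_label(doc: Document) -> dict:
    """Trust the user's label, but raise it if the content demands more."""
    declared = doc.metadata.get(LABEL_KEY, DEFAULT_LABEL)
    if declared not in LEVELS:
        raise ValueError(f"{doc.name}: unknown label {declared!r}")
    required, reasons = required_level(doc.body)
    under = LEVELS.index(declared) < LEVELS.index(required)
    return {
        "declared": declared,
        "required": required,
        "effective": required if under else declared,
        "under_classified": under,
        "reasons": reasons,
    }


def dlp_decision(doc: Document, recipient: str) -> str:
    """Handling rule keyed on the verified label: allow, warn, encrypt or block."""
    label = verify_label(doc)["effective"]
    internal = recipient.rsplit("@", 1)[-1].lower() in INTERNAL_DOMAINS
    if label == "Top Secret":
        return "encrypt" if internal else "block"   # assumed policy: always encrypted, never external
    if label == "Confidential":
        return "allow" if internal else "encrypt"
    if label == "Internal":
        return "allow" if internal else "warn"      # prompt the user rather than block outright
    return "allow"


if __name__ == "__main__":
    # Constructed sample documents, not real data.
    samples = [
        Document("refunds.xlsx", "Card 4111 1111 1111 1111 expires 12/27", {LABEL_KEY: "Internal"}),
        Document("menu.txt", "Friday lunch menu", {LABEL_KEY: "Public"}),
        Document("board.docx", "Acquisition target shortlist attached"),
    ]
    for doc in samples:
        print(doc.name, verify_label(doc), "->", dlp_decision(doc, "partner@supplier.net"))
```

The spreadsheet labelled ‘Internal’ is raised to ‘Confidential’ because of the card number and gets encrypted on its way to the supplier, the unlabelled board paper is raised to ‘Top Secret’ and blocked from leaving, and the lunch menu passes untouched; the DLP rule never has to choose between ‘too relaxed’ and ‘too strict’ for all content at once because the label carries the decision.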
The introduction of user-driven security provides benefits to your organisation such as:
- Reducing loss of sensitive information.
- Increasing productivity.
- Streamlining detection and remediation processes.
If you know where your sensitive data is, you can control how it is protected, where it is stored and who can access it. As such, the risk of losing sensitive data is greatly reduced.
Additionally, if you have a policy of, for example, encrypting ‘top secret’ data, the damage is limited even if the data does end up in the wrong hands (provided the keys do not go with it).
Improving productivity through data value
In terms of productivity, if users understand the value of the data, they can make quicker and more confident decisions about how to handle it. DLP tools can prevent the loss of sensitive data, but in practice one of two things tends to happen:
- The rules are too relaxed, which causes problems with security.
- The rules are too strict and block activity from happening, which causes problems with productivity.
Allowing DLP tools to read the classification metadata helps overcome both problems: the rules can be strict for data labelled as sensitive and relaxed for everything else, instead of one blunt setting applied to all content.
Lastly, streamlining the processes around detection and remediation depends on the excellent tools now available that quickly identify data breaches and cyber attacks and help remediate them. These tools are driven by algorithms that read log and network data to identify anomalous behaviour, and one of the most important inputs to those algorithms is context. The metadata tags added by data classification provide exactly that context: the same volume of downloads means something very different when the files are labelled ‘top secret’ rather than ‘public’, and that difference should change how an alert is prioritised and how the attack is responded to.
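As an added example (not Boldon James code, nor any SIEM product’s rule language), the following Python script shows how a classification label changes the weight a detection algorithm gives to otherwise ordinary events. It scores file-access events per user over a sliding one-hour window, weighting each event by its classification label, the action taken and whether it happened out of hours; the log format, the weights, the threshold and the sample events are all constructed for the example.

```python
"""Added example (not Boldon James code): classification labels as context
for an anomaly score over file-access events."""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed weights: how much one event of this kind counts towards an alert.
LABEL_WEIGHT = {"Public": 0.0, "Internal": 1.0, "Confidential": 5.0, "Top Secret": 20.0}
ACTION_WEIGHT = {"view": 0.2, "download": 1.0, "email_external": 3.0}
OFF_HOURS_FACTOR = 2.0      # activity before 07:00 or from 19:00 counts double
ALERT_THRESHOLD = 40.0
WINDOW = timedelta(hours=1)

# Constructed sample log, not real data. Format: timestamp|user|action|label|bytes
SAMPLE_LOG = """\
2024-03-04T09:12:01|alice|download|Public|204800
2024-03-04T09:12:09|alice|download|Public|204800
2024-03-04T09:12:15|alice|download|Public|204800
2024-03-04T09:12:22|alice|download|Public|204800
2024-03-04T10:30:00|dave|view|Internal|51200
2024-03-04T10:31:00|dave|view|Internal|51200
2024-03-04T14:00:00|carol|email_external|Top Secret|1048576
2024-03-04T21:05:00|bob|download|Confidential|1048576
2024-03-04T21:06:00|bob|download|Confidential|1048576
2024-03-04T21:07:00|bob|download|Confidential|1048576
2024-03-04T21:08:00|bob|download|Confidential|1048576
2024-03-04T21:09:00|bob|download|Confidential|1048576
"""


def parse_event(line: str) -> dict:
    ts, user, action, label, size = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "label": label, "bytes": int(size)}


def event_score(e: dict) -> float:
    """The label dominates: the same download is worth 0 for Public and 5 for Confidential.
    Unlabelled data is scored as Internal (assumed policy)."""
    score = LABEL_WEIGHT.get(e["label"], LABEL_WEIGHT["Internal"]) * ACTION_WEIGHT.get(e["action"], 1.0)
    if e["ts"].hour < 7 or e["ts"].hour >= 19:
        score *= OFF_HOURS_FACTOR
    return score


def detect(log: str, threshold: float = ALERT_THRESHOLD, window: timedelta = WINDOW) -> list[dict]:
    """Return one alert per user, the first time their windowed score crosses the threshold."""
    events = sorted((parse_event(ln) for ln in log.splitlines() if ln.strip()), key=lambda e: e["ts"])
    recent: dict[str, deque] = defaultdict(deque)
    alerted: set[str] = set()
    alerts = []
    for e in events:
        q = recent[e["user"]]
        q.append((e["ts"], event_score(e)))
        while q and e["ts"] - q[0][0] > window:   # drop events that fell out of the sliding window
            q.popleft()
        total = sum(s for _, s in q)
        if total >= threshold and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append({"user": e["user"], "at": e["ts"].isoformat(), "score": total,
                           "label": e["label"], "events_in_window": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

With these weights, alice’s burst of public downloads and dave’s internal views never register, one external email of a ‘Top Secret’ file from carol alerts immediately, and bob alerts on his fourth late-evening ‘Confidential’ download; relabel bob’s files as ‘Public’ and the identical volume of activity raises nothing, which is the difference the label makes to response priority.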
The steps outlined above highlight the need to blend best practices in user-driven and automated classification techniques to meet the unique data security needs of your business both today, and tomorrow. Is your organisation able to classify its data?
Boldon James is a leading UK-based technology company that provides data classification and governance systems to help customers manage data effectively, streamline operations and respond proactively to regulatory change. It aims to give enterprises unrivalled customer service and best-of-breed data protection and governance solutions, and helps many of the world’s most successful organisations take control of their business data. Boldon James takes pride in providing customers with more effective, secure and streamlined operations that protect their business-critical information and reduce risk.