Every day, another data exposure hits the news. Sometimes, nefarious, sophisticated cyber criminals are to blame. But, just as often, these incidents are accidental.
You see, a data exposure doesn’t necessarily mean a cyber attack. In our hyper-connected, always-on, digital world, there are several ways that sensitive data can make its way to public areas of the internet, where it might be found by security researchers, members of the public or malicious actors.
Just last month, for example, Nestle admitted it experienced a data leak after “data of a B2B nature was made accessible unintentionally online for a short period of time.”
Unfortunately for organisations, regulators and the public don’t care whether you’ve suffered a data breach or a data leak. If data is exposed or stolen, this spells trouble for your company. Not only could you suffer reputational damage; under regulations like HIPAA and GDPR, there are steep compliance fines for companies that inadequately protect sensitive information.
So, how does data leakage happen? And how can you stop it? Below, we’ll dive into the common causes of business data leakage – and offer guidance on the processes, policies and solutions that can mitigate this risk.
- Human error
Since the dawn of computers, human error has been a potent threat to data security. Looking back at your own career, you’ve probably been responsible for at least one or two incidents of data loss or exposure. Employees, for example, may accidentally delete important files or share confidential information with the wrong person.
In the age of remote working and cloud applications, the security risks relating to human error have skyrocketed. Now, there is a considerable amount of sensitive data stored on the internet in applications like Google Workspace, Teams and Box. It just takes one wrong permission setting to accidentally expose huge troves of data to unintended recipients.
- Shadow IT
Linked to human error is the risk of shadow IT. By this, we mean the use of IT systems like hardware, software and cloud applications without the knowledge or consent of a company’s IT department.
Shadow IT is a huge problem today. Microsoft research indicates that 80% of employees use applications the IT team hasn’t authorized, while McAfee found that the average company has about 100 known cloud services and a huge 975 unknown ones!
From an employee productivity perspective, it’s easy to see why people use unsanctioned applications. Personal preference, efficiency and collaboration are all common reasons employees look beyond workplace apps and download their own.
However, security-wise, this is a huge red flag for data leakage. Put simply, your IT guys cannot protect what they don’t know about. They don’t have any visibility or control over these applications – or the data being shared with them.
This makes it impossible to protect against and detect data leakage, which is precisely how data exposures happen!
- SaaS applications
Software-as-a-service applications like Slack, Teams, Box and Google Workspace are the backbone of the modern organization. However, these tools are relatively new and traditional security solutions simply don’t protect data in them.
Traditional data loss prevention (DLP), for example, only protects structured data. It can’t recognize and discover unstructured data in chat messages, documents, images and other formats.
This is an issue. SaaS applications are running wild with unstructured data. Plus, with so many people accessing these apps and interacting with company assets in them, the chances of unintentional data leakage are huge.
Compounding this risk is the rise of the gig economy and outsourcing. Most organizations today rely on a blend of vendors, freelancers and contractors, as well as traditional employees, to operate. In this environment of extensive collaboration and access, there is more chance of accidental data leakage, especially amongst third parties who aren’t aware of your company’s data security processes and rules.
- Misconfigurations
A cloud data leak occurs when sensitive company data that is meant to be stored in a private cloud is unintentionally shared with the wider internet. It’s quite easy for this to happen. The cloud, after all, is hosted on the internet. It’s just a pocket of hidden space that can only be accessed with the right credentials and authorization levels.
Just one misconfiguration or error could result in a host of sensitive data becoming accessible to everyone on the internet – which, of course, is a huge breach of compliance regulations.
Generally speaking, there are two types of people who scan for cloud leaks: altruistic security researchers and nefarious cybercriminals. Even if your leak is discovered by security researchers who alert you, it will be almost impossible to demonstrate that hackers haven’t also accessed it.
How to combat the causes of data leakage
The four major causes of data leakage can be condensed down into two widespread issues: a lack of visibility and control over how data is used, who is accessing it and where it is stored.
On the flip side, if your IT team gains adequate, granular control over your sensitive data, they could prevent all these problems. Imagine if you could protect against the following…
- When someone accidentally tries to share a confidential file with the wrong person, the IT team could redact the sensitive information in real-time.
- When an employee uses an unknown application, the IT team will be able to discover it and protect sensitive data in it.
- When a contractor tries to download lots of company data on their device from Slack, the IT team could block this action.
- When a team member unintentionally configures a cloud instance to ‘public’, your IT team receives an alert – and the sensitive data in the instance is encrypted so that it can only be viewed by users with specific access rights.
These scenarios aren’t hypothetical either. It’s entirely possible to protect your company from data leakage in the cloud. You just need the right solutions to do it.
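To make the first scenario above concrete, here is an added example (not part of the original article, and not any vendor's product code) of discovering and redacting sensitive values in unstructured chat text. The function names, the two patterns and the sample messages are assumptions constructed for illustration; the Luhn checksum is used so that ordinary digit runs such as order references are not redacted as card numbers.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects order numbers and other arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def redact(text: str):
    """Return (redacted_text, findings) for one chat message."""
    findings = []

    def card_sub(m):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()    # not a valid card number: leave untouched
        findings.append("card")
        return "[REDACTED CARD ****" + digits[-4:] + "]"

    def email_sub(m):
        findings.append("email")
        return "[REDACTED EMAIL]"

    text = CARD_RE.sub(card_sub, text)
    text = EMAIL_RE.sub(email_sub, text)
    return text, findings

# Constructed sample messages; 4111 1111 1111 1111 is a widely used test card number.
MESSAGES = [
    "Customer paid with 4111 1111 1111 1111, please refund",
    "Order ref 1234 5678 9012 3456 shipped, contact jane.doe@example.com",
    "Lunch at 12?",
]

if __name__ == "__main__":
    for msg in MESSAGES:
        print(redact(msg))
```

The findings list is what a monitoring pipeline would count or alert on, while the redacted text is what other channel members would see.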
SaaS DLP, user awareness and zero-trust are the way forward
That’s where cloud-based data loss prevention (DLP) comes in. These solutions work by discovering, monitoring and protecting sensitive data in cloud applications like Teams, Slack, and Google Workspace.
The best-in-breed solutions require little intervention. They use AI and machine learning to automate the process of data discovery and protection – only alerting your IT team to extremely high-risk cases that need their attention. Otherwise, the solution works in the background, ensuring that you meet your data security and compliance obligations.
SaaS DLP is best deployed in conjunction with a zero-trust mindset. To harness the power of cloud-based DLP, you will first need to classify your data based on its sensitivity and decide who should have access to what.
Zero-trust is how you determine this. It’s the idea of “trust no one, verify everyone”. Employees and third parties should only have access to data on a need-to-know basis. These access permissions are crucial to a successful DLP strategy.
Lastly, building a culture of security is vital. Your employees should be champions of security, not working against it. That’s exactly why our SaaS DLP solution includes nudge prompts, a form of dynamic user training that ‘nudges’ users towards healthy security behaviors as they work in SaaS applications.