Newsletter #6: Preventing Data From Leaving Your Org
Multiple times last week, I dealt with possible data leaks from my client organizations, from people using their personal laptops to do their work to others forwarding work emails to their personal accounts. Yikes!
Keeping information inside your organization is hard!
What to do?
Well, there are a couple of approaches. You can implement preventative controls to stop people from doing some of these things, and you can try to change behavior with training and social campaigns. Both have their pros and cons, and it really depends on the data you’re handling, your company culture, the number of employees, and the size of your IT or Security team.
Let’s talk about some available controls.
In Gmail, you can stop users from setting up automatic forwarding to addresses outside your organization by turning off the Automatic Forwarding setting in the admin console (it is enabled by default). Note that this only blocks forwarding rules: a user can still forward an individual message by hand, so pair it with a content compliance rule or DLP policy if that matters to you. I personally don’t see any good reason not to do this (see collaborative inbox), but you can always make exceptions for different groups of people if needed.
You can also restrict Drive sharing for particular organizational units or groups: block sharing outside the organization entirely, or allow it only to an allowlist of trusted domains. For email, you can restrict delivery so that certain groups can only exchange mail with addresses inside the org. Or, if blocking is too heavy-handed, start by just alerting when documents are shared outside the org (the Drive audit log records every sharing change) and review those alerts before deciding whether a hard control is warranted.
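The alerting option is the easiest place to start, because it needs no policy change at all. The script below, an added example that is not part of the original newsletter and not Google's code, shows the shape of such an alert: it walks Drive audit activity records and flags documents shared to a non-allowlisted external user, to a consumer mail domain that suggests a personal account, or made reachable by link. The record shape mirrors the Reports API's Drive audit activities (actor.email, events[].name, events[].parameters[]) in simplified form; the event names, parameter names, visibility values, domain lists and the sample records are all assumptions constructed for illustration, so check them against your own export before relying on them.

```python
"""Flag external Google Drive shares from Drive audit activity records.

Added example for this newsletter, not code from the original post or
from Google. The record shape mirrors the Reports API's Drive audit
activities in a simplified form; the event and parameter names below
are assumptions and should be checked against a real export.
"""
from dataclasses import dataclass

INTERNAL_DOMAINS = {"example.com"}             # assumption: your own domains
ALLOWLISTED_DOMAINS = {"trusted-partner.com"}  # assumption: approved partners
CONSUMER_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Visibility values (assumed names) that put a document outside the org.
EXTERNAL_VISIBILITY = {"people_with_link", "public_on_the_web"}


@dataclass(frozen=True)
class Finding:
    actor: str       # who changed the sharing
    doc_title: str   # what was shared
    target: str      # recipient address/domain, or the new visibility
    reason: str      # "personal_account", "external_recipient", "link_sharing"


def _params(event):
    """Flatten the API-style parameters list into a dict of single values."""
    return {p["name"]: p.get("value") for p in event.get("parameters", [])}


def domain_of(address):
    """Lower-cased domain of an email address; a bare domain is returned as-is."""
    return address.rsplit("@", 1)[-1].lower()


def classify_event(actor, event, internal, allowlisted):
    """Return a Finding if this event shares a doc outside the org, else None."""
    p = _params(event)
    title = p.get("doc_title", "<untitled>")
    name = event.get("name")

    if name == "change_document_visibility":
        vis = (p.get("visibility") or "").lower()
        if vis in EXTERNAL_VISIBILITY:
            return Finding(actor, title, vis, "link_sharing")
        return None

    if name == "change_user_access":
        # Access may be granted to one user or to a whole domain.
        target = p.get("target_user") or p.get("target_domain")
        if not target:
            return None
        dom = domain_of(target)
        if dom in internal or dom in allowlisted:
            return None  # internal share or approved partner: not a finding
        reason = "personal_account" if dom in CONSUMER_DOMAINS else "external_recipient"
        return Finding(actor, title, target, reason)

    return None  # views, edits, downloads etc. are not sharing changes


def find_external_shares(activities, internal=INTERNAL_DOMAINS,
                         allowlisted=ALLOWLISTED_DOMAINS):
    """Scan activity records and return all external-share findings in order."""
    findings = []
    for act in activities:
        actor = act.get("actor", {}).get("email", "<unknown>")
        for ev in act.get("events", []):
            f = classify_event(actor, ev, internal, allowlisted)
            if f:
                findings.append(f)
    return findings


def _acl(actor, title, target):
    """Build a constructed change_user_access record (test data helper)."""
    return {"actor": {"email": actor},
            "events": [{"type": "acl_change", "name": "change_user_access",
                        "parameters": [{"name": "doc_title", "value": title},
                                       {"name": "target_user", "value": target}]}]}


# Constructed sample records, not a real export.
SAMPLE_ACTIVITIES = [
    _acl("alice@example.com", "Q3 Board Deck", "bob@example.com"),          # internal
    _acl("alice@example.com", "Q3 Board Deck", "alice.personal@gmail.com"),  # personal
    _acl("carol@example.com", "SOW Draft", "pm@trusted-partner.com"),        # allowlisted
    {"actor": {"email": "dave@example.com"},
     "events": [{"type": "acl_change", "name": "change_document_visibility",
                 "parameters": [{"name": "doc_title", "value": "Customer List"},
                                {"name": "old_visibility", "value": "private"},
                                {"name": "visibility", "value": "people_with_link"}]}]},
    {"actor": {"email": "erin@example.com"},
     "events": [{"type": "access", "name": "view",
                 "parameters": [{"name": "doc_title", "value": "Handbook"}]}]},
]

if __name__ == "__main__":
    for f in find_external_shares(SAMPLE_ACTIVITIES):
        print(f"{f.reason:18} {f.actor} shared '{f.doc_title}' -> {f.target}")
```

Run against the sample it reports two findings: Alice sharing the board deck to a Gmail address (the "working from a personal account" pattern the post describes) and Dave turning on link sharing for the customer list; Carol's share to the allowlisted partner is deliberately silent. The reason field is the useful part for the "why" conversation later: a steady stream of personal_account findings points at a tooling or access gap rather than at careless users.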
As you can tell, these controls can get quite onerous. We have to find the right balance.
Then, there is training and education. A training campaign should have the following goals:
- Spread awareness on the available technical tools for sharing information
- Educate and inform about the organization’s policies and implications for inappropriate data sharing
- Win the hearts of the people to protect the data as if it’s their own, and even get them to be security champions by being a part of the solution
- Make your employees feel like an important part of the organization and internally motivated to secure your data
As you can see, though, these are all solutions to a presumed problem, and they are not one-size-fits-all.
However, I strongly recommend being problem-oriented and figuring out WHY people are doing this. Understanding the “why” is so important. Putting on that product manager hat and figuring out “why” will help you get to a better solution. Along the same lines, test and get feedback before rolling it out.
Data leakage prevention is a complicated topic, but just like anything in security, approach it incrementally, thoughtfully, and with empathy.
Take care,
Ayman
This article was previously posted in the Newsletter.
If this article was helpful to you, consider subscribing to my weekly newsletter, where I share my latest commentary as a vCISO for high growth startups.
Check out how we help startups accelerate and level up their security programs through vCISO (CISO As A Service) and DevSecOps As A Service.