Innovation and the subsequent shift from on-premises applications and infrastructure has completely altered the role of IT across the business landscape. While the cloud is undoubtedly a key enabler for any business wanting to succeed on a global scale, organizations are subsequently spending a major part of their IT budget every year on a multitude of security solutions to avoid data loss. The challenge is that data is scattered across a variety of different locations in a structured or unstructured format and different file types. Organizations have to make sure that they control all sorts of channels, where data can get lost accidentally or on purpose, like email, endpoints, cloud and even USB sticks…
However, IT teams face a number of hurdles in controlling these channels, such as overreliance on manual operations, alert overload, and security gaps in a multi-cloud environment. Different security point products that are operating in silos without correlation and triggering random alerts are the core of the dilemma when it comes to monitoring and preventing data loss. When those hurdles are combined with issues around legacy infrastructure, complex tech stacks, and a lack of visibility through a single source, organizations are operating in a house of cards and setting themselves up for failure to prevent accidental or malicious data loss.
While it’s true that there has been a 288% increase in threat actors targeting the cloud, recent research from Stanford University finds that approximately 88% of all data breaches are caused by employee mistakes. What’s clear is that whether it’s at home, on the move using a mobile device, or in the office, the task for organizations now is to secure an increasingly mobile workforce. By 2025, cloud data is due to grow from 33 ZB (zettabytes) to 175, and 95% of workloads will be in the cloud. Prioritizing the security of data in the cloud is becoming non-negotiable for organizations.
With that in mind, here are five of the most common ways that a company may lose sensitive data and how to mitigate these issues as efficiently as possible.
1.Accidental & negligent data loss
For employees it is easy to adopt negligent practices in handling data. More often than not, data loss is not born out of malicious behavior and is usually due out of convenience or trying to be more productive, laziness, or even a lack of awareness about a corporate data security program. For instance, an employee might upload data to an unsanctioned cloud application, or copy data to personal cloud storage, instead of following approved corporate processes. Awareness training for employees on what can be sensitive data adds to the level of security in the first place.
The key to solving this issue is through a practice that essentially recruits the end user into the data protection program through workflow automation tools. These tools allow the security team to have an ongoing conversation with the end user, and where they really drive value is through coaching end users. The Data Loss Prevention (DLP) program allows IT teams to spot patterns and train people to learn from their mistakes, helping users to make smarter decisions. Additionally it is key for organizations to classify their data according to criticality and sensitivity and set up prevention strategies against these ways of accidental data loss.
2.BYOD: Bring Your Own Device
Across the modern working landscape, it’s becoming increasingly common that contractors and third parties are using their own devices to access corporate data. Whereas in the past, IT might have shipped a corporate device over to a temporary team member so IT has full control of what the person has access to, it’s now a lot simpler and more streamlined to allow people to use their own devices to conduct their work. However, this modern way of working comes with added risk. For instance, a contractor might find a document particularly interesting and decide to save it for later, or even access a risky website. So, the question now is how to enable productivity without allowing corporate data landing or remaining on a contractor’s laptop once their contract is over?
Here, browser isolation can be a valuable solution. If a contractor needed to access Salesforce for example, the IT team can enable them access via a cloud browser rather than direct entry to the application. This enables the contractor to access the data as they need to conduct their work on their personal device, but IT will retain overall control of what data they can use and move while in the browser. IT might limit the contractor from being able to download any data in the browser onto a hard drive or not allow them access to print hard copy. Essentially, your organization can enable the use of somewhat risky applications and for third party team members to retain their most productive ways of working, without incurring risk through or to the user.
3.Gen AI Apps: Enabling productivity, safely
Since Gen AI catapulted to the forefront of the business conversation in late 2022, organizations and their employees alike have been experimenting with the resulting applications. Given their obvious productivity enhancing abilities, users are gravitating towards them so that they can do their jobs more efficiently. For IT departments however, it’s essentially another example of a shadow IT application that might lead to loss of sensitive data.
Generative AI is what can be called a big brain in the sky. By which is meant it retains the information that it is fed without understanding the level of confidentiality. Say, for example, the communications team is preparing a press release about an acquisition that your organization had made and they used a GenAI tool to help them. They are risking the tool passing on that information to someone outside the company. If they happened to ask the tool to share the latest news on your company, it could easily pass on embargoed and sensitive information without realizing that it was sensitive. At the moment, we’re seeing varying levels of response from IT teams. Some organizations are blocking GenAI tools outright, some are creating their own applications, and some simply don’t know how to respond to the issue.
The truth is, that end users can’t be stopped from seeking out the benefits of these applications, so organizations need to have a structured plan in place to prevent data loss. Once more browser isolation can be the security approach of choice as previously mentioned for BYOD. Users can be allowed to work with the application but the corporate IT has control of the Gen AI Session to prevent certain data which is classified as sensitive being stored by the application for public use. Additionally, DLP inspection tools can drive real value through their automated policies. They can identify if something such as source code is headed to a Gen AI app, and block it accordingly. When choosing a DLP tool to tackle Gen AI apps, the suggestion is to look for one that has a lot of predefined dictionaries. Such tools have a wide variety of rules that regulate the breadth of potential data loss across GenAI apps such as source code, payments information, customer information, health information or any personal information. These can then be assigned to the various channels, such as web, email and apps such as ChatGPT to prevent data loss.
4.USB and mobile storage
There are plenty of circumstances where end users might see the value in copying information to a USB drive. They might be moving to another company, trying to share information, or even have just picked up a USB at a trade show. Here, it’s important that an organization can control the channels on devices, whether that’s USB, network sharing, or even file sharing applications, such as Dropbox, or Google Drive. While efficiency is certainly there to be gained, it can leave a gaping hole in the network, and hackers are enjoying plenty of success by targeting these tier 1 applications.
This is where a physical endpoint DLP tool can really show its value by implanting physical controls around DLP. By enabling control over common endpoint channels like USB, Network Shares, or Personal Storage, sensitive data can be secured from loss.
5.Protecting against malicious internal actors
While corporate espionage and external attacks where data is leaked or taken ransom is one side of the coin, what’s more common are instances where someone might be moving to a new job and attempting to take data with them. It could be CVs for job applications, marketing databases or even just documents that contain information around best practices and processes that they don’t want to lose. All the same, this is data that is being stolen.
To prevent this, security teams must be able to understand and flag suspicious internal behaviors that act as indicators and stop them. A User and Entity Behavior Analytics (UEBA) tool is an excellent means to track risky or abnormal user behaviors, as it will use AI to flag abnormal activity and inform the team. For instance, if a user is downloading a 6GB file at 3am and is not a typical practice of that employee then EUBA will inform the IT department that this incident requires further investigation. Having this early warning system gives the IT team greater forewarning or potential risks and allows them to cut them off before they turn into data losses, rather than having to mitigate the issues after the loss has already occurred.
How to scale up data loss prevention?
A complex security setup with a multitude of different point products that don’t work in harmony will end up causing plenty of organizations data loss issues in the long term if they don’t make a change. IT teams will consistently be hamstrung unless they alter their approach and find ways to simplify their data loss prevention tools and find a way to see all aspects of the organizational environment through one single pane of glass. Opting for a cloud security platform solution will enable organizations to easily inspect structured and unstructured data across all the channels, ultimately allowing them to bring greater security to their enterprise and reduce data loss.
Ad