Now more than ever, security, IT, and compliance leaders are leaning on each other for support in navigating new challenges around remote-working. And, why wouldn’t they?
While some organizations have operated virtually for months and even years before the outbreak of COVID-19, others had never operated a remote workforce. That means they’ve had to – very quickly – equip their teams with new devices and tools, implement new policies and procedures, and update security stacks. Of course, they’re doing all of this while trying to maintain “business as usual” which means trying to monitor and prevent data loss company-wide.
That’s exactly why we’ve been hosting virtual events: to pool the wisdom of experienced security and IT leaders and share back with the broader community While you can access our library of webinars here (and register for our next virtual event here), we’ve compiled key takeaways below from our most recent webinar: How to Stop Data Loss Across 1 Million New Offices.
Here’s the actionable advice from Mark Settle, the former CIO of Okta and Karl Knowles, the Global Head of Cyber at HFW.
“Email is the central nervous system of almost every company. You really can’t escape it.”
1. Prioritize email
Even with collaboration tools like Slack, email is still King. Or, as Mark put it “email is the central nervous system of almost every company. You really can’t escape it”.
Over 124 billion emails are sent and received everyday and employees spend 40% of their time on email. And, when you consider what’s being sent back and forth in emails (spreadsheets, invoices, client information, and other structured and unstructured data) it’s no wonder IT and security leaders consider it the number one threat vector for data loss.
Whether it’s a disgruntled employee purposely exfiltrating data or a negligent employee who accidentally sends sensitive information to the wrong person, email is a leaky pipe.
Interested in learning more about how data is lost on email? Read this blog: A Complete Overview of DLP on Email.
2. Clearly communicate what constitutes “data loss”
It’s employees who have to take on the role of protecting a company’s most important asset: data. But, unfortunately, many are blissfully unaware of what’s actually considered a data loss incident.
It’s not their fault.
It’s up to IT leaders – especially now as employees are adjusting to their new work environments – to really communicate what data is sensitive and how that data must be handled.
While those working in Healthcare or Financial Services may be well-versed in what data can and can’t be stored and shared, because of industry-specific compliance standards, the “average” professional may not be.
For example: if you don’t tell employees that sending company data to their personal email accounts is considered unauthorized and could lead to a data breach, they’ll never know that they shouldn’t do it. Likewise, many employees don’t realize that sending an email to the wrong person could be classified as a data loss incident.
3. Don’t blame employees, empower them
As we’ve said, employees are the gatekeepers of a company’s most sensitive systems and data. But, many aren’t familiar with security best practices or the implications of a breach. And, beyond that, many simply don’t have the necessary tools to work securely. It’s up to IT and security leaders to empower them to do so.
How? According to Karl, it comes down to training and technology.
“We have to give our employees the correct technologies to really enable them to share data securely with both clients, prospective customers, and each other. It’s up to IT and security teams to make that happen. The moment we don’t do that - when we don’t train them or give them a solution - will be the moment they find workarounds, and we run the risk of losing data.”
4. Re-think security awareness training
Earlier this year at the world’s first Human Layer Security Summit, Mark Logsdon, Head of Cyber Assurance & Oversight at Prudential, explained there are three fundamental problems with training:
- It’s boring
- It’s often irrelevant
- It’s expensive
Karl Knowles and Mark Settle shared many of these sentiments.
The bottom line is: In order for training to be effective, it has to really resonate. And, for it to really resonate, employees have to understand the who, what, and why behind security policies and procedures.
They recommend using different methods and mediums to communicate risks and preventative strategies and – perhaps most importantly – ensure you aren’t overloading them. That means breaking complex subjects down into more manageable pieces and translating technical jargon and concepts into language that’s easier to understand.
Top Tip from Karl: Nominate Cyber Champions as a way to gamify training and encourage a positive security culture.
5. Know the limitations of rule-based DLP solutions and invest in technology that proactively adapts
DLP isn’t just a challenge now that workforces are remote. It’s been a consistent pain point for IT and security teams for a long time and for several reasons. One of the biggest problems around DLP is that rule-based solutions aren’t adaptive.
Not only are they admin-intensive to set-up, but they’re virtually impossible to maintain. You can read more about The Drawbacks of Traditional DLP on Email on our blog.
Learn more about Why DLP is Failing in Tessian’s latest report: The State of Data Loss Prevention 2020.
That’s why Karl and Mark recommend investing in technology that’s fast and evolving. The technology is machine learning.
Tessian’s DLP solutions (Tessian Enforcer and Tessian Guardian) are powered by machine learning which is why Karl – a customer – considered Tessian an extension of his cyber team.
“Tessian is the gatekeeper for me. It stands there and checks emails for sensitive information and does this 24/7. And - importantly - it does this without ever getting tired of checking like a person naturally would.”
Interested in learning more about how Tessian can help you detect and prevent data loss wherever your employees are working? Book a demo. And, for more advice, keep up with our blog, LinkedIn, and Twitter for guides, industry news, and events.