How to Defend Against Today’s Security Risks
With all of the benefits of digital transformation comes an endless stream of new opportunities for security threats. Data moves faster and farther than ever before, employees establish new digital processes, and applications are easier than ever to procure, creating a multitude of security risks you must prepare for.
The demand for BYOD is on the rise
Employees today demand flexibility in both where they work and which devices they use. BYOD is becoming standard and offers many benefits for both the user and their company, such as increased productivity and reduced hardware and networking costs. However, it comes at a price — rather, it comes with a threat.
In most modern companies, employees are no longer chained to their desks during the hours of 9-5. The work-life balance has shifted to integrating work with personal life. You’ve probably seen it in your own company. John in Accounting might join his daughter at school for lunch and then answer emails after she’s gone to bed. He is excellent at his job, and supports his family equally well.
In order to retain the best employees, companies have become understanding of the need for flexibility and choose to work with rather than against it. Since work often occurs during “after hours,” and personal life doesn’t stop during the typical business day, it’s no surprise that employees want to use their own devices throughout the day, rather than manage two separate ones. While BYOD may lower your hardware costs, it can present significant management and security challenges for IT.
What can you do?
You may be tempted to institute the most restrictive security policies your company will approve. However, this can have drastic consequences on productivity, morale and innovation. Instead, allow users to work safely within a framework you outline and manage.
Establishing rock-solid mobile device management (MDM) and mobile application management (MAM) strategies is key to controlling the movement of data while allowing employees to work securely with the devices they choose. Microsoft Intune, part of Enterprise Mobility + Security, makes it easy to manage the mobile devices your employees use to do their jobs, ensures their devices and apps are compliant with your security requirements, and puts your team in control of how, when and where company data is accessed.
With Intune, your IT staff can automatically deploy required apps on users’ devices, as well as take remote actions, such as reset passcodes, lock devices, encrypt data, and even remove corporate data and apps if a device is lost or an employee leaves the company.
When device enrollment is not an option, Intune allows you to manage the apps that contain corporate data, keeping the user’s personal information separate while ensuring data security for your company. Suddenly a personal phone isn’t looking too different from a work phone, after all.
Shadow IT is a growing concern
Does it come as any sort of surprise to you that the average enterprise today has nearly 400 SaaS applications in use?* And this number is only growing as IT shifts to be a “broker of services” between business users and external software vendors. The addition of each application in your company requires more of your IT resources to manage, which reduces the time your team can dedicate to innovative, strategic projects. And don’t forget – we’re only talking about the SaaS apps that are on your radar.
Unsanctioned applications bring their own set of risks regarding compliance, security, and data loss (to name a few), not to mention the financial toll of paying for redundant software. And even the free apps come at a price. Without visibility into shadow IT, there’s no way to control and remove corporate data when an application is no longer in use or an employee leaves the company. Since working with each business unit every time they want to pilot and procure a new application isn’t the best use of IT resources, how do you go about taming the wild SaaS beast?
What can you do?
Work together with end users
First of all, make sure your employees understand and are aware of the corporate-approved applications that are already available to them. Consider maintaining a document that tracks approved applications, their purpose and functionalities, and which departments currently have access. Share this information with the broader organization and encourage users to check it before searching for a new app on their own. This transparency will help foster positive communication between IT and staff, and reduce your team’s burden of evaluating and procuring a redundant application.
Through ongoing training, end users will stay up to date on new programs and functionality available within Office 365, reducing the chance, for example, that a marketing manager will go rogue and buy their own project management software instead of using Planner.
Bonus: By tracking the usage of Office 365 programs, if an employee is campaigning for a third-party tool that overlaps with an Office 365 solution, you can validate whether they’ve done due diligence in testing the available tools prior to asking for a new one.
Keep tabs on your environment
One way to contend with SaaS proliferation in your company is by monitoring events on your firewall to prevent unauthorized access and breaches. However, this is resource-intensive and requires newer firewalls with Layer 7 filtering capabilities in order to be successful. Instead, consider deploying a cloud access security broker (CASB) such as Microsoft Cloud App Security, available through Enterprise Mobility + Security and as a standalone service.
By extending your security policies beyond your on-premises infrastructure, you maintain visibility, control and protection of data in cloud applications. With the ability to identify over 13,000 applications in use, you’ll be armed with advanced discovery tools to stamp out shadow IT. Microsoft Cloud App Security integrates deeply with Office 365 and provides you with advanced security management capabilities for those native applications. Additionally, it seamlessly integrates with other identity, security and access solutions, enabling a holistic, identity-driven approach to SaaS security.
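The discovery step described above, reduced to its essentials as an added illustration (this is not Microsoft Cloud App Security code or its catalogue): proxy log lines are mapped to applications through a catalogue, compared against the IT-maintained list of approved apps, and the unsanctioned apps that are actually receiving corporate data are surfaced first. The log lines, the hosts and the catalogue are all constructed for the example.

```python
from __future__ import annotations
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (user, method, url, bytes sent); not real traffic.
PROXY_LOG = """\
alice POST https://app.sanctioned-crm.example/api/upload 524288
bob   GET  https://www.sanctioned-crm.example/dashboard 1024
carol POST https://files.unlisted-share.example/v1/put 4194304
dave  POST https://files.unlisted-share.example/v1/put 1048576
erin  GET  https://notes.unlisted-notes.example/ 2048
"""

# Hypothetical app catalogue: host suffix -> app name (a CASB ships a far larger
# one). Hosts that match nothing are reported under an "unknown:" prefix.
APP_CATALOGUE = {
    "sanctioned-crm.example": "Example CRM",
    "unlisted-share.example": "Example FileShare",
    "unlisted-notes.example": "Example Notes",
}
# The approved-application list IT maintains and shares with staff.
SANCTIONED = {"Example CRM"}

def app_for_host(host: str) -> str:
    for suffix, app in APP_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return "unknown:" + host

def discover(log_text: str) -> dict[str, dict]:
    """Aggregate distinct users and upload volume per application."""
    report = defaultdict(lambda: {"users": set(), "bytes_uploaded": 0})
    for line in log_text.splitlines():
        user, method, url, sent = line.split()
        entry = report[app_for_host(urlsplit(url).hostname)]
        entry["users"].add(user)
        if method == "POST":          # only count data leaving the company
            entry["bytes_uploaded"] += int(sent)
    for app, entry in report.items():
        entry["sanctioned"] = app in SANCTIONED
    return dict(report)

def shadow_it(report: dict[str, dict], min_upload: int = 1_000_000) -> list[str]:
    """Unsanctioned apps that received at least min_upload bytes, largest first,
    which is the order a triage queue needs."""
    hits = [(e["bytes_uploaded"], app) for app, e in report.items()
            if not e["sanctioned"] and e["bytes_uploaded"] >= min_upload]
    return [app for _, app in sorted(hits, reverse=True)]
```

Lowering min_upload to zero also lists apps that are merely browsed, which is useful for the approved-applications document but noisier for triage.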
Data protection gets more complicated
Every organization has data they consider sensitive and it becomes increasingly critical to get a handle on your data protection strategies as your company digitally transforms. Without clear insight into where your data is and who has access to it, you run the risk of data leaks and security breaches, not to mention inflated storage costs and poor data compliance (hello, GDPR!).
What can you do?
In addition to having a sound mobile device strategy for your employees, focus on establishing safeguards that use data classification, data loss prevention and conditional access policies. When used in conjunction, these technologies will help you identify sensitive data and apply protection automatically, while controlling the information flows using a DLP engine such as Azure Information Protection (AIP), part of EMS.
AIP allows you to stay in control of your sensitive data with the help of persistent classification and protection. These settings can be fully automatic and configured by IT, based on the source, context and content of both new and existing data. Sending classified product information to a potential partner? Add a watermark so it won’t get abused, and track how many times it’s been opened. Sharing a document internally that contains the credit card numbers of clients? Based on your security settings, it’s automatically classified as confidential and only available to authorized users who can view the file but not print, save, copy text or forward it to anyone else. In addition to the settings you specify, you can allow end users to apply classification to documents right within Office programs, setting limits on where it can travel and who can access it, all based on the metadata configured in the file.
Above: Create default labels for data classification that are easily understood by any user
But what if data manages to get out and into the wrong hands? No problem. With AIP, you can monitor and analyze activity of the data, revoking access to it if needed. You have visibility into every attempt that’s been made to open a file. Maybe you have an unhappy employee trying to leverage classified corporate information to get a job at a competitor. They forward some confidential data to their personal email and quit the next day. With AIP, you can shut off their access to that data remotely, ensuring it never gets into the wrong hands.
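The two behaviours described above, automatic classification of a document that contains client card numbers and later revocation of a user's access, as an added illustration that is not AIP code and does not use its API. The documents, the label names and the rights sets are assumptions made for the example; the Luhn check is what keeps a random 16-digit ticket number from being labelled Confidential.

```python
from __future__ import annotations
import re

# Constructed sample documents (hypothetical, not real client data).
DOCS = {
    "q3-pricing.docx": "Unit price list for Q3. Contact sales@example.com.",
    "client-refunds.xlsx": "Refund to card 4539 1488 0343 6467 for order 1182.",
    "notes.txt": "Ticket 1234567890123456 is not a card number.",
}

# Usage rights per label, mirroring "view but not print, save, copy or forward".
RIGHTS = {
    "Public": {"view", "print", "copy", "forward"},
    "Confidential": {"view"},
}

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    return [m.group() for m in PAN_RE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]

def classify(text: str) -> str:
    """Content-based labelling: any valid card number forces Confidential."""
    return "Confidential" if find_card_numbers(text) else "Public"

def label_documents(docs: dict[str, str]) -> dict[str, str]:
    return {name: classify(body) for name, body in docs.items()}

class ProtectedFile:
    """Enforces the label's rights, logs every attempt and supports revocation."""
    def __init__(self, name: str, label: str):
        self.name, self.label = name, label
        self.access_log: list[tuple[str, str, bool]] = []
        self.revoked_users: set[str] = set()

    def request(self, user: str, action: str) -> bool:
        allowed = user not in self.revoked_users and action in RIGHTS[self.label]
        self.access_log.append((user, action, allowed))   # visible to IT afterwards
        return allowed

    def revoke(self, user: str) -> None:
        self.revoked_users.add(user)
```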
In 2016, InfoWatch registered over 1500 data leaks which compromised more than 3.1 billion personal data records. Compare this to 2008, when “only” 801 were recorded. While this is not inclusive of every leak around the world, this massive increase speaks to the growing trend in data loss.*
Does this seem like a lot to handle on your own? Fill out the form below to find out more about building a security practice built for digital transformation.