Sponsored
Giving employees fast, convenient access to mission-critical data from wherever they happen to be, and from whatever device they are using, is a fundamental principle of digital transformation, which in most cases cannot be compromised. And the parallel, explosive growth in the use of online content sharing and collaboration services by teams within and between companies has been sufficiently pronounced for Gartner to declare the enterprise content management (ECM) market “dead (kaput, finite and ex market name)”.
Gartner analyst Michael Woodbridge has predicted that ECM would be displaced by “content services” that use multiple on- and off-premises repositories to store and manage information and to improve productivity by allowing employees to access data and applications from any device and any physical location.
Naturally, doing this over different types of network (Wi-Fi, broadband, leased line, cellular and so on) can pose a risk to data security. And while the cloud hosting infrastructure and web platforms used by online sharing services are not inherently more or less secure than on-premises equivalents, they do pose a unique set of problems. Many IT and security professionals, therefore, remain uncomfortable about having little or no control over the information being stored and processed in these services beyond the protective limits and reach of their own firewalls and security management tools.
The biggest fear in having complex data security settings decided by a third-party hosting provider is that sensitive information will not be afforded the same level of protection or priority, or stored in compliance with increasingly strict privacy laws. Falling foul of, for example, the 2018 UK Data Protection Act (DPA), the European Union's General Data Protection Regulation (GDPR), and/or state legislation in the US such as the NYDFS Cybersecurity Regulation (23 NYCRR 500) and the California Consumer Privacy Act risks potentially crippling financial penalties and considerable reputational damage should breaches occur.
A poll of almost 1,400 IT and security professionals by the Ponemon Institute found that many data breaches are caused by employees accidentally exposing sensitive data via file sharing and collaboration tools. It found 63 per cent believe it is likely their employers suffered data breaches in the last two years because of unsecured file sharing and content collaboration processes, with only 39 per cent rating their ability to keep sensitive content secure in the file sharing and collaboration environment as “high”.
The human factor
Being aware of the security risks file and content sharing and collaboration services pose goes a long way towards helping IT and end users protect themselves.
Hackers are known to attack file-sharing applications by infecting files with malware, then getting users to install those infected files in their systems. Some file sharing applications also open ports on company firewalls that can be exploited, while brute force attacks and packet sniffing can be used to compromise files being transferred via unprotected WAN links.
Hackers also routinely use file-sharing services to launch attacks with credentials stolen from email accounts they have already compromised, sending shared links to colleagues within the same organisation to escalate the attack. Links to shared files can also be easily intercepted if those links are accidentally typed into browser search boxes, or when users click on embedded links within documents. Indeed, a fair proportion of the security breaches associated with cloud-based file hosting and sharing can be attributed to either human error, misconfiguration or lack of awareness about the processes required to restrict access to authorized personnel and guard against data leakage.
There are many protective and preventative measures that IT departments and end users can take or encourage to minimize the threat presented by online content and collaboration services, ranging from better user education and awareness to efficient cyber security maintenance and tighter integration with existing defenses, auditing tools and contact directories.
User education is one of the most effective data security tools available. Warning employees not to download files from untrusted sources will go a long way to stopping infected files reaching company systems while setting out clear organisational policies defining what type of information can be uploaded to shared folders will help ensure sensitive data is not put at risk in the first place.
Suppliers like Box also supplement their content sharing and collaboration products and services with education and consulting expertise that draws on previously successful enterprise implementations to offer best practice advice on everything from governance and third-party platform integrations to content migration and user enablement.
IT departments also need to make sure that account holders set default access levels for the colleagues with whom content is to be shared, rather than leaving links open to the public.
Box recommends that administrators configure shared link default access only to “People in your company” so as to reduce accidental creation of public links, for example, and to regularly run a shared link report to find and manage those public links. The company also advises that users do not create public custom shared links to content that is not meant to be accessed by unauthorized users. Remembering to disable access to previously shared links will also help.
Effective education is likely to nudge the majority of end users into acting responsibly with sensitive data and applying appropriate safeguards, but security is only ever as good as its weakest link. Ideally IT departments need to have the sort of detailed visibility into how and where content is being accessed, transmitted and stored that allows them to proactively stop problems arising before they have a chance to compromise the organisation. That cyber security monitoring should extend to every device that workers use to access shared content – desktops, laptops, smartphones, and tablets – as well as the on- and off-premises hosting platforms they use to store information.
A little extra protection
Choosing a content-sharing and collaboration service that encrypts data in storage and transit can minimize the risk of files being intercepted. Providers do not always offer this as standard, and different forms of encryption are often available in premium services that provide additional layers of network security for a fee. HTTPS-encrypted connections to a service's website and backend are an absolute minimum these days, of course, and should be provided as standard.
Enterprise or business-focused versions of content-sharing services usually come with tighter controls that prevent users from sharing links publicly and enforce restrictions on who is allowed to access and share stored data.
That can include identity access management or single sign-on tools, as well as solutions like Box and Okta that tightly integrate with best-of-breed security solutions already in use. These enable users to securely log in from any device and better guard against credential theft, for example, as well as providing strong password management features, and two-factor authentication. Integration with Active Directory frameworks or Outlook mail servers, too, can help to control the sharing of content and links with authorized colleagues and business partners.
And when it comes to addressing compliance and data loss prevention, apprehensive IT managers should consider content sharing and collaboration platforms that provide audit logs which keep track of which users accessed, edited and transferred what files, when and where to aid investigations, reporting or e-discovery requests. Europe's GDPR, for example, empowers EU citizens to find out what personal data is held about them by organisations that fall under the regulation, why it is being held, and who it is being shared with, with a one-month timescale for acknowledgement of receipt and response.
Some industry-specific regulations have even stricter audit requirements. The Payment Card Industry Data Security Standard (PCI DSS), which governs the financial services sector, demands annual on-site reviews and quarterly network scans for companies handling large numbers of transactions, for example. Organisations can be penalized for failing to implement access controls that limit which employees have access to valuable data, for failing to keep detailed network activity logs, or for applying inconsistent encryption as data flows from one system or location to another.
Knowing which specific region of the world (or the individual country) data is being stored in will also go a long way to making sure IT departments stay on the right side of local privacy laws which sometimes demand data never leaves their borders. Certain US federal agencies require that data under their control is stored exclusively within the United States for example, while the GDPR too restricts companies from transferring personal data that originated in the EU to any country without adequate data protection legislation.
The price of collaboration is eternal vigilance
No single organisation can ever be fully protected against the constantly expanding cyber security threats arrayed against it. Most submit that the only viable approach is to minimize the chance of a systems breach and data loss through careful security implementation and management across every endpoint, network connection, and information repository.
That vigilance should extend as much to online content sharing and collaboration as it does to on-premises databases and hosting architecture if organisations are to reap the productivity rewards of having fast, easy access to data from any device.
Just don’t go so far that collaboration suffers. According to Ponemon, even security pros recognize the value to their employers of collaboration: 60 per cent see the inability to enable the free flow and sharing of information as a barrier to their organisations achieving their digital transformation goals. There is, then, a recognition that – imperfect though their defenses may be – collaboration is necessary and that they must simply find a way to manage it. Fortunately, they – and you – have options.
Sponsored by Box.