This summer we've seen a number of high profile data breaches, from the IRS leaking 100,000 Social Security numbers to Japan's government accidentally sharing internal emails with the public through Google Groups. These data breaches are examples of a security issue that organizations must start paying closer attention to: human error.
According to Ponemon's 2013 Data Breach Report, human or system error is still the cause of almost 66 percent of data breaches. The Identity Theft Resource Center (ITRC) has reported 212 disclosed breaches so far in 2013, which have collectively exposed more than 4.5 million personal records. This means that human error is causing countless peoples' medical information, Social Security numbers, credit cards and other sensitive data to fall into the wrong hands.
Even though most organizations have governance and compliance strategies in place that dictate proper usage, compliance policies only get you so far. Compliance by itself is not actually sticky – the trick is in balancing compliance monitoring with the appropriate security measures. This is especially important for organizations using content management systems like SharePoint and file shares where vast amounts of sensitive data reside, giving potentially everyone in the organization access if not secured properly.
This six-step process can help organizations safeguard against compliance violations and properly secure sensitive content without impacting CMS collaboration benefits:
1. Identify red flag risks. Bring together stakeholders such as senior management, heads of communications, human resources and business units to provide assessment of risks and suggest policies required for the organization. Cover general, country- and industry-specific regulations to keep confidential information safe.
2. Establish the compliance strategy. Determine what areas of risk to address and align this with the business strategy. Use stakeholder knowledge to define the compliance strategy for the organization against the business strategy.
3. Design policies and deploy. Based on the compliance strategy, use an automated solution to define and automate policies. Assign policy officers, use appropriate actions for non-compliant content, and establish access restriction rules and workflows to support notifications. Scan content at rest or in motion while tagging content based on these policies to automatically detect, correct, prevent and mitigate risk.
4. Automate content compliance. Integrate content compliance into user activities to automatically review content as it's created. Actions should be taken to flag violations found, as well as automatically classify content in accordance with predefined policy rules. Notifications should also be sent to the appropriate stakeholders to assess violations and suggest additional policies or actions.
5. Secure content. For content management systems like SharePoint, out-of the-box folder-level security is not as effective as item-level classification, which goes with a document as it's shared. Look to secure content based on the presence of customer or confidential company information and automatically restrict access to, encrypt and track documents, as well as prevent distribution by unauthorized users.
6. Report, remediate and refine. One of the most important aspects of managing compliance and security risk is the ability to audit and report on the organizations' compliance and security status. You should also track and monitor the movement of confidential and sensitive documents, including who views, prints and emails documents. This will help to measure progress against goals over time and provide an audit trail for regulators if required.
At the end of the day, organizations must offer their employees a safe way to collaborate, especially when that collaboration involves sharing sensitive data. Detailed reporting also allows policy managers to modify policy and rules based on user interaction and compliance trends.
To complicate compliance matters, employees regularly bring their own personal mobile devices into the workplace and traveling employees have made their handhelds and tablets their de-facto choice, it's inevitable that content will appear on iPads and other mobile devices. No matter the access point for enterprise content, it must remain secure and accessible only to authorized personnel. To effectively mitigate mobile risk, organizations should employ the same content security capabilities, and ideally leverage the same content policies and rules in mobile environments.
The bottom line is you need to protect your organization, while still allowing for open collaboration between the right audiences. Consider an end-to-end automated compliance and security program for traditional and mobile environments to remove some of the vulnerabilities and human diligence required to maintain content security. Just as love and marriage go hand in hand, your compliance and security strategy should as well.