Taming the meanest fox in the cyber henhouse

Matt Howard, SVP & CMO Virtru explains why getting to grips with voluntary vulnerabilities is key to cybersecurity and data protection.

Posted 28 March 2023 by Christine Horton

A couple of years ago a council in the northeast of the country suffered a ransomware attack after an attachment on an email was downloaded onto a council laptop – it contained a virus and the subsequent ransom demand was for millions of pounds (not paid) but by then it was already too late: The council’s system was already devastated, despite it having been recently overhauled. 

This isn’t a unique occurrence. Organisations of all kinds are under constant threat from an array of computer viruses, malware and other forms of malicious attack – a few we will know about and safeguard against in advance, while others will be so far unknown. However, while a significant amount of data is exfiltrated, against our wishes, by bad actors exploiting known and unknown vulnerabilities, the vast majority is departing our possession intentionally. 

These are known as voluntary vulnerabilities. They are, by far, the meanest fox in the cyber henhouse — even though they appear friendly and benign. Indeed, with 330 billion emails sent worldwide per day, it’s easily the single greatest reason organisations lose possession of sensitive data, therefore posing a huge risk to both cyber security and data protection compliance. It’s sobering to know the average data breach cost US$4.35 million in 2022.

Voluntary data sharing represents a massive surface area of risk: This data can’t continue to flow out of our organisations without any protection. At the same time, we cannot restrict the flow of data to get our jobs done. There are, and always will be, good reasons to share sensitive data both internally and externally via email, file sharing, and SaaS applications. 

In this context, as information systems become more dispersed, mobile, and dynamic, it’s critical that council leaders and their IT departments think beyond conventional network-centric security measures and carefully consider just how much data is leaving our possession every single day, and for what purpose. 

Going forward, the most innovative local authority organisations will automatically classify and tag data so they can enforce downstream policies and embrace data-centric security at scale. With a data-centric approach, IT teams will be able to protect sensitive data regardless of what that information is, where it resides, or who it has been shared with. They can make smarter decisions based on the context of the data-sharing situation. Furthermore, end users will be able to share data easily while simultaneously satisfying security and regulatory requirements. 

When done right, citizen requests will get processed faster, thereby increasing efficiency and productivity. This will help overburdened employees and reduce costs for financially impacted councils. Employees can focus on value-adding work that utilises their expertise and knowledge, making their work more fulfilling and impactful. It can also increase the likelihood of retaining workers, because their digital workplace will empower them to succeed.

Too good to be true? It’s not.

Rather than stopping the flow of data as a means of securing it, you can provide your workforce with a way to easily share and innovate across applications and ecosystems, knowing you have full control over where it goes and who can access it.

Tech teams must prioritise implementing a multi-layered approach to security, allowing their organisations to embrace data protection, while, at the same time, ensuring employees are empowered to share data confidently and securely. This starts with implementing user-friendly tools that enable employees to protect the data they’re sharing. 

For too long, security and encryption products have neglected ease of use, which is a critical error: If you want employees to prioritise data security, you have to make it simple, and you have to ensure it doesn’t introduce hurdles into their daily workflow. Efficiency, speed, and innovation are table stakes for councils today, so security should support those objectives, not detract from them.

Look for solutions that are integrated natively within the tools your teams are already using every day, such as Gmail and Microsoft Outlook, so that users can easily encrypt emails and set access controls with just one or two clicks. In addition, look for solutions that allow recipients of shared data to easily verify their identity so they can access emails without the need for creating separate usernames or passwords.

Simply put, if you want your security tools to be used, you have to make them easy for everyone involved. 

Allow for human error

Human error is inevitable. People will always make occasional mistakes, which means a ‘safety net’ is needed for when employees don’t make the right decisions. Look for solutions that allow you to put data loss prevention (DLP) rules in place, which can automatically detect and encrypt certain types of sensitive data or warn users when potentially sensitive information is detected in an email. For example, an organisation could choose to always encrypt emails containing a bank account number, but in cases of an address or phone number being shared, they could issue a warning to the sender and allow them to make the final decision. That reminder can be a useful nudge to get employees to think about securing their data, so many administrators use it as an educational opportunity.

Data sensitivity is nuanced, and each situation may call for its own parameters for sharing data. Put the control into the hands of the end user, give them options for setting parameters around how their data can be used. Select solutions that provide the ability to revoke access to files or messages at any time. If a third-party vendor experiences a breach, or a certain file was inadvertently shared, or the user mistakenly hit “Reply All,” access can be immediately revoked, even if that file has already been viewed by the recipient. This gives the employee an opportunity to correct their own mistakes.

With tools like these, you can empower your teams to collaborate with confidence, rather than simply hoping that sensitive data doesn’t end up in the wrong hands.