The user is the new security perimeter: let’s put them at the heart of our strategy



As modern working practices continue to develop and evolve, technology and the way in which we consume it are also constantly advancing. Today, organisations are doing a good job of locking down the sensitive information contained in structured systems and data centres using a variety of pretty robust security solutions.

This means it is getting harder for hackers to get to the data they want, and as a result, they are progressing their attack vectors and simply turning to the new weakest point: unstructured data. There has been a huge explosion in unstructured data (it currently accounts for 80% of organisations’ data) and it is therefore easy pickings where the hackers are concerned – it has become their new ‘black’.

What do we mean when we talk about unstructured data? It’s the emails, PDFs, exported Excel spreadsheets and other documents used for collaboration and cross-company sharing. Users interact with this data constantly simply to get their jobs done – creating new files, attaching documents to emails, and saving information across networks and devices. Add to this the new ways of delivering technology, especially as organisations expand into the cloud and it becomes more mainstream, and you can start to appreciate just how difficult it is for organisations to effectively manage, store and share all this unstructured data securely.

Human error accounts for over a quarter of all data breaches

Put simply, data breaches keep happening at an unprecedented rate. And they are getting costlier every year. In addition to hackers, the threat from human error accounts for more than a quarter (27%) of all data breaches (according to the latest research from the Ponemon Institute 2018 Cost of a Data Breach Study).

Users act autonomously, are inherently unpredictable and often make mistakes. The accidental email send, i.e. an email sent to the wrong person, accounts for a large proportion of data breaches. This can be a result of mistyping or auto-complete of an email address, a mistake when sending to a distribution list, or simply using the wrong attachment. For example, last year a UK City Council admitted to accidentally attaching an internal spreadsheet to emails inviting adoptive parents to the council’s annual adoption summer party. This attachment contained personal details relating to 2,743 individuals, including adopted children.

By taking a user-centric approach to data security, organisations can build a safety net for users’ behaviour to prevent accidental, as well as malicious, data breaches. It comes as little surprise that most data breaches caused by human error happen when handling unstructured data, so it’s crucial to understand how users interact with and share unstructured data. Comprehensive data analytics can help security administrators establish a baseline of normal behaviours and therefore provide the ability to spot anomalies.

Putting the user at the heart of data security

This is why it is so important to put the user at the heart of data security, because with our ever-changing systems, users are now the only constant across all information systems and technology. It therefore makes absolute sense that a comprehensive data security strategy needs to surround the user, and this means providing them with simple and easy-to-use tools so that they can protect sensitive information.

Think about it: buying a house is an investment decision that is made with a 20-year horizon in mind. When buying a car, we typically accommodate lifestyle changes and plans for the next five years. So why shouldn’t an organisation apply the same rigour when it comes to investing its often-scarce security budget? If the user is the only constant over the next few years, shouldn’t security and risk management investments be focused as close to the user as possible? This includes solutions that not only help an organisation discover and classify user-generated sensitive data but also prevent the accidental send of sensitive information and enable the secure sharing and collaboration of information for legitimate business purposes, whilst providing organisations with detailed reports and analytics to understand the risk of sensitive data leakage by users.

Here at Egress we have a user-centric platform that at its very core cocoons the user with privacy and risk management tools, enabling them to securely share and store unstructured data. Additionally, we use machine learning to help detect threats and provide a wide range of insights into behavioural patterns to identify anomalies across the organisation. So, for example, if you take the mistyping of email addresses and accidental sends, our platform detects and alerts even on Cc and Bcc recipients that may not belong in a certain message. It also alerts on anomalous behaviour including email volume, attachment sizes, webmail addresses, etc., and automatically adjusts ‘sensitivity’ based on someone’s role.

A case in point

To bring this to life, here are some examples of what we have done for our customers:

The largest global healthcare provider and one of the UK ‘Big Four’ banks use our solutions to protect their client data, enabling them to communicate and share sensitive data securely every day.

A police force in the UK uses our products to enable members of the public to submit video and photographic evidence of driving offences that they may have witnessed. This has directly resulted in fostering a safer driving environment that has saved hundreds of lives. A charity uses our email protection platform to securely communicate with victims of abusive relationships, thus empowering them to seek help and safely extract themselves from life-threatening situations.

These are just a few of hundreds of examples where we are empowering users to protect data while still getting their jobs done. I firmly believe that having a user-centric approach helps individuals avoid potential mistakes, such as the accidental send, and provides security administrators with insight into behavioural anomalies across the business. In other words, it protects both the user and the organisation from that dreaded data breach!

Written by Sudeep Venkatesh, CPO, Egress Software Technologies.