How secure is your data, really?

By Kunle Awosika

More than 554 million data records were stolen during the first half of 2016, a 31% increase from the previous six months – and that was just from the enterprises that reported their breaches. Unfortunately, many organisations that experienced a breach during that time either did not know they had been targeted or failed to disclose the attack to regulators and the public.

This suggests that the statistic of 35 records being compromised every second is quite conservative and that the damage could be far greater than anticipated.

Raising data privacy awareness

Every year, on 28 January, the world recognises Data Privacy Day, which aims to raise awareness and promote privacy and data protection best practices. Under the theme of respecting privacy, safeguarding data and enabling trust, stakeholders use the day to encourage enterprises to comply with privacy laws and regulations.They also urge the public to consider how much of their personal information is freely available and how much access they grant to things like social media platforms and smartphone applications.

But is it enough to only have these conversations once a year, especially when identity theft was the most prevalent type of breach in the first half of 2016?

In a mobile-first, cloud-first world, data protection is a complex problem for enterprises because data no longer only resides within the network perimeter. An increase in employee-owned devices in the workplace brings an increased risk of data leakage through apps and services like email, social media and public cloud – all of which are outside of the organisation’s control.

Added to this challenge is the tendency of end-users to become less and less security conscious, the more hyper-connected the world becomes.

Privacy versus convenience

There’s no doubt that the Internet of Things and the requisite data collection and analytics makes our lives easier and enables us to be more productive.However, this is potentially at the expense of our privacy – and yet we seem fine with it.

We blindly accept permissions when installing new apps on our smartphones, without questioning why, for example, a gaming application requires access to the phone’s camera and microphone. We accept the terms and conditions of social media usage without understanding what permissions we’re signing over. When we’re that nonchalant about our personal information, would we behave any differently when handling business information? Not likely.

The problem is that employees use these same devices to share and access business information. In fact, 87% of senior managers admit to regularly uploading work files to a personal email or cloud account and 58% have accidentally sent sensitive information to the wrong person. When security is not your employees’ primary concern, the onus falls on the organisation to ensure that data is protected at the source.

Privacy, collaboration and the employee experience

Effective collaboration within enterprises means that you need to be able to share information with colleagues and allow for mobility. Staff increasingly demand the ability to be able to work from anywhere and on any device.

When information travels beyond the boundaries of the corporate network and across devices and removable storage outside of the company’s control, it becomes even more crucial to have solutions in place that prevent data loss.

But simply controlling who has access to corporate information does not guarantee that the data will remain within the enterprise. It’s still too easy to copy data onto removable storage devices or to paste it into a shadow IT application. Data loss prevention systems and information rights management systems are also flawed.

At Microsoft, we build our information protection solutions around three key security pillars: identity protection, threat resistance and information protection. The latter focuses on: 1) Device protection, 2) Data separation (personal and business), 3) Leak protection and 4) Sharing protection.

We handle device protection using BitLocker, which protects data when a device is lost or stolen.

Everything else is covered by solutions like Windows Information Protection (WIP)and Azure Information Protection (AIP), which helps enterprises protect their data as it moves between servers and devices, and Windows Defender Advanced Threat Protection (ATP), which helps enterprise customers to detect, investigate and respond to advanced and targeted attacks on their networks and provides a post-breach layer of protection.

A major focus of these solutions is that they can be implemented without interfering with the employee experience. Employees will only tolerate so much inconvenience before looking for ways to get around security restrictions and using shadow IT to share and access information.

WIP and AIP help protect enterprise apps and data against accidental leaks on enterprise-owned and personal devices without requiring changes to the environment and other apps, while ATP helps detect threats that have made it past other defences, provides enterprises with information to investigate the breach across endpoints, and offers response recommendations. They work alongside Azure Rights Management to extend data protection for data that leaves the device.

In our hyper connected world, it’s important to find a balance between the convenience of constantly being connected, and the value of privacy and having control of our data.

(The author, Kunle Awosika, is Microsoft Kenya’s Country Manager, a position he has held since July 2013. Kunle has worked in various capacities at Microsoft in a career panning over 15 years).