Traditional security is built around keeping content and data within the walls of your network. Accessing this data required walking into an office and sticking your ID card in to gain entry (or the virtual equivalent).
The COVID experience has opened our eyes to the fact that users are working with content and data in a 24/7 environment and not always within the organization’s walls. Employees now access files on their personal devices. The number of potential access points to organizational intellectual property (IP) has exploded. With the level of collaboration in today’s business workflows and the risk of sensitive content being used outside of your firewalls, organizations need a way to protect sensitive data at the file level. The process needs to be simple enough that users won’t look for workarounds.
Modern manufacturers are solving this issue with an approach based on multi-factor authentication (MFA) paired with attribute-based access controls. This is the virtual form of walking into an office and sticking your ID card in. In this post I’ll describe the nature of data breaches, explore what they mean for your organization, and introduce how this innovative approach allows end-to-end protection of data wherever it lives.
The Nature of Data Breaches
Many of the most well-known data breaches have involved cyber theft, such as triple extortion attacks also known as doxware attacks. Malicious breaches from outside attackers are a costly type of vulnerability, but incidental breaches involving internal teams or subcontractors can be a more practical threat, whether deliberate or not.
Since employees have day-to-day access to content, and frequently download IP to home computers or access it on the road, they can inadvertently expose it to leakage. You also want a way to protect content both during and after project completion when you’re dealing with contractors, whether it be just communication or having a subcontractor read and make edits to a document.
-For SMBs or SMEs, 70% of employees who leave the company bring content (your IP) with them, either accidentally or intentionally.
-50% of SMBs or SMEs that suffer a cyber attack are out of business within six months.
Let’s consider three common ways business-critical data can become exposed to breaches:
- Downloading to Personal Device: An employee needs to access a large file at home, but it’s too large to download on their home WiFi. The employee downloads it onto their laptop and brings it home, then keeps it on their computer after they no longer need to use it.
- Sending Sensitive Content for Preview to Subcontractors and Potential Clients: An employee writes a CAD diagram as part of a proposal, then sends it out to subcontractors. That’s critical IP, but you no longer have control over it once it leaves your organization. You are relying on a piece of paper (NDA) to protect your company.
- Employee Offboarding: An employee stores your organization’s business files on their devices, then leaves the organization. In 70+% of the cases they are taking your content to use at their new organization or publish without your knowledge.
Each of these vulnerabilities happens through the course of normal workflows, so it’s critical to secure data in a way that’s comprehensive and fits in with how users access files.
The Ramifications of Data Breaches
Data breaches have numerous consequences, ranging from the direct cost of paying a ransom, to indirect loss of income due to reputation damage, to class-action lawsuits.
One emerging way to protect your organization’s exposure to these costs is cyber insurance. This is still a relatively new field, so the insurance companies don’t really know the total ramification of a cyber attack, or what those premiums look like. For organizations like an MSSP, insurance is critical, but you have to be able to demonstrate you have the tools and capability to adopt protective measures around data.
Building a comprehensive security plan for protecting data is a tight line. There’s a need to balance between security controls and workflow. If your security plan is too painful or difficult for users to execute, they’ll find workarounds.
The challenge we have in today’s business world is because we’re all electronic, we have the ability to take content from a very secure portal and download it to something like a desktop. The data no longer has that security. There’s also a need to allow collaboration while staying in control of the document.
Larger organizations typically have the staff and capability to put this in place. Organizations in the SMB and SME space don’t have 24/7 manual monitoring of this, so they need the ability to build in access control to ensure if your critical data is somehow compromised, whether by accident or malicious intent, that you’re not compromised as an organization.
Solution: Multi Factor Authentication + Attribute-Based Access Control
A next-generation security model has emerged that solves the security-convenience conundrum by building security with the data itself on an end-to-end model. This approach uses a combination of multi factor authentication implementation and attribute-based access control to ensure users can use documents how they want, but the content still remains in your control.
There are three typical forms of multi factor authentication people use today:
- Knowledge-based: This asks for something the user knows, which could be your high school, your dog’s name, your unique email address. The challenge is somebody can still have that information and use it.
- Possession-based: Something that a user has, such as a one-time password, or a number that comes to you and you have to input it in so many seconds to open the file.
- Inherence: Something that’s so unique that no one else has it, like a fingerprint.
Each of these forms grants access based on parameters so that users can have access when they need it. These access management solutions protect against both accidental and malicious breaches by tying the authentication into the form of access, which could be read access, edit access, or temporary access.
This means an authorized user can use a piece of content in any way they want, but if they start working outside the boundaries of use, or are no longer an employee of good standing, you can manage that document and revoke access.
Let’s take a look at how this approach addresses each of the vulnerabilities we mentioned:
- Vulnerability Example 1: The employee downloads the large file onto their laptop and brings it home, but access to the file is protected with multi-factor authentication + document control. Once the employee no longer requires access, it’s cut off.
- Vulnerability Example 2: The employee sends a CAD diagram out to subcontractors, but it’s protected by MFA plus attribute-based access control, which allows the subcontractor to read it or possibly edit it, but at the end of the project you can make sure they don’t have a single copy left over and pull it back.
- Vulnerability Example 3: An employee leaves the organization with business files on their devices. These files are protected with multi-factor authentication + attribute-based access control so your IT administration can flip a switch when they leave and ensure they will no longer have access to content that they may have saved to their desktop or USB drive.
The Final Word
Access management solutions not only help with the 24/7 daily use case of protecting content and knowing it’s in your control. They also can be your preventer against a doxware or triple extortion attack. Multi-factor authentication + document control can be done relatively inexpensively, yet is a powerful preventative tool.
Here are a few other things you can do to help improve your security stance:
If you’re in a state that is putting “safe harbor” legislation forward, understand and support the legislation.
By deploying NIST SB800-171 controls (at a minimum) you can potentially avoid class action negligence claim lawsuits due to cyberattacks.
Consider the training of your employees. How many employees, for example, understand that 95% of attacks come in through email?
A last area is to simulate attacks. Simulate if you can get the data out. Simulate how easy it is to take a piece of content, move it onto your desktop, and get it out of your organization. The cyber criminal already understands your vulnerabilities, and you’ll also understand them.
Anchor’s multi-factor attribute-based access control is an end-to-end solution that gives an employee-friendly way for organizations to bring security into their CAD and IP workflows. Read more about how Anchor protects sensitive and confidential data across devices, allowing you to focus on what you do best.