With privacy breaches and security threats making the nightly news around the world, it’s becoming increasingly obvious to most enterprise organizations that personal information and the sensitive data that companies hold are an extremely valuable currency. Companies like Google and Facebook have become multibillion-dollar organizations by offering “free” services that attract users to “share” this kind of information, which the companies then use to learn about their users and “share” with their paying sponsors and advertisers.
However, whether by accident or breach, inappropriate disclosure of sensitive data can have dramatic financial impacts on an organization and can erode consumer trust. Companies may be subject not only to regulatory fines, censure, and potential civil and criminal liability, but may also end up with government auditors reviewing their practices for decades into the future.
At the same time, many organizations have moved “fast forward” into the cloud. Moving your information to the cloud DOES have many security benefits, but you are still responsible for understanding and protecting the content within it! In order to mitigate this risk, companies must implement a program that allows them to continuously make information available to the people that should have it and to protect it from the people who should not. Here are three important steps in that process:
1. What sensitive data do you have and where is it?
Every company has sensitive information. Whether personally identifiable information, health information, financial data, contract information, research and trade secrets, or intellectual property data (and this list could go on and on), this information must be identified and protected. So how does a CISO prioritize and reconsider their data protection and information security program in the context of a global organization and rapidly evaporating perimeters, employees accessing data from everywhere, and business owners focused on the misguided conception that “more is always better” when it comes to data and that security blocks productivity in a data-driven economy?
AvePoint Compliance Guardian empowers you to discover, tag, classify, move, and protect sensitive data in Office 365. Better yet, it can assist in the application of Office 365 labels for further control of that data. It has the ability to conduct a detailed forensic analysis into data privacy, information security, and accessibility issues across your organization, as well as the power to assign accountability for incident resolution to improve compliance over time. Compliance Guardian’s “data-aware” security policies provide an opportunity for organizations to build a more layered approach to security, prioritizing where efforts (and costs) should be spent, and building multiple lines of defense.
2. Who has access to secure data in Microsoft 365?
Companies must continually assess and review who (inside and outside of their organization) needs access to what types of information, and should work with their IT counterparts to automate controls around their enterprise systems to make it easier for employees to access data responsibly.
Limited and appropriate access is always critically important. If rights are set too broadly or the external sharing/guest access configuration is not granular enough to support differential business needs, it can cause individuals to have access to data they should not be able to access, creating an over-sharing situation.
AvePoint Policies and Insights (PI) takes advantage of the work that Microsoft is already doing to index your data, and then allows you to find, prioritize, fix, and enforce Microsoft 365 access controls. PI aggregates sensitivity and activity data across your tenant, so your critical issues are prioritized for action. You can then edit in bulk and set policies to be enforced automatically. Securing collaboration in Teams, Groups, Sites, and OneDrive has never been easier.
3. Who has accessed that secure data and when?
In order to maintain a strong security posture, organizations must know when anyone (internal or external) has gained access to data that they shouldn’t have. AvePoint Policies and Insights will allow you to add, edit, expire, or remove permissions for entire workspaces or individual documents with sensitive information. You can update permissions in a batch directly from object- or user-based security reports and ensure user actions will not violate content and security rules by automatically reverting out-of-policy changes in Microsoft 365.
Simply put, understanding the difference between what can be shared and what should be shared is always the key. With AvePoint’s secure collaboration products and Microsoft 365’s native collaboration tools, you can collaborate with the confidence that your business information is secure.
Dana Louise Simberkoff is the Chief Risk, Privacy and Information Security Officer at AvePoint. She is responsible for AvePoint’s privacy, data protection, and security programs. She manages a global team of subject matter experts that provide executive level consulting, research, and analytical support on current and upcoming industry trends, technology, standards, best practices, concepts, and solutions for risk management and compliance. Ms. Simberkoff is responsible for maintaining relationships with executive management and multiple constituencies both internal and external to the corporation, providing guidance on product direction, technology enhancements, customer challenges, and market opportunities.
Ms. Simberkoff has led speaking sessions at data privacy and security events around the globe. She was featured in Forbes, writes a monthly column for CMSWire, and was highlighted in the CSO Online list of “12 Amazing Women in Security”. She is a current member of the Women Leading Privacy Advisory Board and a past member of the Education Advisory Board for the International Association of Privacy Professionals (IAPP). Ms. Simberkoff holds a BA from Dartmouth College and a JD from Suffolk University Law School.
LinkedIn: www.linkedin.com/in/danalouisesimberkoff/en
Twitter: http://www.twitter.com/danalouise