Over the last couple of decades, InfoSec professionals have become incredibly good at protecting the perimeter of traditional networks. They’ve built towering walls of fire, alarmed every conceivable point of entry, and triple-locked every window and door to ensure that no unwelcome visitors can let themselves in.
Then everything changed
Suddenly, the world began working remotely. Data shifted from well-protected physical systems kept safely within the perimeter, to cloud services provided from far-flung data centres. And the race for greater device and application flexibility saw data protection concerns take a back seat to rising employee demands.
According to data from the UK Information Commissioner’s Office (ICO), 90% of all data breaches in 2019 were caused by human error. And with more people working remotely than ever before as a result of the Coronavirus pandemic, that number is set to increase further.
The threat landscape as we knew it still exists. But today, with data spread widely outside the network, would-be data thieves don’t need to waste their time trying to pick your carefully crafted locks – they can simply sit back and wait for an unwitting employee to drop their keys.
Our ‘new normal’ demands new approaches to data protection and cybersecurity. But how can you effectively safeguard data everywhere, when your perimeter can theoretically extend to anywhere?
Understanding your biggest vulnerability: humans
The first step towards better safeguarding data is to understand exactly how it falls into the wrong hands today. That almost always involves some degree of human error.
There are an almost limitless number of ways that human error can, both directly and indirectly, lead to data theft or loss:
- Employee-owned devices can be compromised by malware, or be physically stolen
- Employees who use the same login credentials for personal and professional accounts can unwittingly hand over the keys to critical cloud systems and tools
- People can be easily convinced by today’s increasingly sophisticated phishing emails, messages, and web pages
- With the home becoming the workplace for millions, anyone can effectively wander into your office when a device is unattended
- Teams can go rogue and use unapproved file sharing and collaboration tools that make their lives easier but put your data at risk
The list goes on and on. Far from the sophisticated perimeter protection challenges that InfoSec teams have evolved to tackle, these are a whole new breed of vulnerability – all deceptively simple, yet incredibly hard to prevent in any meaningful way.
Training alone isn’t the answer – and it never has been
Because human error is a ‘people’ problem, those looking to tackle the kinds of human-based vulnerabilities outlined above have gravitated towards people-centric solutions. You don’t need to search the internet for long before you’ll find countless commentators proclaiming that better training is the answer to these issues.
Don’t get me wrong, training is a great place to start. If you can educate people on the various ways that their actions can expose sensitive data to risk, you reduce the chance of those kinds of events happening – a clear win for everyone.
The trouble is, a person’s vigilance against the cyber threats swirling around them isn’t binary. No matter how well you educate your team, some things are always going to fall through the cracks. There will always be scenarios and events where training is forgotten, something slips, and data ends up somewhere it shouldn’t be.
So, what can you do?
Accept that human error simply can’t be prevented 100% of the time. Then, work on coming to terms with the fact that some data loss is practically guaranteed today.
It flies in the face of everything you've worked for over the years. But accepting that is an essential step towards changing your thinking around data protection, and safeguarding your business in the most effective ways possible.
Once you accept that data loss will happen, you can refocus your attention where you can make the biggest difference today – detecting that loss quickly, before any serious damage can be done.
New tools and capabilities will have a huge role to play in that. Take Dark Web monitoring, for example. When your data leaks through human error, you might not even know about it until it’s far too late. It’s not going to hit headlines immediately – but it is going to start popping up on the Dark Web, either for sale or for sharing. When it does, you need to be there to know about it and act right away.
Why we believe in Digital Risk Protection
At Skurio, we made our peace with the fact that data breaches were becoming inevitable long ago. Since then, we’ve focused our efforts on creating services and solutions that can help organisations react as quickly and appropriately as possible when they do.