Whether it's your Marketing, Sales, or Finance team, employees are always trying to get work done as quickly as possible.
This often leads to cutting corners and not thinking about the bigger picture. Training employees can only go so far when it comes to practicing good data security hygiene. In this article, we will cover 5 ways employees are moving data and how each of them can be to the detriment of data security and compliance.
1. Email
Think about how much data moves through your email servers every day. Finance is receiving W-9s and other personal info from contractors in order to pay them for their services rendered. Marketing is sending data back and forth between the sales and channel partners. Human Resources is collecting the personal information of employees to accomplish various tasks, such as setting up health insurance and investment portfolios. The list goes on.
The fact of the matter is that much of an organization’s sensitive data moves across its email servers with minimal security controls in place. If you consider all the data that is sent every day and even archived, it becomes very hard to know how much sensitive data is out there. Much of it may also be redundant data, which exacerbates the problem of knowing where data is at any given time.
2. FTP Servers
FTP (File Transfer Protocol) is as old as email and is used far more often than IT pros would like to admit. FTP has many use cases, but sending large amounts of data internally and externally is the primary purpose. The problem is that FTP by itself is inherently insecure without the proper encryption and password protection in place. Without good encryption standards in place, FTP is highly susceptible to man-in-the-middle (MITM) attacks. Even password-protected FTP servers are easy to crack. As we know, passwords are the weakest link in security. Many employees use the same password for multiple accounts, personally and professionally, which means if one password is exposed in a data breach, everything that an employee has access to is at risk.
What’s worse is that FTP servers are straightforward to set up, and everyone in an organization may end up using one if IT allows this. This can lead to FTP sprawl that becomes a maintenance issue for IT. As with email, IT will have trouble getting visibility into where sensitive data resides in transit and at rest.
3. EFSS Tools
Enterprise File Synchronization and Sharing (EFSS) is a popular way to move and store data internally with other employees and externally to 3rd parties and partners. Some products that fall into this category are Google Drive and Dropbox. The biggest reason these tools are so popular is that they make it easy to move large files, such as photos and videos, quickly. And although these tools are getting better at security and compliance, they still aren’t the best way to move sensitive data.
One of the most significant issues that IT has with these types of tools is the visibility of what sensitive data is moving across EFSS platforms.
For example, employees will often use Google Drive to send data, whether it is sensitive or not, because most people have a Google account these days and, to an employee, this is an easily accessible way to get data where it needs to be externally. An employee can share a link to that data, and anyone who has access to that link can download that data. The problem is that these links are usually managed via an employee’s personal accounts. If that employee leaves the company, who's to say that those links are no longer accessible? This is a big compliance and security problem for IT teams. They need the ability to control who has access to that data and when.
4. Cloud Services
As more and more companies move to the cloud or some hybrid cloud environment, a lot more sensitive data is moving through these cloud services. Generally, IT should have good control over who has access to these services and what data is in the cloud. The biggest security consideration for data in the cloud is who is responsible for the protection of that data.
Many IT pros would be quick to say it’s AWS or Azure, depending on which cloud provider you use. However, Microsoft and Amazon have gone to great lengths to limit their responsibility in the wake of a data breach. You need to read the fine print when signing up for these services and make sure that your business is covered in case of downtime or a security mishap. You may conclude after your own risk assessment that certain types of data are better off sitting on-premise, where IT has better control over the security and compliance of that data. Just because that data was stolen from an AWS or Azure server doesn’t mean Microsoft or Amazon are going to help you out.
5. Movement of Marketing and Sales Data
Data means everything to your marketing and sales organization. Data is the lifeblood that brings healthy leads from marketing through the funnel to sales, which eventually is churned into revenue. The problem is that much of this data is considered personal data in the eyes of the law.
For instance, the GDPR considers personal data as anything that can be correlated to an individual. This could be an email address, IP address, name, phone number, etc. These are all essential pieces of information that marketing and sales need to do their job, but many companies don’t have a lid on where this data is. Of course, much of this data at your business probably sits in marketing automation tools like Marketo or Eloqua, in addition to CRM tools like Salesforce. And that’s fine, but many times marketing and sales may be moving data out of these systems into spreadsheets or onto their personal devices in order to send specific prospect data to partners via email, just as an example.
There are many reasons why this is concerning to IT teams; compliance is the most glaring issue. IT needs visibility into where this data is at any given time, and if that data moves off of the standard platforms like Marketo and Salesforce, IT loses all control of that data.
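One way IT can regain some of that visibility, shown here as an added example that is not part of the original article: a small Python scanner that reports which columns of a spreadsheet export hold the kinds of personal data named above (email address, IP address, phone number). The sample CSV, its column names, the matching patterns and the 50% threshold are all constructed assumptions.

```python
import csv
import io
import ipaddress
import re

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"^\+?[\d\s().-]{7,20}$")


def classify(value):
    """Return the personal-data type a single cell looks like, or None."""
    value = value.strip()
    if EMAIL_RE.match(value):
        return "email"
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return "ip_address"
    except ValueError:
        pass
    # Heuristic: at least 7 digits, so short IDs and small amounts are skipped.
    if PHONE_RE.match(value) and sum(c.isdigit() for c in value) >= 7:
        return "phone"
    return None


def scan_csv(text, threshold=0.5):
    """Map column -> data type when >= threshold of non-empty cells match."""
    rows = list(csv.DictReader(io.StringIO(text)))
    findings = {}
    for column in (rows[0].keys() if rows else []):
        cells = [r[column] for r in rows if r[column] and r[column].strip()]
        counts = {}
        for cell in cells:
            kind = classify(cell)
            if kind:
                counts[kind] = counts.get(kind, 0) + 1
        if counts:
            kind, hits = max(counts.items(), key=lambda kv: kv[1])
            if hits / len(cells) >= threshold:
                findings[column] = kind
    return findings


# Constructed sample: a prospect list exported from a CRM to a spreadsheet.
SAMPLE = """lead_id,contact,last_login_from,mobile,deal_size
1001,ana@example.com,203.0.113.7,+1 (555) 010-2233,12000
1002,raj@example.org,2001:db8::1,555-010-7788,8500
1003,,198.51.100.24,,40000
"""
```

Calling `scan_csv(SAMPLE)` flags the `contact`, `last_login_from` and `mobile` columns even though none of the headers says "email" or "phone". Names cannot be recognized by pattern alone, so a scan like this gives a lower bound on the personal data in a file.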
These are some of the main ways employees are moving data and why each solution has its own benefits and downsides. The best way to approach how employees move data is by regularly training employees on the pros and cons of each solution. It is also vital to do a risk assessment of your infrastructure to understand where security loopholes lie. At the end of the day, it doesn’t matter which solution you or your end users are using; your business is ultimately responsible for sensitive data regardless of the tools and services you use.