As organisational use of communications tools to share relevant data with third-party suppliers and partners spikes, a lack of attention paid to security is cranking up risk levels, according to a global study of 781 IT, cyber, risk and compliance professionals, 29% of them drawn from EMEA geographies, which was conducted for Kiteworks, a specialist in the field.
In its study, Kiteworks 2023 sensitive content communications privacy and compliance report, the supplier revealed evidence of “serious gaps” in digital rights management (DRM) policies in this area that are exposing organisations to trouble.
In particular, it said, many lack tools to track, control and secure the data that is sent to or shared with third parties, creating a significant risk of unauthorised access, whether that be malicious or accidental.
“This … report accentuates the need for digital rights management that applies content-defined zero-trust across all departments and all sensitive data that is accessed, sent, shared, and transferred to third parties,” said Frank Balonis, CISO and senior vice-president of operations at Kiteworks.
“This cannot be done piecemeal but rather requires unified tracking and control to the level of individual users. The report also highlights how organisations are using cyber security frameworks such as NIST CSF [the National Institute of Standards and Technology’s Cyber Security Framework] to manage their security and compliance risk.
“This corroborates the direction Kiteworks has taken to align our Private Content Network with NIST CSF, which creates more comprehensive digital rights management governance,” he added.
Too many tools
A big part of the problem would appear to be the number of systems and tools used by organisations to track, control and secure their communications with third parties, with 84% of respondents saying they used over four such services, and 85% saying that they had experienced four or more sensitive content communication exploits in the past 12 months.
A slightly smaller proportion of respondents, approximately 75%, admitted that they needed some level of improvement in how they measure risk relating to sensitive content sharing.
On the flipside of this coin, the survey found that fewer than 25% of respondents said they managed or restricted third-party access to their sensitive data.
Therefore, said Kiteworks, organisations are in need of a “do-over” when it comes to DRM, and 42% of respondents agreed that they needed a completely new approach, or at the very least significant improvement, in this area.
In particular, respondents wanted the ability to employ compliance and security policies at the user, role, or content class level, rather than allowing individuals to manually classify each asset as they went along.
PII the biggest concern
Asked to rate the sensitive content type that poses the greatest levels of compliance and security risks, respondents unsurprisingly said that personally identifiable information (PII) was top of the bill, over intellectual property (IP), legal documents, information on mergers and acquisitions, financial documents and other types of content.
Kiteworks said this worry could be pretty firmly correlated with the ever-growing list of data privacy laws and regulations, ranging from the General Data Protection Regulation (GDPR) in Europe and the UK, to the more piecemeal approach being adopted in the US – new laws are taking effect right now in Colorado, Connecticut, Utah and Virginia, and four more states plan to implement such directives in the next two years.
Asked which communication channels posed the greatest risk, respondents identified email and web forms as the most dangerous. However, here Kiteworks found differing attitudes across verticals, with organisations operating in energy and utilities more concerned about proprietary file-sharing services, financial services organisations fretting about web forms, and email seen as the biggest risk in technology, and security and defence.
Respondents did tend to agree that multitenant cloud hosting of such tools was an overriding concern, given the ability of threat actors to exploit one application or dataset and move laterally to other tenants.
Four steps to lower risk
Summing up its lengthy report, Kiteworks outlined four steps that organisations can try to take right now to lower risk around data-sharing:
- Taking a more holistic approach to compliance – especially for those in the US, where organisations would be better advised not to focus on a tickbox approach to individual states, but rather establish universal best practices that adhere to all of them, such as those outlined by the NIST CSF;
- Taking a more holistic approach to how organisations categorise data, doing so in a more granular way and making these siloes easily available to those who genuinely need to access them, while locking them down for everyone else;
- Following on from this step, improving insider risk management practices to guard against both malicious disclosures and accidental, good-faith ones;
- Finally, enacting more comprehensive cyber protections. As criminal gangs and nation state APTs alike recognise the value of sensitive content and ramp up their targeting of the tools used to share it, understanding and vetting the security features of those tools will become ever more critical.
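The report's recommendation of policies set at the user, role or content-class level (rather than per-asset manual classification), together with the second and third steps above (granular categorisation, access limited to those who need it, and insider-risk tracking), can be illustrated with a small policy evaluator. The following is an added example written for this page; it is not Kiteworks' code or product logic. All content classes, roles, partner domains, channels, expiry values and sample requests are constructed assumptions, and the rules are applied uniformly per class so no individual sender decides how an asset is handled.

```python
"""Role- and content-class-based sharing policy (constructed example).

Every asset of a given content class is governed by one ClassPolicy: the
sender never chooses the rule. Unknown classes and unlisted recipients are
denied by default, and every decision is written to an audit trail so that
third-party sharing can be tracked and reported on.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class ContentClass(Enum):
    # Assumed classes, mirroring the content types named in the survey.
    PII = "pii"
    IP = "intellectual_property"
    FINANCIAL = "financial"
    GENERAL = "general"


@dataclass(frozen=True)
class ClassPolicy:
    roles_allowed: frozenset                 # roles permitted to share this class externally
    partner_domains: Optional[frozenset]     # None = any recipient; otherwise an allowlist
    channels: frozenset                      # sharing channels permitted for this class
    expiry_days: int                         # DRM-style access expiry applied to the recipient


# Assumed policy table: one rule per class, applied to every asset of that class.
POLICY: Dict[ContentClass, ClassPolicy] = {
    ContentClass.PII: ClassPolicy(frozenset({"privacy_officer", "hr_manager"}),
                                  frozenset({"payroll-partner.example"}),
                                  frozenset({"secure_transfer"}), 7),
    ContentClass.IP: ClassPolicy(frozenset({"engineering_lead", "legal"}),
                                 frozenset({"design-house.example"}),
                                 frozenset({"secure_transfer"}), 30),
    ContentClass.FINANCIAL: ClassPolicy(frozenset({"finance_manager"}),
                                        frozenset({"auditor.example"}),
                                        frozenset({"secure_transfer", "email"}), 14),
    ContentClass.GENERAL: ClassPolicy(frozenset({"*"}), None,
                                      frozenset({"email", "web_form", "secure_transfer"}), 365),
}


@dataclass(frozen=True)
class ShareRequest:
    user: str
    role: str
    content_class: ContentClass
    recipient_domain: str
    channel: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    expiry_days: int = 0


def evaluate(req: ShareRequest, policy: Dict[ContentClass, ClassPolicy] = POLICY) -> Decision:
    """Apply the class-level rule; deny by default on any missing or failed check."""
    rule = policy.get(req.content_class)
    if rule is None:
        return Decision(False, f"no policy for class {req.content_class.value}")
    if "*" not in rule.roles_allowed and req.role not in rule.roles_allowed:
        return Decision(False, f"role {req.role!r} may not share {req.content_class.value}")
    if rule.partner_domains is not None and req.recipient_domain not in rule.partner_domains:
        return Decision(False, f"domain {req.recipient_domain!r} is not an approved partner")
    if req.channel not in rule.channels:
        return Decision(False, f"channel {req.channel!r} not permitted for {req.content_class.value}")
    return Decision(True, "permitted", rule.expiry_days)


class AuditLog:
    """Records every sharing decision, allowed or not, at the level of the individual user."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, req: ShareRequest, decision: Decision) -> Decision:
        self.entries.append({"user": req.user, "role": req.role,
                             "class": req.content_class.value,
                             "recipient": req.recipient_domain, "channel": req.channel,
                             "allowed": decision.allowed, "reason": decision.reason})
        return decision

    def denials(self) -> List[dict]:
        return [e for e in self.entries if not e["allowed"]]


def process(requests: List[ShareRequest], log: AuditLog) -> List[Decision]:
    return [log.record(r, evaluate(r)) for r in requests]


# Constructed sample requests: one allowed, three policy violations, one general share.
SAMPLE_REQUESTS = [
    ShareRequest("alice", "hr_manager", ContentClass.PII, "payroll-partner.example", "secure_transfer"),
    ShareRequest("bob", "engineering_lead", ContentClass.PII, "payroll-partner.example", "secure_transfer"),
    ShareRequest("carol", "finance_manager", ContentClass.FINANCIAL, "random-vendor.example", "email"),
    ShareRequest("dave", "privacy_officer", ContentClass.PII, "payroll-partner.example", "email"),
    ShareRequest("erin", "intern", ContentClass.GENERAL, "anyone.example", "web_form"),
]

if __name__ == "__main__":
    audit = AuditLog()
    for req, dec in zip(SAMPLE_REQUESTS, process(SAMPLE_REQUESTS, audit)):
        print(f"{req.user:6} {req.content_class.value:22} {'ALLOW' if dec.allowed else 'DENY '} {dec.reason}")
    print(f"{len(audit.denials())} of {len(audit.entries)} requests denied")
```

The point of the structure is that the decision depends only on the sender's role, the asset's class, the recipient and the channel; a user cannot downgrade an asset's handling, and the audit entries give the per-user tracking the report calls for.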