A confidence gap exists between IT teams and their ability to meet regulatory requirements for securing unstructured data such as emails, PDFs and other business files and documents. That’s set out in a new report, “File Sharing and Collaboration Leads to Security Gaps in Financial Services Firms”, for the Canadian cybersecurity software and services company BlackBerry.
While regulatory scrutiny and fines apply to both structured and unstructured data, unstructured breaches can be subject to higher penalties because they highlight flaws in internal operations and processes. The report looks at how common such operational risks are and whether they are actively identified and addressed. For example, the company’s survey found that most respondents (65 percent) reported they were uncertain if their business protocols around collaboration and file sharing meet regulatory requirements. One-third of the respondents said they were only “somewhat confident” or “not at all confident” about their ability to meet regulatory requirements despite having policies covering unstructured data.
Alex Manea, Chief Security Officer, BlackBerry said: “Some of the most confidential corporate information is stored and shared in documents, spreadsheets and presentations. If you don’t have an effective way to protect these files across all endpoints, both inside and outside of your network, then you have a big gap in your security strategy. All it takes is for one user to type the wrong name or attach the wrong files in an email exchange, and you have a potentially massive breach to clean up.”
An online survey with 200 US-based IT people in financial services found:
Over one-third of respondents reported that their organisation has employees using file-sharing applications that are not approved by IT. Employees often use consumer file-sharing systems as shortcuts to get their jobs done, but in doing so, they expose their company to risk.
Breaches of unstructured data come in many forms, with internal threats to business file security being more commonplace than external threats.
Only 26 percent reported a breach due to an external attack.
Seventeen percent of survey respondents reported their organisations suffered a data breach at the hands of internal bad actors. This includes disgruntled employees and others, who either obtained access to sensitive information or had access all along and simply distributed the data to unauthorised parties.
More than one-quarter of respondents indicated they had a security breach caused by a simple mistake such as the accidental sharing of sensitive files.
18 percent acknowledged security breaches took place due to lost, stolen, or unsecured devices.
Inadequate separation between the employee’s personal and work life is another source of worry. Respondents admitted to suffering security breaches caused by use of personal email and file-sharing accounts (20 percent) and use of personal software or devices for corporate business (20 percent).
Four out of five respondents said their organisation sends sensitive files via email. When a copy of an email and any associated information (like an attachment) is sent from one user to another, multiple copies of the message are also stored on servers and devices, some of which are beyond the control (and security policies) of the organisation where the email originated.