On September 29, 2021 Noord hosted a virtual boardroom in association with Tessian. The event consisted of an introduction from Will Patterson, Customer Success Lead, followed by a discussion among senior professionals on preventing data loss in the context of a hybrid working environment.
Introduction
Introducing the session, Will explained that the topic of data loss prevention (DLP) is becoming increasingly relevant, especially as companies adapt to the new reality of remote and hybrid working. According to research conducted by Tessian, over half of IT leaders believe that their employees have adopted poor data security practices, be it emailing documents to their personal account or sending emails to unintended recipients.
In addition, ransomware attacks and highly specialised spear phishing attempts are becoming increasingly common. In that context, Will outlined three key areas of focus for organisations: singling out core threats; looking beyond rules-based systems and approaches when considering human error, insider threats and advanced impersonation attacks; and analysing how experts have architected their environments to protect against complex use cases beyond those that can easily be codified into “if X, then Y” DLP logic.
Will then introduced an attendee representing one of Tessian’s clients in the financial services sector, who explained that a key consideration for DLP is ensuring that controls are data-agnostic and comply with both privacy and data protection requirements. As for threat vectors to look out for, it was felt that protecting all channels is of utmost importance. While there is a temptation to focus solely on the cloud, companies must also protect traditional channels such as email, instant messaging and SharePoint, the core arteries of any business.
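To make the distinction between “if X, then Y” logic and controls that look beyond it concrete, the following is an added example (not code from Tessian, Noord or any speaker at the event). It scans constructed outbound emails with a static rule (a Luhn-valid card number addressed to an external domain) and with a behavioural check that a rule cannot express: whether the recipient is unusual for this sender, including a lookalike of a domain the sender normally writes to, which is how misdirected emails and impersonation typically slip past pattern matching. The internal domain, the mail history and all addresses and card numbers are assumptions invented for the example.

```python
import re
from dataclasses import dataclass

# Assumed for the example: the organisation's single internal mail domain.
INTERNAL_DOMAIN = "example-bank.com"

# 13 to 16 digits, optionally separated by spaces or dashes (PAN-like strings).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


@dataclass
class OutboundMail:
    sender: str
    to: list[str]
    subject: str
    body: str


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def is_external(addr: str) -> bool:
    return domain_of(addr) != INTERNAL_DOMAIN


def luhn_ok(number: str) -> bool:
    """Luhn checksum; cuts false positives from phone numbers and invoice IDs."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rule_findings(msg: OutboundMail) -> list[str]:
    """'If X, then Y' DLP: a valid card number is leaving the organisation."""
    if not any(is_external(r) for r in msg.to):
        return []
    text = f"{msg.subject}\n{msg.body}"
    return [
        f"RULE card-number-external: {m.group().strip()}"
        for m in CARD_RE.finditer(text)
        if luhn_ok(m.group())
    ]


def behavioural_findings(msg: OutboundMail, history: dict[str, set[str]]) -> list[str]:
    """Context a static rule lacks: is this recipient normal for this sender?"""
    findings = []
    known = history.get(msg.sender, set())
    known_domains = {domain_of(a) for a in known}
    for rcpt in msg.to:
        if rcpt in known:
            continue  # sender has mailed this exact address before
        domain = domain_of(rcpt)
        lookalikes = [d for d in known_domains if d != domain and edit_distance(d, domain) <= 2]
        if lookalikes:
            findings.append(f"ANOMALY lookalike-domain: {rcpt} resembles {lookalikes[0]}")
        elif is_external(rcpt):
            findings.append(f"ANOMALY first-time-external: {rcpt}")
    return findings


def triage(msg: OutboundMail, history: dict[str, set[str]]) -> list[str]:
    return rule_findings(msg) + behavioural_findings(msg, history)


# Constructed sample data: who alice has written to before, and three queued mails.
HISTORY = {
    "alice@example-bank.com": {"bob@example-bank.com", "partner@acme-supplier.com"},
}

SAMPLES = [
    OutboundMail("alice@example-bank.com", ["bob@example-bank.com"],
                 "Chargeback", "Card 4111 1111 1111 1111 disputed"),
    OutboundMail("alice@example-bank.com", ["partner@acme-supplier.com"],
                 "Payment", "Pay against 4111111111111111 please"),
    OutboundMail("alice@example-bank.com", ["jon@acme-suppiler.com"],
                 "Q3 figures", "Draft figures attached, not for circulation"),
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg.to, "->", triage(msg, HISTORY) or "clean")
```

The first mail is internal and is left alone; the second trips the rule because a card number goes to an external address the sender knows; the third carries nothing a pattern would catch, yet the recipient domain is two edits from a trusted supplier, which is exactly the misdirected or impersonated case the rule is blind to.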
Reasons for attending and key challenges
Attendees represented a range of sectors, including aerospace, banking, legal services, oil and gas, and healthcare, and had several areas of expertise, such as in digital connectivity, business change, data architecture, cyber security and fraud investigation. Key challenges included mitigating insider threats and preventing unauthorised access to data, managing best practice and operational requirements, ensuring compliance with regulations across multiple jurisdictions, and keeping up with the various types of data being exploited by malicious actors.
Ensuring data security and control across multiple locations
One attendee noted that they have moved to a zero-trust environment and are employing a Citrix-based model, given that their organisation’s workforce is to remain largely offsite for the foreseeable future. Another had also invested heavily in Citrix and had implemented strict controls, such as ensuring that devices can only be accessed from specific locations. Interestingly, one participant likened the pandemic to “just another regulatory challenge” to which their organisation has been forced to respond and adapt. Moreover, the idea was raised that while the technology enabling employees to work from home is quite straightforward to use, adapting the business policies underpinning those processes has been the difficult part. Indeed, many organisations have been forced to loosen some aspects of their policy to enable employees to work remotely, and the consequences of those decisions for data security are perhaps yet to be seen.
One attendee said that as their organisation deals with sensitive customer data, it had implemented geofences to ensure that employees are only working from approved locations, along with multi-factor authentication for enhanced protection. While this was seen as good practice, the point was made that employees need to be brought on board as a partnership with the employer. In other words, companies need to place a certain level of trust in their employees, the vast majority of whom have the best interests of the company in mind.
Communicating big security risks across organisations
Participants discussed ways in which organisations can alert non-technical members of staff to security risks, underscoring the need for timely, relevant and contextual training. In one case study, an organisation had made short five-minute training videos, each of which covered contextual security concerns, which had been well received by staff. Short bursts of training over a coffee break were felt to be more engaging and worthwhile than traditional e-learning courses. Other ideas included gamification and cyber scores, ethical phishing and additional guidance on home IT setups. Whatever the chosen method, the aim must be to prevent users from circumventing controls.
Leading on from this, one participant said that their organisation’s security team had received an influx of requests from management teams, asking security professionals to track the behaviour of employees working remotely, including log-in times and productivity. While the security team had refused to do so, the scenario had highlighted the challenges of managing employee behaviour remotely. Two comments were made in this connection. First, monitoring employees could lead to breaches of privacy and employment law, particularly in Europe, where companies must be very clear on why they are collecting data and what they are using it for. Second, the idea that presence in the office equals productivity was seen as a cultural problem which must be weeded out.
Data loss prevention as an ongoing challenge
As threats become more sophisticated and more numerous, it is becoming increasingly challenging to prevent data loss, especially as endpoints are dispersed. Many participants agreed that data loss is rarely the result of malicious insider threats. Companies should therefore strive to raise awareness of cyber security and make employees feel trusted rather than punished, which in turn would encourage them to report suspicious behaviour and prevent insider attacks in the first place. The point was raised that while background checks in the Western world can prevent insider threats, vetting in less developed countries is often ineffective in the absence of a centralised police database.
Data classification and categorisation
One participant felt that while classifying data sounds good in theory, many employees tend to opt for the default level of classification, thus rendering the exercise rather pointless. Moreover, dealing with unstructured data was seen as a minefield. Will underscored that, by definition, data classification is rather context-agnostic, meaning that what is authorised data for one individual in the data chain might be unauthorised for another. This requires a more layered approach to classification which takes into account different levels of permissions. When asked if they had attempted to adopt a more nuanced approach to data classification, attendees said that they hadn’t, perhaps because of the complexity involved.