Virtru Security Insights

Business Privacy Q&A with Heidi Shey, Senior Analyst Security and Risk at Forrester Research – Part 4

Part 4: What Business Privacy Risks and Opportunities Should Be Reviewed As Businesses Move to Cloud-Based Systems

Leading up to our webinar with guest speaker Heidi Shey, Senior Analyst Security and Risk at Forrester Research, we had a chance to ask her to address some of the questions around the challenges organizations face today in ensuring business privacy and data security. We’ll be sharing Heidi’s key insights (and some of our own) in a five-part series over the coming weeks.

Q4: As businesses move to cloud-based systems for email and other types of data sharing, what are the business privacy risks and opportunities they should be reviewing?

Heidi: Recognize that data is a living thing that no longer resides in a static location; you need data-centric security controls to ensure that protection travels with the data no matter where it goes — cloud, on-premise, or on mobile devices. On the business side, identify your organization’s toxic data, what is shared and stored in cloud versus on premise, how data needs to flow and how it is used. This will provide the foundation for assessing the privacy risks. To assess opportunities, determine how this data is used, what workflows and business processes it supports. This can help to determine where you might streamline certain processes or identify new use cases for the business.

On the cloud provider side, make sure you understand their security capabilities and controls. Where is the data stored? Who holds the encryption keys? What unencrypted content do they have access to? What assurances can they provide? Have you and your provider outlined responsibilities in the event of a breach? Does your organization have a plan for backup and resiliency? What third-party providers integrate with your cloud provider to offer additional layers of data security or business privacy?


Virtru’s Take

To understand your data sharing risks, you must first understand what types of data your organization shares. Most organizations cannot do that well enough because they lack tools that sufficiently classify their information or track where data travels.

Instead, organizations tend to rely on a combination of their own assumptions and anecdotal information from their end-users – neither of which provides the degree of certainty required when assessing your company’s privacy posture.

Data loss prevention (DLP) capabilities, such as those included with Virtru, are a good place to start. By setting policies to add encryption, alert administrators, and quarantine messages that contain sensitive data, you can keep certain types of data from travelling outside of your organization. DLP solutions provide safeguards that control the flow of sensitive emails and files, and they can also give you insights regarding which types of data your users most often try to share.

However, locking down risky data with DLP does not solve the full problem. You can prohibit your users from sharing certain information, but that can disrupt critical workflows and derail end-user efficiency. Ultimately, you need tools that allow your users to safely share data outside of your organization, but that also allow administrators to audit and control this data even after it has left your servers.

By tracking where information travels, Virtru gives administrators the insight required to protect sensitive information. They can see this sharing in real-time and act on it even after data has been accessed.

That’s why we advise that organizations use Virtru’s control capabilities for preventative measures as much as they do for remediation. Persistent audit provides you with an understanding of your users’ data sharing habits that can be applied to any security policy or systems that you design.

Ultimately, end users need to share information to do business. To mitigate business privacy risks, IT organizations need to be able to audit and control sharing in ways that facilitate information exchange and don’t impede end users.
