Welcome to the first in a series of posts that will review fundamental security features in Microsoft SharePoint 2013. In this first post I will examine the reasons behind information protection as it impacts the security strategy, its adoption, and ultimately the success of your SharePoint security policies and practices.
When I speak about SharePoint security I often start off with a discussion about why organizations secure their information. What reasons drive people to implement security measures to control and govern information? I have found that, for a business owner or C-level executive it may be obvious, but for the average employee it may not be.
To be clear, this article is not intended to deal with an individual’s personal information; it specifically talks to how enterprises or governments deal with sensitive internal business information.
What drives people to secure information?
We’ve all heard statistics about how the information we’re creating and storing is growing at an exponential rate. Many of us now regularly measure database sizes in Petabytes – and the growth is not slowing. In a 2013 eWEEK article, Gartner analysts predicted that enterprise data will grow by 800 percent over the next five years, and that 80 percent or more of that new data will be unstructured. Unstructured data consists of documents, videos, spreadsheets and other content workers create. It is also the most difficult to protect as it can take many forms and is difficult for security system to accurately protect.
We often hear how organizations are centralizing the storage of information in order to promote better collaboration—a business need SharePoint excels at solving—but for many this raises new security concerns. We also know that every organization has some meaningful amount of information that is considered sensitive and we are bombarded with messages from governments, NGOs, consumers, vendors and the media that this sensitive information must be secured, controlled, and properly governed. However, many individuals who own or have responsibility for this information usually treat its security as an afterthought.
Why is that?
With all the statistics and talk about the amount of information we’re generating, the increased security risk of pooling all this information in a central repository, and the serious damage a data leak can cause, why is its security not top of mind?
Based on my 15 years of experience in the security industry working with many large organizations around the world and with many individuals who own content (or are responsible for content), I have developed a theory.
People only feel compelled to secure information when they:
1) have a personal connection to it
2) when they truly understand the risk which exposure of that information poses, and
3) when the impact of such an exposure affects them directly.
In my experience working with data users, when they do secure information it is rarely because it’s the right thing to do. While there are exceptions, in general people choose to treat data securely because it protects them rather than doing it for the good of the organization. This isn’t a pessimistic view. I believe it’s just natural human behavior… at least it is today. Culture may be slowly changing on this front due to the high level of media exposure about data leaks lately, so who knows how people will feel or think of securing information in the next few years. But right now, I firmly believe that users are not thinking about the good of the organization if they treat data securely.
Yet, successful security requires that the end user is motivated (preferably for non-selfish reasons). To that end, we need to examine why organizations are securing data and how to make sure the people of that organization understand why it is to their benefit to ensure security measures are followed.
Let me summarize the cases in which I have seen people (outside the security industry) really driven to secure their information. I’ve categorized each as a set of risks and summed up the specific motivations in a high-level driver.
1. Reducing Your Liability
For many industries, the exposure of sensitive corporate information can have very negative impacts to business. The risks include:
- Compliance violations that result in extremely heavy fines (depending on the industry)
- Sanctions and legally imposed restrictions on business
- Loss of business reputation (bad PR can lead to lost stock value, lost customers, lost market share, etc.)
A business owner or a C-level executive will likely be very concerned about such risks and be driven to secure sensitive information in order to protect the business. Since they look at the business as a whole and are tasked with ensuring its success, senior managers are better positioned to understand the risks. They are also more invested in the consequences of a breach as it will be them that must face the fines, lawsuits, and earnings reports. Senior managers may also be worried about their personal reputation as well as that of the business should a serious data breach occur.
The same risks and motivations exist for government department managers. Senior public service managers can easily face the same consequences, including: facing a board of inquiry, budget cuts, loss of reputation, and loss of employment.
Security measures often fail because the average employee may not be concerned about these risks to the business or department. Depending on the employee, they very likely don’t even know what information is sensitive or understand how a breach can affect the organization.
2. Protecting Your Investments
This particular category of risks typically applies to enterprises, much more so than governments. The risks include:
- Loss or theft of intellectual property (know how, designs, plans, budgets, vision documents, etc.)
- Exposure of customer lists
- Exposure of acquisition/merger information or budgetary/accounting data
- Compromising of internal (or external) business systems – which could have a trickle-down effect of loss of customers
Once again, a business owner or C-level executive will likely be very concerned about such risks and be driven to secure sensitive information in order to protect the business. This type of data loss can greatly affect the business’ performance. Since business performance is often tied to compensation or bonus packages, senior managers are highly motivated to protect data. In particular, a CIO or CISO will typically be measured critically (or terminated) when these types of exposures occur.
For a typical employee, however, most do not receive bonuses based on company performance and those that do would receive a much lower percentage than an executive. As well, they often do not understand which information is sensitive and how the loss of that information will affect the business. Unless you provide both a clear way to identify which information is sensitive and can effectively motivate employees to secure the data they manage, their ability (and desire) to help protect against data loss will be limited.
3. Public Safety or Mission Success
This category typically applies to government agencies like national defense departments, internal security agencies (such as U.S. Homeland Security), as well as other government departments. The risks include:
- Exposure or theft of classified mission data (which can compromise military missions and endanger personnel)
- Exposure of homeland security information (which can endanger the general public)
- Compromising of critical government services and security systems
In these cases, the personnel that deal with the data involved are typically well trained in how to handle this type of sensitive information. As well, often people go into these areas of work because they have a desire to be part of the public service, or they wish to work in the military or a service that protects the public safety. As such, this particular category may be an exception to the theory I put forward earlier.
While there have been some high profile leaks of classified government information in the last few years, in general the people that work and deal with this type of information do tend to protect it. People dedicated to public safety understand the very negative and dangerous impacts that can happen with the exposure of data and believe that protecting this information is the right thing to do.
4. Health Information
In recent years, a new importance is being put on the secure management of personal health information and it is an area of interest I have been researching. While this does involve an individual’s information, I am concerned about how hospitals, insurers and government agencies store and manage this information. And, unlike companies that have to protect only personal or financial information, the motivation to protect data exceeds just bad press, fines or lawsuits when there is a leak.
For example, in the state of Florida a personal health identity can be illegally purchased for approximately $56,000. For a non-insured individual, purchasing such an identity will allow them to illegally get access to the victim’s health care, causing the original owner of that insurance plan to have their premiums used without their knowledge. While this can be categorized as a kind of financial theft, more seriously the person illegally using the health identity can cause data within the health record to be modified. For example, if the impostor is blood type is type A, then that data could be applied to the original health record. If the genuine insured needs an emergency blood transfusion but is type B-negative, their health has been put at risk.
In this case, government agencies and health care organizations that manage personal health information must ensure that proper security measures are put in place in order to prevent these types of risks or exposures from happening. In these cases, typically both the administrators and the employees working in the health care industry do care about these types of risks, and are starting to get a sense for the very dangerous impacts that can occur. Traditionally, however, the health care industry has been slow to adopt technology solutions that can help secure data. Thanks to new legislation, the slow adoption of technology that has been accelerating somewhat in recent years.
To summarize, in many businesses and organizations the average person tends to feel a true need to secure information when they have a personal connection to it, or when they truly understand the consequences of exposure, or when the impact of such an exposure can affect them directly. The ideal situation in any organization would be if each and every individual does in fact care about securely handling sensitive information. This is really what we should be striving for, and many of organizations are starting to tackle this head on.
To date, I have found that the best way to create a security mindset is to overtly involve all employees in the organization’s security strategy. This is started with education so that they understand which information is sensitive and how they should handle it. They also need to be aware of the very real and very negative impacts of information exposure, both to the business and to them personally as employees or individuals. In addition, openly discussing security policy and asking for best practice feedback from employees will help foster feelings of ownership and responsibility. Once employees have been educated and have been provided some involvement in the security process, organizations need to overtly foster accountability. This can be in the form of check-out procedures for highly sensitive documents, or by stamping the employee’s name on all documents they access so that if it is handled carelessly it can easily be tracked back to them.
Despite all the tremendous effort and work that has gone into developing some very excellent security technologies, alone they are unable to manage the task of keeping data completely secure. Employees’ willingness and ability to enforce secure governance procedures is vital to defend against both inadvertent and malicious exposure of sensitive information.