How do you rein in data communications, not only between computers, but between humans?

1.4k views · 3 Upvotes · 6 Comments

VP, Director of Cyber Incident Response in Finance (non-banking), 10,001+ employees
For me, it's defense in depth and least privilege. I hesitate to use the phrase Zero Trust, but it's also entitlement-driven. We have thousands of entitlements in the company. The typical employee can't go to most internet websites, and can't download or install software. You've got to go through an IT process in order to add software, endpoint detection and response (EDR). You can't plug in a USB device, or send documents out without an entitlement. We don't use Box anymore. We don't use Dropbox.
Chief Information Security Officer in Healthcare and Biotech, 501 - 1,000 employees
An issue we’re dealing with is how we exchange healthcare data, etc. with partner providers. We have 18 different identifiers within protected health information (PHI data) which need to have certain policies assigned to them so they’re not overshared or disseminated unnecessarily. How do we control the data and, if we can control it, where exactly is the measure of shared responsibility between us versus the providers/partners? One thing that helped was having a bastion host between ourselves and the providers so that we can actually strip off the PHI data before it leaves our control, so there are better definitions around what the policy is.
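The bastion-host idea in the comment above (strip PHI before a record leaves your control) can be made concrete as an egress scrubber. The following is an added example and not the commenter's code; the field names, the sample record and the regular expressions are assumptions for illustration. The identifier list follows the 18 categories of the HIPAA Safe Harbor de-identification method, which is what "18 different identifiers" refers to.

```python
"""Egress scrubber for PHI, in the spirit of a bastion host between a
provider and its partners.  Added example, not the commenter's code.
Field names, sample data and regexes are assumptions for illustration.
"""
import copy
import re

# Structured fields that map onto the Safe Harbor identifier categories
# (assumed field names for a hypothetical partner-exchange record).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "dob", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo_url",
    "other_unique_id",
}

# Identifiers that commonly leak inside free-text fields such as notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def _generalize_zip(zip_code):
    """Safe Harbor keeps only the first three ZIP digits.  The small-population
    exception (report 000 instead) is not handled in this illustration."""
    return zip_code[:3] + "00" if zip_code else zip_code


def scrub(record):
    """Return (scrubbed_copy, touched_fields).  The original is not mutated."""
    out = copy.deepcopy(record)
    touched = []
    for field in list(out):
        if field in DIRECT_IDENTIFIER_FIELDS:
            del out[field]
            touched.append(field)
    if "zip" in out:
        out["zip"] = _generalize_zip(out["zip"])
        touched.append("zip")
    for field, value in out.items():
        if isinstance(value, str):
            for label, pat in FREE_TEXT_PATTERNS.items():
                if pat.search(value):
                    value = pat.sub(f"[REDACTED-{label.upper()}]", value)
                    touched.append(f"{field}:{label}")
            out[field] = value
    return out, touched


def verify_clean(record):
    """Independent egress check: list anything that still looks like PHI.
    An empty list means the record may leave; anything else blocks it."""
    violations = [f for f in record if f in DIRECT_IDENTIFIER_FIELDS]
    for field, value in record.items():
        if isinstance(value, str):
            for label, pat in FREE_TEXT_PATTERNS.items():
                if pat.search(value):
                    violations.append(f"{field}:{label}")
    return violations


# Constructed sample record, not real patient data.
SAMPLE_RECORD = {
    "mrn": "MRN-0001234",
    "name": "Jane Example",
    "dob": "1980-04-12",
    "zip": "02139",
    "diagnosis_code": "E11.9",
    "notes": "Patient called from 617-555-0199 and emailed jane@example.com; "
             "SSN 123-45-6789 on file.",
}

if __name__ == "__main__":
    clean, touched = scrub(SAMPLE_RECORD)
    print("touched:", touched)
    print("outbound:", clean)
    print("block?", bool(verify_clean(clean)))
```

The scrub step and the verify step are deliberately separate: the second runs at the egress point and refuses to forward anything the first missed, which is where the shared-responsibility line between you and the partner becomes enforceable rather than contractual.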
CISO in Software, 51 - 200 employees
I worked at one pharmaceutical company where we didn't want to leak any data at all. We decided that no file is ever going to leave Box. We disallowed sending file attachments. Everything sent outside the org was in preview-only mode, and external people had to open it up in Box to see it. They could take a photo with their camera, but who cares? We were doing everything possible to protect that document. It was 2014, so it was weird at the time but it worked well and people got used to it. It was Box's idea to keep everything on the platform so that we didn’t need all of the other tools I was looking at. There's everything out there to be secure, but I don't know how to apply the same approach to software companies because everything's pure chaos after coming from pharmaceuticals. In software, it’s crazy trying to rein that all in.
CTO in Software, 11 - 50 employees
First and foremost, you need to implement and continuously maintain proper *authorization* (AuthZ) policies in addition to (strong) authentication (AuthN) requirements to ensure that there are levels of data access and sharing between end-users. Too often there are "Allow Everyone" policies out of either negligence or laziness. Combine that with proper logging, as well as a regular cadence of communicating the importance of this (aka: "why") to your end users.
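The "Allow Everyone" problem and the default-deny alternative from the comment above, as an added example (not the commenter's code). The policy format, role names, resource names and principals are assumptions for illustration; the evaluator implements explicit deny over explicit allow over default deny, and writes an audit record for every decision.

```python
"""Default-deny authorization with a lint for 'Allow Everyone' rules and an
audit trail.  Added example, not the commenter's code.  Policy format,
roles, resources and principals are assumptions for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset
    authenticated: bool = True   # AuthN outcome; AuthZ only runs on top of it


@dataclass
class Rule:
    effect: str       # "allow" or "deny"
    roles: set        # "*" means every role
    actions: set      # "*" means every action
    resources: set    # exact names, "*" or a prefix ending in "/*"


def _resource_matches(rule_resources, resource):
    for r in rule_resources:
        if r == "*" or r == resource:
            return True
        if r.endswith("/*") and resource.startswith(r[:-1]):
            return True
    return False


def lint_policy(rules):
    """Flag rules that grant access to everyone, the pattern the comment warns about."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.effect != "allow":
            continue
        if "*" in rule.roles:
            findings.append(f"rule {i}: allows every role on {sorted(rule.resources)}")
        if "*" in rule.actions and "*" in rule.resources:
            findings.append(f"rule {i}: allows every action on every resource")
    return findings


AUDIT_LOG = []   # in production this would be shipped to the SIEM, not kept in memory


def authorize(principal, action, resource, rules):
    """Explicit deny wins, then explicit allow, otherwise deny by default."""
    if not principal.authenticated:
        decision, reason = "deny", "unauthenticated"
    else:
        decision, reason = "deny", "no matching allow (default deny)"
        for i, rule in enumerate(rules):
            role_hit = "*" in rule.roles or bool(principal.roles & rule.roles)
            action_hit = "*" in rule.actions or action in rule.actions
            if role_hit and action_hit and _resource_matches(rule.resources, resource):
                if rule.effect == "deny":
                    decision, reason = "deny", f"rule {i} explicit deny"
                    break
                decision, reason = "allow", f"rule {i}"
    AUDIT_LOG.append({"user": principal.user, "action": action,
                      "resource": resource, "decision": decision, "reason": reason})
    return decision == "allow"


# Constructed policies and principals for illustration.
WEAK_POLICY = [Rule("allow", {"*"}, {"*"}, {"*"})]        # the "Allow Everyone" rule
POLICY = [
    Rule("allow", {"analyst", "finance"}, {"read"}, {"reports/*"}),
    Rule("allow", {"finance"}, {"read", "share"}, {"reports/quarterly"}),
    Rule("deny", {"contractor"}, {"share"}, {"*"}),       # contractors never share out
]
ALICE = Principal("alice", frozenset({"finance"}))
BOB = Principal("bob", frozenset({"finance", "contractor"}))
EVE = Principal("eve", frozenset({"analyst"}), authenticated=False)

if __name__ == "__main__":
    print("weak policy findings:", lint_policy(WEAK_POLICY))
    print("alice share quarterly:", authorize(ALICE, "share", "reports/quarterly", POLICY))
    print("bob share quarterly:", authorize(BOB, "share", "reports/quarterly", POLICY))
    print("alice delete quarterly:", authorize(ALICE, "delete", "reports/quarterly", POLICY))
    for entry in AUDIT_LOG:
        print(entry)
```

Two things in the design carry the comment's point: the loop does not stop at the first allow, so a later deny always wins, and every decision, including the default deny, is logged with the rule that produced it, which is what lets you answer "why could this user share that file" after the fact.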
Director - IT Infrastructure - Databases and eBusiness Specializing in Information Technology in Retail, 1,001 - 5,000 employees
We have set up a policy to deal with different kinds of data by resource. We have made a clear segregation of duties, and we have annual training on how to deal with data, how to share it and whom to share it with. We define a clear workflow for data that involves human interactions, addressed by the policy and procedures.
Director of Information Technology in Education, 201 - 500 employees
I think these are two separate (but weirdly related) issues.  The pandemic certainly changed things - people who are very social were stymied and have sought other ways of communicating.  And the primary issue here, I believe, is the separation of work from home.

From a computer standpoint, that's the easiest. Simply map out what directions information needs to flow, set levels of access, and set up enforcement technology. These are all technology fixes: ACLs, endpoint protection, firewalls, etc.

But security is only 20% technology; it's the 80% people that scares the heck out of me. According to the Department of Homeland Security, 94% of the breaches last year occurred via a phishing email, so this makes the endpoint (both the computer and the person) the weakest link.

Obviously you start with technology, but then follow it up with strong policies, strong standards, and enforceable actions when there is non-compliance (yes, I'm talking termination). Smart people do dumb things all the time. Education is obviously the first step. I'd also recommend including people in desktop exercises, folks who normally wouldn't participate. It gives them a much larger view of the picture.

So, in short - technology, training, but planning is the first step.  And part of that planning needs to include establishing baselines, so you know what abnormal looks like.
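"Establishing baselines, so you know what abnormal looks like" can be shown on the data-flow side of the question: a per-user baseline of outbound transfer volume and destinations, with a check of the newest day against it. The code below is an added example, not the commenter's; the log format, the sample log lines and the thresholds are constructed assumptions for illustration.

```python
"""Per-user egress baseline and anomaly check.  Added example, not the
commenter's code.  Log format, sample lines and thresholds are assumptions."""
import statistics
from collections import defaultdict

# Constructed sample log: "date user bytes_out destination", one event per line.
SAMPLE_LOG = """\
2024-03-01 alice 1300000 sharepoint.corp.example
2024-03-01 bob 9000000 sharepoint.corp.example
2024-03-02 alice 1100000 sharepoint.corp.example
2024-03-02 bob 8700000 sharepoint.corp.example
2024-03-03 alice 1400000 sharepoint.corp.example
2024-03-03 bob 9400000 sharepoint.corp.example
2024-03-04 alice 1250000 sharepoint.corp.example
2024-03-04 bob 8900000 sharepoint.corp.example
2024-03-05 alice 1350000 sharepoint.corp.example
2024-03-05 bob 9100000 mail.corp.example
2024-03-06 alice 1200000 sharepoint.corp.example
2024-03-06 bob 9300000 sharepoint.corp.example
2024-03-07 alice 1280000 sharepoint.corp.example
2024-03-07 bob 9050000 sharepoint.corp.example
2024-03-08 alice 1270000 sharepoint.corp.example
2024-03-08 alice 860000000 transfer.example.net
2024-03-08 bob 9200000 sharepoint.corp.example
"""


def parse_log(text):
    """Return a list of (date, user, bytes_out, destination) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, nbytes, dest = line.split()
        events.append((date, user, int(nbytes), dest))
    return events


def build_baseline(events, before_date):
    """Per-user median and MAD of daily outbound bytes, plus the set of
    destinations seen, using only events strictly before before_date."""
    daily = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(set)
    for date, user, nbytes, dest in events:
        if date < before_date:
            daily[user][date] += nbytes
            dests[user].add(dest)
    baseline = {}
    for user, per_day in daily.items():
        values = list(per_day.values())
        median = statistics.median(values)
        mad = statistics.median(abs(v - median) for v in values)
        # Floor the MAD so a perfectly flat history does not make every
        # byte of variation an alert (5 % of the median is an assumed floor).
        mad = max(mad, 0.05 * median)
        baseline[user] = {"median": median, "mad": mad, "destinations": dests[user]}
    return baseline


def detect(events, day, baseline, k=5.0):
    """Alerts for `day`: volume above median + k*MAD, a destination never seen
    in the baseline, or a user with no baseline at all."""
    totals = defaultdict(int)
    seen = defaultdict(set)
    for date, user, nbytes, dest in events:
        if date == day:
            totals[user] += nbytes
            seen[user].add(dest)
    alerts = []
    for user, total in totals.items():
        if user not in baseline:
            alerts.append((user, "no_baseline", total))
            continue
        b = baseline[user]
        threshold = b["median"] + k * b["mad"]
        if total > threshold:
            alerts.append((user, "volume", total))
        for dest in sorted(seen[user] - b["destinations"]):
            alerts.append((user, "new_destination", dest))
    return alerts


def run(log_text=SAMPLE_LOG, day="2024-03-08"):
    events = parse_log(log_text)
    return detect(events, day, build_baseline(events, day))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Median and MAD are used instead of mean and standard deviation so that a single past spike does not inflate the baseline and hide the next one. The "new destination" check is the cheaper of the two signals and usually fires first in practice, since bulk exfiltration almost always goes somewhere the user has not sent data before.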
