4 Ways To Measure Secure Data Collaboration

One of the most important things you can do as a leader when trying to implement change is to measure the impact of that change through key performance indicators (KPIs). While organizations have spent years tuning financial KPIs and even security KPIs (e.g., risk), there has been little discussion of KPIs for measuring Secure Data Collaboration. We are proposing four KPIs that would allow organizations to understand the effectiveness and adoption of Secure Data Collaboration.

One of the biggest challenges with KPIs is that there is no shortage of data. We were recently reminded of this by an information security and collaboration leader who often must report to executives that:

“the KPI should show me what we want users to be doing more of and the kind of behavior we are trying to change.”

With that guidance in mind, these are the four KPIs that we propose to measure Secure Data Collaboration. 

 

KPI #1: Are we keeping sensitive information in our control?

% of Restricted data in our full control

The metric: Measures the percentage of files downloaded from a trusted file share (e.g. SharePoint) when shared externally, based on the data’s sensitivity.

With Secure Data Collaboration sitting at the center of security and collaboration, we believe it is essential that organizations understand whether they maintain control over their most sensitive information. While some organizations may want to block all downloads, that kind of control may not meet the needs of the business. We recommend having visibility on whether your most sensitive data (e.g., labeled as “Restricted”) stays in your control. This course of action allows organizations to meet the business need to share sensitive information with external parties.

 

KPI #2: Are our users using Microsoft 365 for external collaboration?

External Collaboration Activity using M365

The metric: Measures the number of share creators as well as internal and external users actively collaborating within Microsoft 365.

 

Organizations are making significant investments in selecting Microsoft 365 (M365) as their platform for modern collaboration. However, some companies only use M365 internally while relying on point solutions for external file sharing, thereby missing out on the additional return on their M365 investment. Therefore, measuring how much your modern collaboration platform is being used to collaborate externally will provide great insight into how much return you are getting on your overall investment. If you are concerned about turning on external sharing or guest access in Microsoft 365, feel free to give us a call; we can address the underlying security, privacy and compliance concerns 😊.

KPI #3: What type of data is being shared with external collaborators?

% of data shared externally by sensitivity

The metric: Measures files shared with external recipients, broken down by sensitivity level.

One of the challenges that information security often faces is reporting on a KPI that is easy to understand. We recommend a data classification strategy that can be easily consumed by anyone (red = highly sensitive, orange = more sensitive, yellow = somewhat sensitive, green = not sensitive). The goal of Secure Data Collaboration is to allow sensitive information to still be exchanged with external collaborators. As a result, this metric does not aim to sound a fire alarm if highly sensitive data is shared externally. Its purpose is to bring awareness to executives of potential exposure. Many industries have extremely tight rules around what type of data can be shared externally (e.g., Aerospace and Defense – ITAR); however, you still need to share data and collaborate with external parties. Better understanding the potential exposure allows companies to implement appropriate controls to enable Secure Data Collaboration policies.

 

KPI #4: What is our overall level of engagement with external parties? (customers, partners, suppliers) 

External Collaboration Engagement

The metric: Measures the type of file activity when information is shared. No file activity by the user would represent low engagement, file views by the user would be classified as a medium level of engagement and file opens and uploads by the user would be deemed as a higher level of engagement. 

Implementing a KPI dashboard will generate reams of data about the file-sharing activities of your customers. Analyzing this data will allow you to gain better insights into whether your customers are actively engaged with your organization and their potential revenue.
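As an added illustration (not e-Share's code or part of the original post), the sketch below computes KPI #1, KPI #3 and KPI #4 from a list of sharing events. The event layout, the label names and the reading of "in our control" as "shared externally but never downloaded" are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample events (not real audit data): (file, label, external user, action).
EVENTS = [
    ("q3-forecast.xlsx", "Restricted", "ana@partner.example", "share"),
    ("q3-forecast.xlsx", "Restricted", "ana@partner.example", "view"),
    ("design-spec.pdf", "Restricted", "bo@supplier.example", "share"),
    ("design-spec.pdf", "Restricted", "bo@supplier.example", "download"),
    ("price-list.pdf", "Internal", "cy@customer.example", "share"),
    ("price-list.pdf", "Internal", "bo@supplier.example", "share"),
    ("price-list.pdf", "Internal", "bo@supplier.example", "open"),
    ("brochure.pdf", "Public", "ana@partner.example", "share"),
]
# KPI #4 tiers as the post defines them; downloads are not in those tiers
# and are counted only for KPI #1 (assumption of this example).
ENGAGEMENT = {"view": 1, "open": 2, "upload": 2}
LEVELS = ["low", "medium", "high"]


def kpis(events):
    shared = defaultdict(set)      # label -> files shared externally
    downloaded = defaultdict(set)  # label -> files that left the trusted share
    tier = {}                      # external user -> highest engagement tier seen
    for file, label, user, action in events:
        tier[user] = max(tier.get(user, 0), ENGAGEMENT.get(action, 0))
        if action == "share":
            shared[label].add(file)
        elif action == "download":
            downloaded[label].add(file)
    total = sum(len(files) for files in shared.values())
    by_label = {}
    for label, files in shared.items():
        kept = files - downloaded[label]
        by_label[label] = {
            "pct_of_external_shares": round(100 * len(files) / total, 1),  # KPI #3
            "pct_in_control": round(100 * len(kept) / len(files), 1),      # KPI #1
        }
    engagement = {user: LEVELS[level] for user, level in tier.items()}     # KPI #4
    return by_label, engagement
```

Counting distinct files rather than raw events keeps a file that is shared with several recipients from inflating the percentages.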

Bringing it all together

 

We would love to hear your feedback about the KPIs we are proposing in this Secure Data Collaboration dashboard. Please share any other ideas that you think could help effectively measure Secure Data Collaboration. If you would like more information on how to get access to these kinds of metrics, please feel free to reach out and we would be happy to walk you through it. Below is what a sample KPI dashboard could look like as a slide to report back up to your executives.

Secure Data Collaboration Dashboard

Sharing Sensitive Data With 3rd Parties at the Cybercrime Tipping Point

e-Share Blog

In 2019, researchers uncovered a massive “trove” of more than 20 million sensitive banking and financial documents associated with mortgages, not from the banks or originators who actually received the data from consumers, but rather from a third-party “data and analytics company” that provides various services such as converting paper documents and handwritten notes into computer-readable format.

How much did the banks save, not processing that paper in-house? How much does the embarrassment of having customer data breached, or the potential fines, offset the business case for such a relationship?

The answer is that, by and large, it does not. The use of Business Process Outsourcing (BPO) firms is a standard part of most modern businesses. The question is: how do we respond to almost daily breaches as we try to enable vendors, partners, and even joint ventures to share information?

In the case of mortgages, the most common use case for a BPO is to do data entry: literally reading the various scanned forms, and typing them into a loan origination system. Do they need a copy of the document that they can save on disk?

The answer is simple: they do not.

You can protect your data and still let them use it by deploying e-Share Trusted Sharing to deliver that BPO a read/edit-only link that expires automatically after you reach the end of your service level with them.

This way you protect your data and still enable the partner or vendor to provide you with the value you hired them to create. It’s a win/win!

Contact e-Share to see how quickly and easily you can get started.

Zero Trust About Where You Store Content


A tough data breach this week. A sharing service ended up “sending its users shared files to the wrong people”.

The root cause could easily be a software issue, a breach in an underlying system (like a database), or some sort of hack – malware, causing clients to exfiltrate data, or perhaps an intruder doing the same.

This is why large and regulated enterprises block many third-party services. Simply put, it’s hard to know how good their internal security is – or how good the security of the provider they purchase it from is – or how carefully they screen their employees, how thoroughly they retire old hardware, or how much insurance they really have.

And it takes a lot of time, knowledge and effort to verify anything. The average security review costs more than $10,000 and many cost an order of magnitude or more. Why not just ask a simple question:

Where do you store my company’s data, and how do you maintain our control over it?

The e-Share platform was designed from the zero trust perspective to resist this type of issue by storing as little customer data as possible.


More specifically:

  • e-Share can be configured to store no passwords, requiring login via OpenID. Employees log in with their corporate account and are automatically provisioned for services per organizational policies.

  • All shared content and conversations are stored in your organization’s cloud file storage system – OneDrive, Google Drive, Dropbox or Box.

  • Using O365 or GSuite online, our integrations access the global address list, and all email is subject to existing organizational compliance and security processes, from 2FA to virus and malware scanning and domain/recipient blocking.

e-Share is proud to protect the data of companies with a lot of sensitive data and the business requirement to share it.

Storage providers

Register for a demo anytime to learn how you can deploy e-Share and enable Secure External Collaboration for your company!

How Not To Communicate With Customers


This week our CEO received an email message, apparently from his bank. And he couldn’t really tell if it was a phishing attack. What do you think?

Email from a bank - was it a phishing?

The email certainly appears to be from the credit union. But the email sender and URL show a different company’s URL. That’s the hallmark of a phishing attack.

A trip to the website of the domain name in question shows that it’s an add-on to a popular email marketing system. Produced by a company with yet another name.

This could absolutely be a phishing attack.

The question now is – what to do? Call the credit union? Do we think they’ll even know what that third-party is? Their own website implies that this email didn’t come from them.

i.e. email should come from [our] email address, not another address

Their site further suggests:

Website links: The safest approach for dealing with email links is to not click the link at all. Logging directly into Online Banking […] is the best way to access your account and any messages pertaining to your account.

Assuming the credit union is following their own guidelines, we can definitely conclude this is a phishing attack. They’ve said very clearly there should not be links in email messages they send, and not to click them, in any event.

Wouldn’t it be easier to tell them just to make sure the link is also under the credit union’s domain?
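The check suggested above can be automated. The following is an added example, not part of the original post or any e-Share product: it flags a message whose sender address or link hosts fall outside the organization's own domain. The sample message and every domain in it are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (hypothetical domains), not the email from the post.
SAMPLE = """From: "Example Credit Union" <news@mailer.vendor.example>
Subject: Your statement is ready
Content-Type: text/html

<a href="https://click.vendor.example/t/abc">View statement</a>
<a href="https://www.creditunion.example/login">Online Banking</a>
"""


class LinkCollector(HTMLParser):
    """Collect href targets of <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def in_domain(host, domain):
    # Exact match or true subdomain; a bare suffix test would accept "notcreditunion.example".
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def off_domain_findings(raw_message, org_domain):
    """Return (kind, host) pairs for the sender and links outside org_domain."""
    msg = message_from_string(raw_message)
    findings = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not in_domain(sender_host, org_domain):
        findings.append(("sender", sender_host))
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href in collector.hrefs:
        parts = urlsplit(href)
        if parts.scheme in ("http", "https") and not in_domain(parts.hostname, org_domain):
            findings.append(("link", parts.hostname))
    return findings
```

The display name in the From header is ignored on purpose, because it can say anything; only the address domain and the link hosts are compared.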

e-Share - Smart URL

With e-Share Trusted Sharing and Secure Mail you can communicate securely and compliantly with anyone, anywhere – using your own domain name and SSL certificate.

Recipients can instantly know they’re not being phished, because no third-party URLs will appear. And our 100% cloud platform keeps documents and conversations out of insecure email infrastructure while providing fine-grained sharing options, from requiring login to insisting on access codes, automatic expiration and much more. And it’s entirely enterprise class, supporting SSO, auto-provisioning and full integration with O365, OneDrive, Dropbox, Box, GSuite and GDrive.

Register for a demo to see how you can communicate with customers without freaking them out.

Securing BPO Data Entry Using e-Share APIs


Earlier this year, a trove of more than 24 million financial and banking documents was found online.

“…more than a decade’s worth of data, containing loan and mortgage agreements, repayment schedules and other highly sensitive financial and tax documents that reveal an intimate insight into a person’s financial life. But it wasn’t protected with a password, allowing anyone to access and read the massive cache of documents…”

The files were indexed into a free search engine which was exposed to the open internet. Why? Business Process Outsourcing (BPO). Large companies use “BPOs” to do work they don’t want to perform in-house. One of the most common uses of BPO in financial services is … data entry. Literally, looking at the image of a scanned document and typing it into some other system.

Most banks and mortgage originators use BPOs. It saves them time and money. The problem is, it can also expose their customers’ data.

The BPO undoubtedly uses a search engine as part of their workflow automation. The bank originating the loan drops a bunch of related, scanned documents into some folder on some server. Those then get picked up by the BPO; a copy is made and indexed by the BPO’s search engine. This makes the document available for the employees of the BPO so they can do their work. The BPO’s workflow assigns each document to an available worker by passing them the URL of the indexed document. The worker reads it and types the values they see on the screen into the web application – probably a Loan Origination System like Ellie Mae’s Encompass. When they’re done… well, that’s anyone’s guess. The bank probably tracks the completion of the work – i.e. how fast did it all get typed in.

In this case, they should have worried about how long the shared document persisted.

The alternative is not to share a copy of the document. Using e-Share’s API, it takes one call to upload a file to your existing cloud storage (OneDrive, Dropbox, GDrive or Box) and return a URL that provides time-limited, view-only access to the file.

e-Share - Red zone

Share the link with your BPO, not the entire document!

Register for a demo to see this API in action, anytime.