The universal constant of every business, regardless of size or industry, is that it holds important data, and that data may be a target for theft.
What should be the second constant is knowledge of where the data is located. Once you know its location, you can sort out who has access. This sounds simple, yet so many companies are unable to say with certainty where their data is, who has access to it, and if the information is being afforded the appropriate level of control and protection it deserves. The complexity of the equation is driven by a number of variables, including geographic footprint, personnel, maturation of policy and procedures, industry requirements, and available resources.
During the recent RSA Conference 2014 in San Francisco, I spoke on the topic of knowing if your data is on a hacker's shopping list in the presentation "How to Discover if Your Company's Files Are on a Hacker's Shopping List." There were two key takeaways from this talk: First, if you don't know where your information is, then the likelihood of knowing when it has gone missing is low. Second, you don't get to choose if your information is of interest to unscrupulous hackers set on data theft—they do the target selection. It may, however, be your responsibility to protect those files so they do not take a proverbial walk out the door.
Data loss prevention (DLP) solutions abound and are universally designed to warn of an event that violates established and defined rule sets. And by and large, a good DLP solution will tell you when your data sets end up someplace they are not supposed to go—provided, of course, that you have an understanding of where and how your data is being stored, shared, and otherwise handled. To that end, employee file-sharing risks are a very real concern, from both the "shadow IT" and the "trying to do the right thing, but very poorly" perspectives.
In the first instance, IT is perceived as not having sufficient resources, bandwidth, or interest to assist the group in need of services. This group, usually a talented and clever collection of individuals, takes it upon themselves to build their own infrastructure to get the job done their own way. They build a "shadow IT." The second instance occurs when an employee perceives the system, processes, procedures, or any other constraint as an obstacle to his productivity and takes shortcuts to work around it—such as using a third-party file-sharing program so he can work in a mobile environment, or making backup copies of frequently used data sets on his local hard drive, while failing to protect the data in accordance with the established InfoSec policy. In both instances, the employees involved have no malicious intent, but their actions put company data at risk.
While the days of data secured in safes, safes secured in vaults, and access limited to those with a strict need-to-know now seem to exist only in governmental environments, the key to data security goes well beyond strong locks and protections. The key is data inventory—not simply an inventory of project names or technology keywords, but an inventory that also captures, perhaps through semantics and natural language processing, the presence of concepts and ideation, which would also fall within the category of information that needs a specific, prescribed level of protection. Similarly, ensuring compliance with data protection requirements, including regulatory and contractual obligations, may mean segmenting cloud storage and processing into specific auditable environments. Solving these conundrums is a giant step toward answering the question, "Where is my data, and who has access to it?"
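As an added illustration (not code from the original article or any DLP product), the script below sketches the inventory step: it walks a directory such as an employee's local copies, tags each file against a constructed rule set that covers both a structured identifier (a card-number pattern) and a "concept" rule that fires only when several related terms co-occur, and records where each sensitive file sits and whether anyone on the host can read it. The rule set, file names and contents are all constructed for the example; a real inventory would use richer classifiers and consult ACLs rather than the world-readable bit alone.

```python
import os
import re
import stat
import tempfile

# Constructed DLP-style rule set: regexes for structured identifiers, and "concept"
# rules that fire only when several related terms co-occur (a crude stand-in for NLP).
RULES = {
    "payment-card": {"patterns": [re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")]},
    "merger-plans": {"concepts": {"acquisition", "term sheet", "due diligence"}, "min_hits": 2},
}

def classify(text):
    # Return the set of data classes whose rules match the text.
    lowered, hits = text.lower(), set()
    for name, rule in RULES.items():
        if any(p.search(text) for p in rule.get("patterns", [])):
            hits.add(name)
        concepts = rule.get("concepts", set())
        if concepts and sum(c in lowered for c in concepts) >= rule.get("min_hits", 1):
            hits.add(name)
    return hits

def inventory(root):
    # Walk root; for each sensitive file record its location, classes and exposure.
    report = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                classes = classify(fh.read())
            if classes:  # "who has access": here, whether any user on the host can read it
                report[os.path.relpath(path, root)] = {
                    "classes": sorted(classes),
                    "world_readable": bool(os.stat(path).st_mode & stat.S_IROTH),
                }
    return report

def demo():
    # Build a constructed sample tree (an employee's local copies) and inventory it.
    root = tempfile.mkdtemp()
    samples = {
        "expenses.txt": ("Reimburse card 4111 1111 1111 1111 for travel", 0o644),
        "notes/deal.txt": ("Acquisition term sheet drafted; due diligence next week", 0o600),
        "readme.txt": ("Nothing sensitive here", 0o644),
    }
    for rel, (text, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return inventory(root)
```

Running `demo()` reports the expense file (card pattern, world-readable) and the deal notes (concept rule) while the benign readme is left out of the sensitive inventory.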