Communicating the Data Security Risks of File Sharing & Cloud Storage
We asked 34 data security experts how companies can best communicate the security risks associated with file sharing and cloud storage to employees - see what the experts had to say.
With more enterprises moving to the cloud and more employees using file sharing and cloud storage services in the course of conducting business, effective communication regarding the inherent security risks associated with cloud computing is imperative. Cloud applications enable employees to create, store, and control more data than ever before, but with these new capabilities comes increased risk to sensitive enterprise data. As a result, cloud adoption must be met with a heightened focus on extending data security measures to the cloud.
Effective cloud data protection begins with educating employees on the risks of sharing and storing information in the cloud. But how can companies best communicate these risks along with the appropriate security measures to mitigate them to employees in the modern cloud landscape? To find out how today's security leaders are handling employee education surrounding data protection in the cloud, we asked 34 business and security leaders to answer this question:
"How can companies effectively communicate the data security risks of cloud storage and file sharing to employees?"
See what our panel of experts had to say below:
Meet Our Panel of Data Security Experts:
Paul Kubler, CISSP, CCNA, Sec+, ACE
Paul Kubler is a Cyber Security and Digital Forensics Examiner at LIFARS LLC, an international cybersecurity and digital forensics firm. He's a former employee at Boeing, in the Global Network Architecture division, the nation's largest private cyberattack target. He previously worked at the Flushing Bank, in Network and Systems Infrastructure, protecting valuable financial data at various levels within the network and system. Paul has also performed forensic investigations into mobile devices aiding in the prosecution of criminals.
The best way to communicate security risks associated with cloud storage and file sharing is...
Cloud sharing has become prevalent among many workers who want to share documents but don't feel like using physical media to transport them. This may be because the files are large, USBs are restricted, or email filters catch the documents. This can present a problem in collaboration that cloud storage and sharing has fixed for these users. The problem then lies in how that is being done, as it can present security risks.
Companies need to find secure alternatives for their employees to share documents that they can deploy at the enterprise level. Without this, employees may use a plethora of free vendors, have numerous accounts, and none are being audited or monitored. Worst of all, many employees use the same passwords for these programs as they do for their company passwords and they take little security action into these tools. A company needs to standardize cloud storage and regularly upkeep it to maintain a secure document storage center.
The best way to communicate these risks is through regular training sessions followed by quizzes to ensure all employees understand the basics. These can be followed by the blocking of unapproved sharing centers that may be used to exfiltrate company data or maintain the data which is being accessed by malicious agents if they were not secured properly by employees. Training can also be conducted on general security to make sure that, even if employees are using a cloud-based storage service, they will keep it secure.
Carlos Pelaez is the National Practice Leader for Coalfire’s practice area, focused on serving Service Organizations and Internal Audit departments. He provides the framework and methodology to local audit teams so that they may be well-equipped to validate compliance and cyber security needs for cloud-based solutions.
My recommendations for communicating security risks associated with cloud storage and file sharing are...
I am a national practice leader for the cyber security firm, Coalfire Systems Inc. We primarily work with cloud solutions and evaluate cloud security on a daily basis.
I provide training to employees on cloud storage and also evaluate solutions that Fortune 1000 companies have rolled out. I have seen many good and bad ways to go about this.
Here are a few GOOD ways:
1. Depending on the system, a link to the cloud storage or file sharing service can be accessed without a user name and password. For example, Dropbox lets you send a link to secure files where you can select whether anybody receiving that link can open the file, or just the people to whom the link was explicitly emailed can access it. Highlighting these nuances is important, because that is what security is all about: nuances. Employees have to be thinking in a way that shows a deeper appreciation for how much of an impact checking a box, or not checking a box, can have on their security.
2. With so much data in the cloud, many employees can feel like there is no real secure method. This defeatist attitude creates a culture of being resigned to weaker security because employees let the lack of knowledge dictate their default decisions. Cloud solutions are not so different from typical solutions that security has to be automatically ignored. Security is part of every solution, and explaining to employees how the technology works and where the security sits within the model is important. Without losing the fear that cloud is a nebulous and abstract concept, security will continue to be an afterthought for employees.
Here are a few BAD ways:
1b. Scaring employees with tales of what went wrong is one way to get the conversation going, but can also backfire if the story is not followed with clear, easy-to-follow guidance. Many companies use recent breaches as a reason why security should be improved, but fail to bring a vision that helps employees make sense of the risk. A wider vision that fits with the company's strategy needs to work in unison with all information disseminated around cloud storage and file sharing.
2b. Another terrible path to take is to completely shut down the ability to use cloud storage and file sharing technology. Defaulting to NO for everyone will only create loopholes and circumvention of the security policies in place. Employees should not be restricted from using tools without being provided clear alternatives, because they will find a way around it. If file sharing is made too difficult, or cloud solutions are disabled, the organization will lose sight of what is being used by employees and, with it, the ability to influence poor security usage.
Jeff M. Spivey
Jeff M. Spivey, CRISC, CPP, is president of Security Risk Management, Inc. He is also a founding member of the Cloud Security Alliance and a member of ISACA’s Governance Advisory Council.
The best way for companies to effectively communicate the data security risks in cloud storage and file sharing to employees is...
In most instances, employees and other users of IT systems want to do the right thing to minimize cyber-related risk. However, they do not consistently understand what a cyber risk may be, why it is a risk, and what their individual role is within the entire organization’s plan to manage these risks.
To ensure employees understand their role and responsibilities for the protection of all digital assets, a communications plan should not be ad hoc nor left up to distributing a large cybersecurity plan document with no practical dynamic conveyance of knowledge. So, proper initial and dynamic training is essential to assure all users of the IT systems follow the organization’s standards for proper use of organizational data and information.
For example, both the data security risks in cloud storage and file sharing present the risk of confidential information being stored outside the organization’s control. Further assurance is needed that certain controls are designed and implemented by the organization and being used appropriately by all users. Organizations need to determine their needs for security and then work with cloud providers that use these controls. Appropriate communication, training, and testing is required for consistency - not only for employees, but also for the third-party services of cloud storage and file sharing.
Communication with employees includes:
- What is cloud storage and file sharing?
- How do people use it?
- What risks are there in using cloud storage and also sharing files using third-party cloud storage, such as Dropbox, OneDrive, Google Drive, etc.?
- What does my organization want me to do to best protect against risk in these environments?
- What are my organization’s standards for preventing and reporting incidents or violations?
It is extremely important to dynamically ensure that organizations are effectively communicating the risks and proper organizational actions to be used in the management of these risks. One very effective technique is using the technology of e-learning modules for various training, providing short, consumable, easy-to-understand (non-technical) information and guidance on each risk category needed. This e-learning module should be set to repeat at set intervals or when the module/guidance is updated or changed.
Finally, the overall cybersecurity program for the organization must have policies and directives aimed at protecting against cyber risk. The organization has to develop a specific and customized set of digital risk management standards. Doing less than this is doing less than you should.
Mauricio Prinzlau is a cloud storage expert at Cloudwards.net. Prinzlau has written hundreds of articles all around cloud-related topics and done several interviews on cloud storage security.
The best way to educate employees about the risks of file sharing and cloud storage is...
Communicating cloud storage security to employees is crucial for any company or organization. More and more companies follow the BYOD (bring your own device) movement, which could expose company data to outside cloud services or other third parties. Companies should make an effort to explain that services like Dropbox do not offer proper (local) encryption. If you speak with non-technical people, the best way to explain the issue is with the help of a metaphor.
Employees should always ask themselves, would I leave the door of my house unlocked to buy some groceries? Probably not. The same thing applies to devices brought in to the company network. If they are not properly locked and controlled, some people may break in and steal from you.
Executive Coach, Author, and Professional Extraordinaire, Chavaz is a referral-only Speaker and Executive Consultant who has worked with companies in the private and public sectors including the leadership of Fortune 200 Companies.
Chavaz provides a one of a kind, always innovative approach to leadership, management, employee motivation, compensation vs. reward, and executive development.
He has spoken at the headquarters of the global leading semiconductor corporation, Qualcomm, Inc., and has also provided coaching and consulting to C-Suite Members of the Bay Area Rapid Transit [BART] in California.
The most effective way to communicate the security risks involved with file sharing and cloud storage is...
Employees do not fully understand what the cloud is or what it is capable of. In order to communicate risks of utilizing the cloud for storage, employees must first be educated on the cloud and its benefits. Most employees know that they can store documents on the cloud, but that's the extent of their knowledge.
Employees must be educated that cloud service providers are companies and corporations like any other. As such, cloud service providers can be prone to security breaches and, as was the case with Nirvanix, a cloud service provider can file bankruptcy, leaving employees with very little time to retrieve or secure information that may or may not have a backup.
Employees need to be educated on the cloud itself. Having this understanding will open up the dialogue to security and other concerns about the cloud and network sharing.
Bill Hargenrader is a Cybersecurity Manager and Senior Lead Technologist at Booz Allen Hamilton, a Fortune 500 technology and strategy consulting firm. Bill is also the author of the Next Level Life, a blog dedicated to helping people reach their goals and realize their full potential.
For communicating with employees about security risks associated with file sharing and cloud storage, I recommend...
One of the issues with effectively communicating data security risks is the personal disassociation of the consequences with physical reality. I often use this analogy to hammer home this point: You wouldn’t leave your keys in the door at home would you? Or store your credit cards in your mailbox? We need to start thinking of our cloud storage and file sharing in that same light, as an extension of our personal physical domain. When we call it the cloud, it’s as though it’s otherworldly, or out there somewhere. That “out there” is a tangible location accessible by far more people than randomly pass by your house and may happen to see your keys in the door. It’s important to take personal responsibility for cloud security, but as an organization’s IT and cyber leadership, it’s also important to ensure the most secure solutions are put in place.
James Pooley, former Deputy Director General at the World Intellectual Property Organization and trial lawyer in Silicon Valley for over 35 years (patent, trade secret and technology litigation), has taught trade secret law at UC Berkeley and served as President of the American Intellectual Property Law Association and National Inventors Hall of Fame.
Mr. Pooley is an author or co-author of several major works in the IP field, including his treatise Trade Secrets (Law Journal Press) and the Patent Case Management Judicial Guide (Federal Judicial Center). His new book, Secrets: Managing Information Assets in the Age of Cyberespionage, will be published in 2015.
When it comes to communicating security risks to employees...
Employees usually don't think about security threats. This problem is especially acute with the Facebook generation, who have been encouraged to share the details of their lives online and to expect that any kind of information is always available for free. These employees are used to swapping files with friends and using the cloud to store and access photos and music. They routinely bring their risky habits and hardware to the workplace, where their smartphones can access the company network. The best software tools can effectively manage personal devices, but companies also have to manage the individuals that use them. And the most important part of that management is training.
However, training that's only occasional, or that tries to beat in the message with threats, doesn't work. Staff training should be careful, continuous, upbeat, and professional, so that employees learn that corporate hygiene is a world apart from how they deal with information in their private lives. Independent training providers do a great job, but don't miss the chance to include the company's senior managers in the process. Leaders should communicate to their teams the importance the company puts on management of its data.
While stories of loss and mistakes from outside are useful to establish the horrible consequences of a breach, it's helpful to highlight the company's own initiatives, and especially actions by individual employees, that have helped avoid a problem. Good training is the best (and most cost-effective) way to ensure that employees use the corporate cloud and file sharing the way they're supposed to, instead of the way they do it at home.
Morgan O’Mara is the digital marketing content coordinator at Record Nations. She attended Michigan State University, where she received a bachelor’s degree in Digital and Technical Writing. Since college, she has studied cloud infrastructure and has been working in the cloud industry.
My recommendations for companies wanting to communicate with employees about protecting data when using file sharing and cloud storage are...
There are steps companies can take to protect their electronic data:
Much electronic document management software allows different permissions to be set for different departments or individuals in the organization. This is to help with the security of the information stored in the cloud.
A legitimate cloud backup or storage service will encrypt the data while it’s being transferred to the cloud server and as it sits on the cloud server. As another precaution, employees should make logins with strong passwords and there should be a limit to the number of employees that have access to critical files. This can help you ensure your files will never be compromised.
Companies should clearly explain to employees the cost of a data breach. Data security is extremely important to companies because it could potentially put them out of business. Employees should know these risks and understand why it is important to take precautions against security breaches.
John Luludis cofounded Superior Technology Solutions, based in Pearl River, New York, in December of 2009. Prior to his start at Superior, Luludis served as the Senior Vice President of global shipping provider, DHL, and as the Director of IT Operations for both the car and truck divisions at Volvo.
Companies can communicate the security risks associated with file sharing and cloud storage by...
Companies can effectively communicate data security risks/requirements through their information security policy, covering the use and access of all company information across all storage mediums. Effective information security policies are supported by information security standards and procedures that categorize corporate information while providing guidelines for the access, use, dissemination, storage, and removal of company information from storage devices. As a result, employees can clearly understand what type of information can be shared and what storage mediums are eligible for use for each category of information. This approach will enable companies to establish a consistent and manageable process as it relates to the secure use, access, and storage of company information.
Aaron Ross is a nationally known cloud and cyber security expert who has appeared on Fox News, Yahoo!, CBS, and more. Aaron owns his own cloud site, RossBackup.com. When not dealing with the company, Aaron can be found giving parenting and/or teaching classes.
To communicate the security risks of file sharing and cloud storage, companies should...
1) Require password changes every 30 days. This can be set automatically through most databases and ensures that employees don't use duplicate passwords.
2) Have quarterly brief team meetings to discuss security protocols.
3) Don’t use POP or IMAP e-mail for file sharing. In most cases, it’s a lot less secure. A dedicated e-mail server is the best route.
4) When it comes to file sharing you want to make sure employees are using reputable sites only. This means you should disable all but the most common e-mail attachments (Word, Excel, PowerPoint, PDF) and disable links in e-mails.
5) Make sure the cloud site you are using is secure. At Rossbackup.com, we use AES-256 Security. We also don’t share customer info. Meaning, if someone wanted to get your info, it would be a lot easier for them to steal your computer than to try and get it from our cloud service.
6) Don't log in to your cloud from any location that’s not secure. For instance, don't use the Wi-Fi in Starbucks to access your personal info – it's just not smart.
7) Keep your private information organized. Very often, people allow access to the wrong information not realizing what it is. For instance, if you are using your cloud at work, don't put things like sex tapes on it.
Amit Cohen is the Co-Founder and CEO of FortyCloud. Before co-founding FortyCloud, Amit was VP of Product, and before that, CTO at ECI Telecom. During his 13 years at ECI, Amit led the development and integration of cutting-edge technology projects for some of the world's leading telecom operators. Amit has a BA and MSc in Computer Science from the Technion and an EMBA from the Kellogg School of Management.
To effectively communicate with employees regarding the risks of file sharing and cloud storage, I recommend...
Since internal hacks represent a significant source of data breaches, instituting secure access management policies is crucial. As an increasing number of employees are accessing the organization's data remotely, risks are even greater - including the risk of theft and loss of mobile devices that can access an organization's resources.
The cloud has long suffered from the stigma that it is less secure than onsite data centers; however, safeguarding data depends more upon access protocols and testable firewalls than on the physical location of the data.
Best practices for cloud, hybrid, and on-premise environments involve protecting both the data and access to the data. Proven encryption technologies should be invoked to protect sensitive data at rest and in transit.
Strong access management requires two-factor authentication, which adds a second level of authentication beyond the basic user name and password to prevent identity theft. Ensure that access to your cloud servers is identity-based, and authenticated. In addition, accurate logging and alerts assist in uncovering security issues and patterns.
To ensure cooperation and vigilance on the part of employees, organizations must bring their staff on board from the outset and involve them in the planning and implementation of security policies. In parallel, they must institute centralized identity-based access control and authorization, and enforce safe BYOD policies.
David Miles is the Information Security Manager at Six Degrees Group, a converged technology solutions provider. He has an excellent knowledge base in many security and intelligence disciplines developed during a career spanning the military/commercial/government environment.
To effectively communicate the security risks associated with the use of file sharing and cloud storage services, companies must...
We think an ongoing and fluid approach is best, as cloud technology is in constant flux. Ultimately, however, it's implicit that our employees have a firm understanding of our cloud model because, after all, it's our model! Our priority is ensuring our team can answer any incoming queries and communicate to our customers any factors that may present a risk to their organization.
For this reason, we run training programs for new staff to bring them up to scratch with our cloud model and maintain their awareness by discussing any issues as they arise. If an issue becomes prominent in the media, for example, we will send internal communication explaining it and giving a relatable description of any risks that may present themselves to our staff.
We would recommend that companies follow a similarly ongoing approach for their staff to prevent any mistakes from happening. They may find our approach helpful:
- A robust induction program for staff, including a range of examples of cloud security risks and explanations on how to prevent these
- Regular awareness sessions to highlight any new issues that may present a risk to the organisation's cloud security
- An open policy of internal communication so that employees can comfortably ask questions that may arise around these topics
- Set up an AD (archive directory) that is access-controlled, so that sensitive files can be kept behind limited access - this prevents accidental damage/deletion
Carl Mazzanti of eMazzanti Technologies is continually in touch with the data security space and works aggressively to help his clients make the best security technology decisions. Mazzanti's opinions are informed by 14 years of consulting with growing businesses in the NYC area and internationally. As Microsoft, HP, and WatchGuard’s partner of the year, eMazzanti Technologies has built the organization on data security and helping its customers by implementing data security policy and technology.
Companies seeking to communicate with employees regarding the security risks of file sharing and cloud storage should...
While shared cloud resources are efficient and can offer ease of use, they present a different set of human resource and security challenges not envisioned by many organizations. From company policies, to management communications and ongoing education, companies sharing their data in the cloud or with synchronization-based tools need to focus their security and educational efforts on data movement and the protection of that data. Staff who utilize cloud resources today often connect from non-secured devices. These devices might lack malware protection, updates, or any company policies for data protection. Further, the end-user (staff member) might be connecting to an open access point where the wireless traffic is being intercepted and replayed for malicious purposes. But more often than not, the simple loss of a mobile phone or portable media (laptop / tablet, etc.) containing unsecured company data is never reported to the proper administration within the organization. The data leak has the potential to be business-terminating in almost all scenarios. Communicating these facts via company policies and ongoing education will go a long way towards improving data security. Companies should trust their employees but verify that policies are being followed with regular security audits, preferably from an objective source.
Frank Brandshaw is the founder and Chief Security Officer of Hoike Technologies.
When it comes to communicating with employees about the security risks associated with file sharing and cloud storage, companies should...
Have an open and active security communication plan. Tell everyone you have an open door and are willing to help them. Second, I have lunch-and-learn sessions where I disseminate new information. I would explain to employees things like cloud storage (Dropbox, OneDrive, Google Drive, etc.) and their dangers. And finally, in the enterprise, most organizations should block open access to Dropbox and the like. Unmonitored cloud storage use can expose company documents you may not want to be shared.
Morgan Wright is a recognized expert on international cyber security and U.S. law enforcement. He has been an advisor to the Departments of Justice, Defense and Homeland Security, U.S. State Department, and he has held global executive positions at leading IT and Telecommunications companies. He has also trained thousands of law enforcement officers in the investigation of computer crime, including the FBI.
Companies can effectively communicate the data security risks of file sharing and cloud storage by...
They need to make it personal. No one cares about some faceless person in another company or country. Put your own company face on it and show how using unapproved services will lead to a data breach. And, most assuredly, a data breach will lead to theft of company information, intellectual property, personally identifiable information, and more.
File sharing is like giving out copies of the keys to your front door to anyone who asks. It’s a favorite tool for cyber criminals looking for access to your corporate network. Cloud storage means you don’t have any idea where your information is. And if it’s information that shouldn’t be out there, good luck getting it back.
What does this mean? Loss of jobs, revenue and competitive advantage. It also means 1 out of every 18-20 people at your company will be the victim of identity theft this year. All because someone clicked a link. Because there’s no immediate harm, employees don’t understand the risk. If clicking that same link caused HR and security to come up to you AT THAT EXACT MOMENT and escort you from the building with lots of fanfare (like they do in Las Vegas when they catch a cheat - it’s called deterrence), everyone would think twice, maybe even three times.
Born in 1974, Ashot Oganesyan studied Mathematics at Russia’s Moscow State University of Electronics and Mathematics. In 1996, he founded DeviceLock, which today has over 66,000 customers and 4 million endpoints deployed worldwide. Ashot coordinates all software development for DeviceLock and guides the overall strategic vision and product development roadmap. He has recently invested in Clouderian, a secure cloud data storage for enterprises.
When it comes to communicating the data security risks of file sharing and cloud storage, I recommend...
The only way to keep your company's data both within easy reach and safe while stored or shared is to use the most appropriate cloud solution which matches your real-world business needs and specific data security requirements in full. Unfortunately, none of those world-famous B2C services that you thought of first is likely to be a good fit. They just cannot make sure you do not lose sensitive data, and in the end, maybe even your whole business in the event an employee's password gets compromised, or he loses his logged-in tablet while on a trip, or shares some file with a stranger by pure accident, and so on. But fortunately, there are many enterprise-oriented cloud storage providers who are obsessive about the security issue. It's up to you to choose the most comprehensive and convenient option and avoid missing a relevant challenge point.
There is a vast variety of functions you might need. But anyway, you definitely should require that the cloud storage you choose is supplied with a data loss prevention (DLP) solution that would provide you with comprehensive control over your company's data usage, including employee profile policing and alerting of unauthorized attempts to access files, and to ensure the sensitive information is promptly identified and finely secured against compromise. In case anything even remotely significant is contained in image/photo files, the best service should be equipped with an optical character recognition (OCR) module. All in all, what you need is fine-grained control over a full range of data leakage pathways at both context and content levels, which blocks the disclosure of data on the basis of various compliance regimes: Sarbanes-Oxley, PCI DSS, Combined Code on Corporate Governance (UK), Gramm-Leach-Bliley, FACTA, Basel II, or HIPAA.
Also important is considering the location. If you find some data that doesn't absolutely need to be accessed everywhere and you can name wanted and unwanted territories, just go ahead and look for a cloud system with geolocation control to minimize the risk of data leakage in this way, too. With the rise of positioning technologies, especially hybrid ones, the location-based data protection becomes a must-have and brings cloud storage and sharing security to the next quality level when combined with other DLP settings.
In conclusion, not all clouds are bad. Just find a safe one.
Jaq Andrews is a Marketing & Technology Specialist for Zco Corporation, one of the largest app development companies in the world. He also writes a monthly tech column.
My recommendations for companies seeking to educate employees about the data security risks of file sharing and cloud storage are...
It’s not actually all that difficult to use cloud storage in a secure manner, but clear guidance from employers definitely helps. Workers are going to use cloud storage no matter what, so it’s best to have a company-approved solution for doing so. Whether that’s a well-known service or some kind of custom solution depends on the company’s needs.
Make sure that everyone who needs access to shared storage has it, and that it’s trouble-free. If it’s not easy, employees will just bypass it.
It’s not a great idea to share a password, but if you do, ensure that the right people have it, and change it whenever someone leaves the group.
Remind folks that ANY device on which they access a cloud service is a potential security risk. If an employee loses a personal phone, IT needs to discuss what passwords need to be changed or accounts need to be disabled.
Peer pressure can be useful! If everyone’s using FileBunny*, the one person who uses StorFlake* will find it hard to collaborate. Don’t accommodate the non-team-player. Encourage people who are cooperating to convince Mr./Ms. Non-Conformist to get on board and help everyone do their jobs more efficiently. (Note: Names followed by * are not actual services as far as I know.)
Bill Ho is the CEO of Biscom, the leading provider of secure file transfer, fax, and enterprise file synchronization and sharing solutions for the enterprise. He has over 20 years' experience in the technology industry, heading security initiatives, and most recently participated in the Harvard Business School's panel on cyber security.
Companies can educate employees on the data security risks associated with file sharing and cloud storage by...
When the term “cloud” first started being used almost 10 years ago, how it actually worked wasn’t quite clear to everyone. Although we have a better understanding now, what isn’t as well understood is how our data that resides in the cloud is protected. And the reason for that is that each service provider who offers cloud storage or cloud file sharing implements security differently.
Risks exist whether files are stored locally within a company’s network or in the cloud, and awareness and acceptance of potential data leakage should be understood by all users, no matter where or how the service is being provided.
Michael Ryan brings over 20 years of software development and business experience to his role as CEO at South River Technologies (SRT). In 1992, he was a member of the initial start-up team of Maryland-based OTG Software (OTG was acquired by Legato and subsequently EMC). In 1996, he started KnoWare, Inc., where he developed Internet drive-mapping technology. In 1999, Mr. Ryan joined California-based online storage startup Xdrive as VP of Client Architecture. In 2001 he joined John Glavin to merge KnoWare with Riverfront Software to form South River Technologies.
Companies can effectively communicate the data security risks of file sharing and cloud storage to employees by focusing on...
One area that many businesses need to communicate more effectively to employees is the importance of strong passwords and unique passwords for different services and technologies, including cloud storage and file-sharing applications. By way of example, last year there was a Dropbox breach. This was not due to Dropbox being hacked, but to another service being compromised; the usernames and passwords taken there, which consumers had been re-using across different services, were then used to access Dropbox accounts. Passwords should be long: ideally 12 characters or longer, containing upper and lower case letters, numbers, and special characters. Companies should implement systems that require long passwords. Employees need to understand that there are significant risks from passwords being exposed. It is a possible weak link where employee vigilance makes a huge difference.
Here are my general guidelines:
1. Encourage employees to use secure passwords - and explain what this means to them.
2. Use unique passwords for each application or service.
3. Stop the sharing of passwords - each user should have their own login details.
4. Have and communicate security policies, including no writing of passwords on sticky notes.
5. Consider two-factor authentication or IP address checks for business-sensitive applications.
Adam Lev-Libfeld is the chief engineer and CTO of Tamar Tech Solutions, a cyber security and high performance computing firm with around 12 years of clustering and security experience.
Companies can effectively communicate the risks of file sharing and cloud storage to employees by...
One of the best tools an employer has when trying to effectively communicate risks to employees is their unprotected semi-personal data. Computer workers are prone to making data security-related mistakes, and all the new cloud-sharing tools have only made these mistakes more common.
The main thing to remember is that your employee is not an enemy of the company, and treating him or her as such will only make the employee feel reckless and untrustworthy. Allowing the employee, on the other hand, to create habits that are in the company's best interest is good for both the employee and the company owner.
Treat the employee as a stakeholder in the data exposed, do periodical automated scans for loose files and documents, and show the employees what's out there, but don't limit yourself to company internal information. Search for their exposed personal data, and give them the time and tools to fix with intention what they did wrong by mistake.
Steven J.J. Weisman
Steven J.J. Weisman is a lawyer, college professor, author, and one of the country's leading experts in identity theft and scams. Weisman writes the blog Scamicide.com, where each day he provides new information about the latest scams and identity theft schemes as well as how to protect yourself from them. His latest book is Identity Theft Alert. He has appeared throughout the media as an expert on cybersecurity including Nightline, the Dr. Phil Show, and the Fox Morning Show.
For companies wanting to educate employees on the data security risks of file sharing and cloud storage, I suggest...
Data security today is not served by a once-and-done seminar or alert; it is a continuing process. Whether it is a government agency, a private company, or an individual, by far the most common way that the security of each has been broken is through phishing and spear phishing. A company is only as strong as its weakest link. Too many companies have employees with access to information that they do not need to have access to. Companies should do what they can to continually strengthen their security through the use of a requirement of strong and changing passwords, the use of dual factor authentication (which was available and not used by the celebrities whose nude photos were hacked from the cloud last year), and education that malware primarily comes in through attachments and links in emails.
Certainly, seminars enforcing and then reinforcing best practices for employees to follow are important, and specific examples of phishing used in data breaches should be shown. It also is helpful to have employers phish their employees themselves, not with the goal of embarrassing anyone, but emphasizing how easy it is to fall prey to a phishing email. Contests could even be had for employees to come up with their own phishing emails, which would raise awareness and interest.
Michael Fimin is an accomplished expert in information security and CEO and co-founder of Netwrix, the #1 provider of change and configuration auditing solutions. Netwrix delivers complete visibility into who did what, when, and where across the entire IT infrastructure.
To communicate the risks of file sharing and cloud storage to employees, companies should...
I believe companies should make more effort to raise awareness about simple security and privacy measures among their employees. Even those companies that have some formal policy defining what they expect their employees to do or not do with company assets and data are sometimes in a situation where users do not understand their roles and responsibilities. However, there are steps companies can take today to protect their privacy, and these steps work through helping users realize the importance of these measures, as well as their own roles.
Remember that the success or failure of security policy is often in the hands of your employees. Propagate the internal security policy and organize awareness trainings and regular reminders for users. Your employees need to know their level of responsibility when dealing with sensitive data and know what to do in case of a security violation, e.g., the device is stolen or lost and sensitive data is compromised. However, the main rule here is to trust but verify. You may choose to monitor user accounts with extended privileges and publish anonymous reports on their activity, which is a good method to force staff members to control their actions. To be successful, identify someone who will be directly responsible for staff education, and make regular trainings a part of your internal security policy.
As an experienced information security professional, Fred Menge formed Magnir Group in 2006 after serving in a variety of technical and managerial positions in industries including energy, government, travel, and technology.
Fred's core experience includes areas of information security, records management, and cloud computing. He is an expert at developing records management programs and record retention policies and at conducting operational audits. In addition, he has experience with cloud computing and performs security audits. Fred holds credentials as a Certified Information Systems Auditor (CISA) and a Certified Information Security Manager (CISM).
Fred is a member of the Association of Records Management and Administrators (ARMA), a member of the Northeast Oklahoma Information Systems Audit and Control Association (ISACA), and an adjunct faculty member with Oklahoma State University.
To mitigate the risks of file sharing and cloud storage use by employees, I recommend that companies...
In order to reduce the risks of employee use of cloud storage, organizations should have a cloud storage strategy in place. As a minimum, the cloud strategy should include a company-approved cloud storage provider such as Google Docs, Amazon, or Dropbox. The company should evaluate the cloud provider and ensure the provider has the minimal security controls in place such as password abilities, the ability to retrieve company documents should the employee leave the company, and other means for the company to manage and control ownership of its own data. The company should then communicate their expectations to employees on the use of cloud storage of company data. For example, communicate that we use Google Docs and the employee must use strong password credentials and never share files with unauthorized persons. Another suggestion is to classify the documents that are stored in the cloud. For example, communicate that employees can store unclassified and public documents in the cloud, but secret and proprietary documents must be stored on a company-hosted computer. This way, a company is only risking the loss of non-critical documents should there be a data breach.
Chris Bianco is a Business Improvement Specialist and Technology Tactician for small and medium-sized businesses who created Blue Panther Business Partners to help business owners see and achieve their goals through the company's friendly practical advice and hands-on assistance. Bianco is also a member of MentorsGuild, which connects businesses to top domain experts and thought leaders across the nation.
Companies wanting to effectively communicate the data security risks associated with file sharing and cloud storage services to employees can do so by...
First, let us remove the technology component of cloud storage and file sharing. Take the example of a postcard (yes, antiquated technology). On the postcard, you write a pleasantry to be sent to someone else. That postcard is open for all who handle it to see. Would you consider writing very important or private information on it? Of course not.
File sharing and cloud storage is no different. The file sits on a server outside of your control, and anyone who is maintaining the server or anyone who hacks into the server can see your file.
How do you avoid a file being viewed by anyone who has it within their control? The answer is encryption. Encryption manipulates the contents of the file according to a special key or password that only the intended recipient should know. This key should be complex enough that strategic computer power cannot quickly generate, test, and eventually crack the key when used by an unintended recipient.
Today, encryption looks like the ideal answer, but then again so does the envelope in the post office. At some point in the near future, today's encryption algorithms will not stand up to the speed of code-generating software and flaws in the encryption concept itself.
Essentially, if you want to protect your data, always keep it in your possession and deliver it directly to your intended recipient.
Alex Markowitz is a Systems Engineer for Chelsea Technologies, a managed IT services firm that provides design, implementation, hosting, and support services to the global financial industry. Alex has over 10 years of IT experience in the financial sector.
To best communicate the security risks of the cloud, such as cloud storage and file sharing, companies should...
To best communicate the security risk of the cloud, we in IT need to bring the risks into the real world. Most IT professionals develop this skill in the first few years of their career, and this should be no different. So let's say our users use iPhones. Have the users take out their iPhone, go to Settings - Privacy - Location Services - System Services - Frequent Locations. What will they see? A record of where they have been, including times and dates! Most users will be shocked, and may feel uncomfortable. Why is this data here? Is it being shared with Apple? For what reason? Who can see this data?
Our private information is being recorded like never before, but that is not necessarily a bad thing. The issue stems when users don't understand the connection between their photos, their emails, their data, and how (and where) this data is stored and transmitted.
As IT professionals, we understand that at the end of the day, it only takes one vulnerability to open the door to all of our users' data, and new vulnerabilities are created and exploited daily. So how do we communicate these realities to our users while achieving the following goals?
1) We DO NOT want to create paranoid users! Paranoid users do not think rationally.
2) We want to create a rational user who understands the cloud enough to take security seriously.
3) We don't necessarily need an overly educated user. Chances are we will just bore our users to death and they will not take data security seriously.
So, once again, I want to bring IT into the real world with a day-to-day life metaphor: Most users have at least flirted with the idea of dieting. It is no secret that most diets are not successful; even if we lose the pounds, they usually come back in under a year's time. Instead, the best way to manage our health is a lifestyle change, where we learn how to eat the best foods that we enjoy and satiate us, while also understanding what triggers us to deviate from healthy eating. We use that education to make the right choices every day, but we don't go on some crazy restrictive diet that makes us cranky and crazed. A crazed dieter is no different than our paranoid users who do not think rationally, and are overly reactive to minor threats while ignoring much larger threats. Keep in mind though, a paranoid user is only paranoid because they don't really understand the threat, just an aspect of it.
So we want to create a healthy, well-rounded user. We don't want to scare them (maybe just a little to get their attention), but they need to understand their responsibility. They need to understand that any information on their phone is a button click (if even) from being sent to a server across the globe where they have no ownership of that data. The same is true for any email or file sent to a third-party business or cloud service provider.
That doesn't mean that users cannot use these services, but they need to be aware of what they are sending. They should assume all of their data can be read by someone it is not intended for, so if they are sending data that is truly confidential then they need to be educated on how to encrypt said data. They need to understand that they are responsible for that data and can send/upload it properly.
We teach them to change their workflow to include proper practices, and to understand the risks as well as the benefits of the cloud. Through concise education, we can make users aware of the correct day-to-day decisions they should make to be healthy, confident, and secure cloud users.
Stuart leads product strategy, design, marketing, and client engagement at HighQ. Stuart has a strong background in business strategy and consulting as well as extensive technical and general management experience. Stuart has a diverse background with web technologies and social computing in the professional services industry, having previously worked at leading organisations including Freshfields Bruckhaus Deringer, Hays plc, and Headshift. Stuart has a B.Sc. in Business Administration from Cardiff Business School and a keen interest in the web, social computing, design, and technology in general, in particular how it can be applied in the enterprise to transform the way we work.
My advice for companies wanting to communicate the risks of file sharing and cloud storage is...
The key to communicating the risks is to clearly provide solutions. Companies should make sure that they have methods in place to mitigate the risks associated with file sharing.
Jerry LeNeave is the Lead Service Desk Technician and part-time Technical Writer for Golden Tech. He's been engrossed with technology since the age of 5, and when he's not working, he enjoys working more.
The biggest challenge companies face when educating employees about the data security risks of file sharing and cloud storage is...
I think the biggest hurdles to overcome when bringing employees up to speed on the risks associated with cloud storage and file sharing are proximity and plausibility. As a business owner, you're going to want to get the entire office together for a mandatory data security presentation with a data security expert, because sending out an email or putting tips in a newsletter and hoping it gets absorbed isn't going to cut it. During this presentation, potential dangers expressed should be very tangible, and you should provide examples of real-world consequences that could affect everyone, especially worst-case scenarios. These security risks are often viewed as 'won't happen to us' scenarios, and that's perhaps the most dangerous mindset a company can have when it comes to data security. If businesses have any hope of managing and securing the sensitive data leaving their organization, they need to provide solutions that easily integrate into the daily routines of their employees.
Fahd Khan is the Business Development Manager for the zsah Technology Group. The zsah Technology Group (est. 2002) was born out of a desire to innovate in technology and to develop highly specialised solutions. From inception the zsah teams have lived and breathed the mantra “Exceed Expectations.”
Companies can communicate the data security risks associated with file sharing and cloud storage to employees by...
The cloud and its implementation in businesses is an inevitability, and year after year, more companies are investing in cloud services. However, along with its implementation, companies need to take the responsibility of communicating any file sharing and data security risks that may arise to their employees. There is a misconception that if your company's IT infrastructure is on the cloud, then it is exposed and unsafe; however, this is no different from your in-house server setup, which is also connected and exposed to the internet. The big difference is that cloud companies invest heavily and far more in their clients' security than most companies invest in themselves. One of the reasons for this is that hosting a company's IT infrastructure on the cloud is their bread and butter, so ensuring and guaranteeing your company's data security is absolutely essential. This, however, does not relieve a company of its responsibility to communicate to its employees the importance of data security and file sharing and the risks that can be related to it.
The best advice that I would give any company is that they shouldn't simply tell their employees of the various risks in a one-off meeting or email, but should explain why it is important to protect the company's data as well as inform them of potential risks. The ICO (Information Commissioner's Office) has been busy issuing hefty fines to companies that are negligent when it comes to the protection of their data and security. All employees should be made aware that having a relaxed attitude towards the company's data security can also have a massively negative effect on a company's reputation. Regular reminders are essential, and I would recommend doing this through email reminders as well as via hands-on training and general demonstrations from time to time. Once successfully and consistently implemented, this can also be used to motivate sales staff to use the company's data protection and security policies as a selling point.
Andrew von Ramin Mapp
Andrew von Ramin Mapp is the founder of Data Analyzers, LLC and Forensic Analyzers LLC. He is also a data recovery and digital forensics expert. Mr. Mapp has unquestioned expertise in information security systems. Among other professional experiences, he has designed the Disaster Recovery Solution for Fox News New York and New Jersey.
To communicate the risks of file sharing and data storage to employees, I recommend that companies...
Create a company policy. While it can be a challenge for businesses to monitor and prevent all risky employee activity, a business should create a company policy regarding the use of cloud services and file sharing. The policy can outline how company data can and should be accessed, employing best network security practices, such as what can be shared to the cloud and what data is deemed private.
Set up a cloud encryption gateway. The gateway helps businesses confront cloud security issues by serving as a proxy. It replaces sensitive data with encrypted or tokenized values for storage in the cloud.
Christopher Zybert is the Media Coordinator for New England Document Systems, a New Hampshire-based document scanning and management services provider. For over 30 years New England Document Systems has been providing document conversion and storage solutions to businesses across the Northeast.
Companies can effectively communicate the data security risks associated with file sharing and cloud storage by...
Effectively communicating data security risks in cloud storage and file sharing is easily achieved by presenting employees with sample case studies which embody the threat as they pertain to employee positions. By connecting the risks with specific functions, you will be able to effectively communicate these risks as they pertain to an individual. This will not only help exemplify the threats and promote caution, but also provide a realistic example to remind employees that they have skin in the game.
However, one might argue that communicating these risks is not necessary. Rather than invest time and money on training employees in the art of data security, companies should instead focus their efforts on securing their networks/environments, segmenting their networks, and electronically managing their files with the proper software. Unfortunately, human error will always be a threat to data security, especially when it comes to properly (and securely) managing cloud storage and file sharing. However, with the proper preparation, organizations can prepare for the inevitable human mishap - and will be able to stop threats before they reach an employee. Furthermore, risks specifically related to cloud storage and file sharing can be easily averted with the proper software security features. These features might include IP addressing, timed logouts, audit trails, etc.
J Wolfgang Goerlich
J Wolfgang Goerlich is a Cyber Security Strategist with CBI.
To effectively communicate the security risks of file sharing and cloud storage, companies must...
To be effective, communication about data security risks must be a dialogue. With various studies showing 45-60% of employees use consumer-grade file sharing, we cannot assume the use is accidental or malicious. The conversation must begin with learning what leads employees to use these services and where the current alternatives are failing. By listening to the work being performed and the files being exposed, we can discuss the impact should the files be stolen or misappropriated. We can then highlight ways these sites can increase the organization’s risk and work toward implementing secure alternatives. People are working to get their jobs done, and it is incumbent upon us to help them work securely.
Mike Meikle is a Partner at SecureHIM, a security consulting and education company. SecureHIM provides cyber security training for clients on topics such as data privacy and how to minimize the risk of data breaches. Meikle has worked within the Information Technology and Security fields for over fifteen years. He speaks nationally on Risk Management, Governance and Security topics. Meikle has presented for Intel, McAfee, Financial Times, HIMSS and for other Fortune 500 companies. He is also a published writer with articles that have appeared in American Medical News, CNBC, CIO Magazine, Los Angeles Times and Chicago Tribune. Meikle holds a Certified Information Systems Security Professional (CISSP), a Project Management Professional (PMP) and Six Sigma Green Belt.
My advice for companies seeking to educate employees about the data security risks of file sharing and cloud storage is...
To answer your question, employees need to understand the risks when using consumer-grade cloud storage and file sharing applications. This is best covered in an effective enterprise security training, education, and awareness (TEA) program. In order for the training to be effective, the enterprise leadership would have to have made a significant investment in time, money, dollars, and executive support in the initiative. Unfortunately, the reality in today’s corporate environment for most security training is a canned webinar held yearly that employees rapidly click through or a deck of PowerPoint slides in small font narrated by a non-engaging speaker for an hour. Adding to the risk of cloud storage and file sharing technologies are mobile devices. Often these devices store or access, via the cloud, unencrypted emails, chat, and photos, which are at risk for theft or compromise. When the device is lost, which happens often, then this information could be extracted. Having the right controls (technical and risk management) for your enterprise mobile device and cloud infrastructure is key.
Ryan Satterfield is an Information Security Auditor and Founder of the security company Planet Zuda.
To communicate the security risks associated with cloud storage and file sharing, I recommend...
It's extremely important for customers to know what the cloud actually is. I know one person who thought the cloud was a satellite where all the information was stored. This is due to companies not explaining what the buzzword means. The easiest way to explain the cloud and file sharing is to ask the person: Would you want anyone to see that? You've completely relinquished most of your control over that information.
A cloud is actually a good way to describe many cloud services, because some of them, including more popular ones, pour data that customers believe is private onto the web for anyone to find via a refined Google search called a Google dork. When I show people their data is publicly available, then they freak out and realize the consequences of trusting someone else to hold onto your belongings.
It is important to add that there are some good cloud companies and the issue of leaking data isn't specific just to cloud or file sharing platforms. This is an issue on which consumers should be speaking up and saying, "We pay you to keep our data private, not to have it indexed by Google!" Also, I am not trying to pick on Google, since any search engine can index this data. Google has actually made several changes to their search engine to avoid indexing some very sensitive info we contacted them about, such as cameras that are supposed to be private.
Jibey Asthappan is an Assistant Professor of Criminal Justice at The University of New Haven. He provides undergraduate and graduate level education to students interested in pursuing careers in the Department of Defense and other government agencies. His expertise in policy analysis and program evaluation has produced scholarly literature on the effectiveness of counter-terrorism policy. His unique background allows him to integrate the often disconnected perspectives of academicians and practitioners.
Companies that want to communicate the security risks of file sharing and cloud storage should...
Firms need to discuss with employees how cloud storage works and what property rights are augmented when cloud storage is used. In addition, security used for each host should be reviewed and the potential for the information to be spied on, obtained, or manipulated should be investigated. Cloud storage is a low-cost and reliable alternative to local storage, but the risks of such storage cannot be in any way unclear to users.
Paul Hill is a senior consultant at SystemExperts.
The best way to communicate the security risks of file sharing and cloud storage is...
All companies should have a security awareness training program in place to provide ongoing and recurring training of security-related issues to all employees. Some companies perform this by sending monthly emails, others require physical attendance at presentations, while the rest provide online video with post presentation evaluations.
All companies should also have an acceptable use policy (AUP) that covers a wide range of topics. Traditionally, AUPs have covered acceptable use of email and personal use of company computer systems. In recent years, most companies have updated AUPs to address such topics as social media, use of personally owned smart phones, tablets, the use of cloud storage, and file sharing services.
While all companies should also have a data classification and data handling policy, the reality is that fewer companies have such a policy in place. A data handling policy should tell users where they are allowed to store different types of company data, what protections are required, and what authorizations are necessary to use unlisted alternatives.
Good security awareness programs usually leverage recent incidents from around the world that have attracted media coverage. In 2014, a number of private images of celebrities were posted to the 4chan site. In at least one case, a celebrity had deleted the image from the phone before the image was stolen, but the image did not get automatically deleted from the cloud. It was determined that the photos had been stolen from the Apple iCloud system. Apple later confirmed that the images had come from iCloud, but that they had been obtained by compromising user accounts rather than through any specific security vulnerability in the iCloud service itself.
Using this type of example in a timely manner as part of security awareness training can be very effective. It may get employees asking questions and checking their configurations. When using these types of examples, they should serve as a starting point. The training should lead employees through thinking about the potential impact if corporate data was stored on the same or similar system.
Another example that could be used during security awareness training is Dropbox, a very popular file sharing service. More than 2 years ago, Dropbox had a brief period of time during which anyone could access any file stored by Dropbox just by knowing the correct URL. That was a temporary situation, but it could have had devastating impact on companies if employees had stored sensitive data on Dropbox and it had been disclosed. It demonstrates the loss of user control when using these services. Users of these services are entirely dependent on the capabilities, competencies, and corporate goals of the third-party provider.
One of the biggest problems is that without training, employees often may not know where their data is being stored. Many mobile phone apps provide tight integration with a variety of cloud-based storage systems. In many cases, the app vendor, or phone vendor, may not provide adequate information to the users to make them aware of where the data is stored, who may access the data, how long it may be retained, or the security controls in place to protect the information.
Making employees aware of the risks and getting them to ask relevant questions is a critical component of good security.