Content asset protection: How to combat the ‘inside job’

The Target and Home Depot data breaches highlight the need content asset protection from external threats. But what about threats from an 'inside job'?

Target. Home Depot. Premera Blue Cross. Anthem.

The list of companies beset by high-visibility breaches of information security is long and getting longer. But even as these incidents highlight the need to defend your content assets from unauthorized outside access, it's equally critical to protect those assets from within a company's four walls as well.

Protecting information assets from threats on the inside don't always involve, say, a disgruntled employee who wants to do the organization harm (although that does happen). More often, in fact, day-to-day operations lead to inadvertent consequences and enterprise data security issues.

Case in point: Shared-drive shenanigans

For example, many companies assign their employees space on a shared drive to store their documents. Even if the drive is insulated from outside attack by a strong firewall and a hardened network, the directories on it often may not even be password-protected. This means that anyone in any department can see a lot of information they probably shouldn't, and can repurpose it in ways they probably oughtn't (e.g., "I'll just use Fred's old contract as a template for the new one I'm writing.").

It's time to start thinking beyond keeping outsiders out of your content and focus more on bringing your insiders to heel.

Other problems stem from the creation of duplicate files when, say, everybody on the "To:" line of a group email saves an attached document to his or her own directory. Because anyone who received the document can then forward it to others they think should have it too, the organization can quickly lose sight of who's using it and for what purpose, and thus can't ensure the most recent and accurate version is the one in circulation.

Use technology to align permissions with roles

Compliance officers, records managers and information professionals of any proficiency know full well that the scenario just painted -- and others like it -- opens the door to all kinds of enterprise data security risks: process inefficiencies that can diminish profits, monetary fines stemming from privacy violations that contravene any number of regulations and perhaps even incarceration of key executives who have knowingly taken content security shortcuts. So there is no lack of motivation for organizations solve the problem.

Happily, there is a good deal of technology whose ability to solve the problem has been proven, and some of the more interesting options enable fairly granular control of content access.

Most any solution worth its salt will allow you to lock people out on a repository level. ("Not in accounting? Then you can't get into this system.") But as you go up the scale of technical sophistication, you'll find you can restrict access to specific directories in the repository, or to individual documents in a directory, or even to particular sections of a document.

While this means you can precisely target who gets access to what, doing so requires that you fully understand who plays what role in the company. Otherwise, you can't determine which bits of content people are allowed to see, manipulate, and/or share -- and how to amend or revoke those permissions should they change positions or exit the company.

Managing inside jobs

The need for enterprise data security to protect content assets from the inside-out is surprisingly common. According to cybersecurity company BeyondTrust, nearly half of respondents to a survey admitted "they have employees with access rights not necessary to their current role, [and] more than one out of four companies indicated they have no controls in place to manage privileged access."

If yours is among this 25% of companies, it's time to start thinking beyond keeping outsiders out of your content and focus more on bringing your insiders to heel -- whether or not they have evil-doing in mind.

Next Steps

Going paperless can better secure your data assets

Security Controls Move to Information Assets

Cloud File Sharing Protects Enterprise Information – and Human Rights


Dig Deeper on Information governance management