Sonny Hashmi, profile picture
Uploaded bySonny Hashmi
PPTX, PDF765 views

Securing your digital world cybersecurity for sb es

This document provides recommendations for small businesses to improve cyber security. It discusses how (1) changing the conversation with end users to be more empathetic and focus on usability can improve security, (2) implementing multi-factor authentication and centralized identity management can replace passwords for stronger access control, and (3) leveraging trusted cloud solutions allows businesses to benefit from economies of scale for security compliance. It also recommends (4) making endpoints as minimal as possible by storing all data in the cloud and browser, and (5) recentralizing content to eliminate silos and enforce consistent policies. The document emphasizes that security should not get in the way of productivity and usability.

Embed presentation

Downloaded 15 times
1 Securing your Digital World Cyber Security for Small Business Enterprises Sonny Hashmi Managing Director, Global Public Sector, Box
The Small Business Technology Coalition Box is proud to be a founding member of the "Small Business Technology Coalition" established by the US Small Business Administration (SBA), a partnership of private sector technology companies, committed to the success of small businesses across America. We are excited to offer technology expertise and knowledge, as well as a starter set of tools to members of the small business community. List of Upcoming Events (https://www.sba.gov/techcoalition/events) SBA's participation in this cosponsored activity is not an endorsement of the views, opinions, products or services of any cosponsor or other person or entity. All SBA programs and services are extended to the public on a nondiscriminatory basis. Cosponsorship Authorization #16-3010-67 & #16-3010-99.
Cyber-security challenges are escalating
Cyber-security is a top priority for leaders
Some numbers to get you thinking… • End users are perceived as the single weakest link in security infrastructure by 95% of IT pros • Security is considered more important (and therefore supercedes) than convenience in 63% of organizations • 54% of security breaches caused by human error • $3.8M average cost of a data breach to a company’s bottom line • 43% of teams and departments acknowledge using cloud services in companies that forbid cloud use (or have no plans to use cloud) • Average company CIO acknowledges using 6-8 cloud services • Average company actually uses 45-50 cloud services, some over 200!
SpiceWorks voice of IT for SMB priorities
9 Cloud services are not the enemy In fact, modern enterprise cloud solutions are generally much more secure than traditional/legacy IT systems
Traditional security model is not sufficient Collaborator Supplier Customer Mobile Social Rich Media Collaboration Context Workflow Location
Modern Enterprise Security Challenges Email attachments FTP Mailing CDs / USBs Duplication of files Use of online apps Smart people / dumb actions Organized Crime State / Corporate Espionage INSECURE COLLABORATION DATA PROLIFERATION HUMAN NATURE 49 file sharing services are used on average in a single company. - Skyhigh Networks study of 250 companies – Q1 2015 Cloud Adoption Report 54% of security breaches are due to human error. - CompTIA study 2012 58% of senior managers have sent sensitive information to the wrong person. - CSO Magazine, Study by Stroz Friedberg Stolen devices Lost devices Insecure back ups 4.3% of phones used by or issued to employees are lost or stolen annually. - McAfee and Ponemon Study INSECURE DEVICES
The Unstructured content challenge • Includes financial transactions, billing information, and inventory • Typically resides in systems of records designed to handle specific types of information • Typically managed through system access controls • Limited need to collaborate with internal and external parties • Lots of industry maturity around securing such data • Includes every type of corporate information including employee records, invoices, contracts, strategy documents, forecasts, intellectual property, etc. • Tends to be “all over the place” among systems, laptops, email attachments, thumb drives • Highly collaborative in nature (working drafts, reviews, signatures, etc.) • Usually no “system of record” • Low industry maturity and best practices Structured data Unstructured content
13 No one comes to work excited about spending all day complying with IT security policies 99.9% of employees just want to do a good job, and feel that onerous IT policies get in their way of being effective IT security must be designed to be seamless to the end user, or it simply wont work (e.g. iPhone TouchID login) Burdensome policies and onerous restrictions just encourages people to “go around the system” thereby making things less secure
14 5 things business leaders should consider to keep their digital information secure, and protect their companies
1. Change the conversation with end users Empathize: Start with human experiences and needs • Understand the day to day pain points and points of friction in users’ daily work • Strategize to reduce the number of end points and silos users have to navigate • Automate decisions around where content and data should live so users don’t have to Question Assumptions and Re-think approaches • Instead of trying to block unsanctioned usage, learn and deliver solutions that users need so they don’t have to go around policies • Instead of mandating users not use untrusted devices, find ways to keep identities and data secure on any device the user chooses to use Seek Simplicity as a design principle for your IT environment • Use technologies that put user centricity and design first, to make users’ work simpler • Automate ancillary tasks such as versioning, retention, notifications, search and compliance through smart defaults and policy enforcement • Give end users as much autonomy as possible, while maintaining visibility at the enterprise level, setting “guard rails” for accepted behaviors
2. Kill the password through better access management Centralize identities for you enterprise users • Think about internal AND external users who need to work together to run your business • Establish identity and access management policies – How do internal people authenticate to your systems? What about external users? • Implement a centralized identity management system where policies are implemented and user identities “live” – Modern cloud technologies offer many cost effective options. Implement multi-factor authentication (MFA) • Integrate your IDM with all critical business systems and content stores • Require one, simple, trusted MFA process for access to all corporate data • Think about all access scenarios including access from your corporate network and outside it Periodically audit and clean up your identities • Automate rules around auto-account lockout after period of inactivity • Tie user identities with your HR system of record to automatically provision and de-provision accounts • Perform periodic audits of account activity, user behavior, and clean up as you go • Use automated policies in your systems and tools to flag anomalous behavior
3. Let the cloud do the heavy lifting for you Identify trusted enterprise cloud solutions for your IT environment • Leverage Gartner, Forrester and others to understand company landscape for each area of enterprise IT you need to solve for (HR, CRM, IDM, ERP, ECM, etc.) • Ask tough question, do pilots, talk to other customers • Buy platforms, not tools or solutions. Your IT environment should comprise of a set of trusted platforms that work together. • Require and review how your cloud providers meet your security expectations Leverage economies of scale for compliance • Leverage the investments cloud service providers have made to achieve HIPAA, FINRA, PCI, FedRAMP, etc. to bring your environment into compliance • Leverage the scalability and cost effectiveness to reduce internal complexities and cost • Scale up or down as your business demands without having to invest capital, while ensuring your data is private, secure and safeguarded. Continuously monitor your cloud environment • Require complete transparency from your providers into all user activities, logs and event notifications.
4. Make the end points as dumb as possible Move all data out of your end points by using browser-based cloud solutions • Reduce the risk associated with end points getting breached, lost or stolen, by ensuring no data sits on them (laptops or mobile) • Keep all data in the cloud, accessible and used within the browser, protected through MFA • Invest in cloud based end point management tools to enforce policies on which applications are allowed, and what data can be stored and how Get rid of thick clients, move to the browser • Managing thick clients open up numerous security challenges (patching, upgrades, etc.). Actively work to eliminate thick clients and end point software from your environment • Require that your enterprise software vendors can support 100% of offered functionality in the browser and on mobile devices without additional plugins and specialized toolkits • Train your employees to keep their data in the browser, access from anywhere, but resist the urge to download data to their local machines Use technologies that work together in the browser • Expect the technologies you select to work with others to provide end-end business workflows in the browser (e.g. create a document in O365, collaborate in Box, and sign with DocuSign in the browser)
5. Re-centralize to get a handle on unstructured content Develop a content strategy for your organization • Figure out where your corporate content should sit, who owns it, how long you should keep it, who gets to access it, and how such decisions are made • Ensure users at all level are aware of, and understand the corporate content policy • Use user centered design approaches to make sure the policy strikes the right balance between security and productivity Move your corporate content into one trusted place • Actively eliminate silos where content resides (Network File stores, email attachments, FTP servers, DVDs, Tape backups, laptop hard drives, etc.) • Select and deploy a content platform that meets stringent content lifecycle security and compliance requirements, but allows users to collaborate, access and work on their content from anywhere • Migrate content from the various silos into the new content platform, and assign security rights, metadata and retention policies. Automate content policy enforcement • Implement automated content policies that establish “guard rails” for users, without unnecessarily getting in their way of doing day to day work.
Additional resources 1. Applying Design thinking to Enterprise Security – White Paper 2. Info-graphic – Design thinking and enterprise security 3. Secure File Sharing Basics – What every file sharing provide should have 4. De-criminalize your colleagues – How to address shadow IT in the enterprise 5. Secure Collaboration Primer – The Perils of Email attachments 6. Redefining Content Security – White Paper 7. Enterprise Trends – Cyber security in the cloud – Info-graphic
21 Thank you Questions sonny@box.com

More Related Content

PPTX
An Introduction on Design and Implementation on BYOD and Mobile Security
bySina Manavi
 
PPTX
Security For Business: Are You And Your Customers Safe
bywoodsy01
 
PDF
3 ways to secure your law firm’s information and reputation
byNikec Solutions
 
PDF
En msft-scrty-cntnt-e book-protectyourdata
byOnline Business
 
PDF
BYOD: Device Control in the Wild, Wild, West
byJay McLaughlin
 
PDF
The Three Critical Steps for Effective BYOD Management
byKaseya
 
PDF
5 Essential Tips for Creating An Effective BYOD Policy
byKaseya
 
PPTX
Extending security in the cloud network box - v4
byValencell, Inc.
 
An Introduction on Design and Implementation on BYOD and Mobile Security
bySina Manavi
 
Security For Business: Are You And Your Customers Safe
bywoodsy01
 
3 ways to secure your law firm’s information and reputation
byNikec Solutions
 
En msft-scrty-cntnt-e book-protectyourdata
byOnline Business
 
BYOD: Device Control in the Wild, Wild, West
byJay McLaughlin
 
The Three Critical Steps for Effective BYOD Management
byKaseya
 
5 Essential Tips for Creating An Effective BYOD Policy
byKaseya
 
Extending security in the cloud network box - v4
byValencell, Inc.
 

What's hot

ODP
Byod
byAsifulla Azad
 
PPTX
BYOD (Bring Your Own Device) Risks And Benefits
byModis
 
PDF
Information Security It's All About Compliance
byDinesh O Bareja
 
PPTX
BYOD
byNeeraj Muduli
 
PDF
Security Awareness Training
byDaniel P Wallace
 
PDF
Bring Your Own Device (BYOD)
byMurray Security Services
 
PPTX
Bring Your Own Device (BYOD)
byk33a
 
PDF
Security Awareness
byDinesh O Bareja
 
PPT
Information security.pptx
byVeer Rengu korku Govt. College Khaknar
 
PDF
Bring your own device
byC/D/H Technology Consultants
 
PDF
08 pdf show-239
by#TheFraudTube
 
PDF
Jms secure data presentation
byJMS Secure Data
 
PPTX
BREACHED: Data Centric Security for SAP
byUL Transaction Security
 
PDF
Classification-HowToBoostInformationProtection
byGianmarco Ferri
 
PDF
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH
byEQS Group
 
PDF
7.5 steps to overlaying byod & iot
byCaston Thomas
 
PDF
M&A security - E-crime Congress 2017
byEQS Group
 
PPTX
From reactive to automated reducing costs through mature security processes i...
byNetIQ
 
PDF
An Empirical Study on Information Security
byijtsrd
 
PPTX
Leveraging Identity to Manage Change and Complexity
byNetIQ
 
Byod
byAsifulla Azad
 
BYOD (Bring Your Own Device) Risks And Benefits
byModis
 
Information Security It's All About Compliance
byDinesh O Bareja
 
BYOD
byNeeraj Muduli
 
Security Awareness Training
byDaniel P Wallace
 
Bring Your Own Device (BYOD)
byMurray Security Services
 
Bring Your Own Device (BYOD)
byk33a
 
Security Awareness
byDinesh O Bareja
 
Information security.pptx
byVeer Rengu korku Govt. College Khaknar
 
Bring your own device
byC/D/H Technology Consultants
 
08 pdf show-239
by#TheFraudTube
 
Jms secure data presentation
byJMS Secure Data
 
BREACHED: Data Centric Security for SAP
byUL Transaction Security
 
Classification-HowToBoostInformationProtection
byGianmarco Ferri
 
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH
byEQS Group
 
7.5 steps to overlaying byod & iot
byCaston Thomas
 
M&A security - E-crime Congress 2017
byEQS Group
 
From reactive to automated reducing costs through mature security processes i...
byNetIQ
 
An Empirical Study on Information Security
byijtsrd
 
Leveraging Identity to Manage Change and Complexity
byNetIQ
 

Viewers also liked

PPTX
Information Security For Small Business
byJulius Clark, CISSP, CISA
 
PDF
Windows 10 Enterprise E3 - Best in Class Security and Control - Presented by ...
byDavid J Rosenthal
 
PDF
12 Days of Productivity
byRedbooth
 
PPT
Disaster Recovery & Data Backup Strategies
bySpiceworks
 
PDF
The Rise of Data Breaches in Small Businesses
byFirst American Payment Systems
 
PDF
Robbery Prevention for Small Businesses
byFundera
 
PPTX
Information security and protecting your business
byBizSmart Select
 
PPTX
5 Step Data Security Plan for Small Businesses
byWilkins Consulting, LLC
 
PDF
Security Guide For Small Business
byBrendanRose
 
PPTX
5 Network Security Threats Facing Businesses Today
byVelocity Network Solutions
 
PPTX
7 Small Business Security Tips
byInfusionsoft
 
PPTX
Will Your Business Get Hacked - Hull (Apr 28)
byHBP Systems Ltd
 
PDF
Small Business Technology Challenges
byInfinity Technologies
 
PPSX
Big Data for Small Businesses
byVivastream
 
PDF
Security Bootcamp for Startups and Small Businesses
byAlison Gianotto
 
DOCX
Certificate of Completion- Data Privacy and Security
byLatha Menon
 
PPTX
Small business data security
byDavid Usher
 
Information Security For Small Business
byJulius Clark, CISSP, CISA
 
Windows 10 Enterprise E3 - Best in Class Security and Control - Presented by ...
byDavid J Rosenthal
 
12 Days of Productivity
byRedbooth
 
Disaster Recovery & Data Backup Strategies
bySpiceworks
 
The Rise of Data Breaches in Small Businesses
byFirst American Payment Systems
 
Robbery Prevention for Small Businesses
byFundera
 
Information security and protecting your business
byBizSmart Select
 
5 Step Data Security Plan for Small Businesses
byWilkins Consulting, LLC
 
Security Guide For Small Business
byBrendanRose
 
5 Network Security Threats Facing Businesses Today
byVelocity Network Solutions
 
7 Small Business Security Tips
byInfusionsoft
 
Will Your Business Get Hacked - Hull (Apr 28)
byHBP Systems Ltd
 
Small Business Technology Challenges
byInfinity Technologies
 
Big Data for Small Businesses
byVivastream
 
Security Bootcamp for Startups and Small Businesses
byAlison Gianotto
 
Certificate of Completion- Data Privacy and Security
byLatha Menon
 
Small business data security
byDavid Usher
 

Similar to Securing your digital world cybersecurity for sb es

PDF
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byhomjpxaa9886
 
PPTX
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
PDF
110307 cloud security requirements gourley
byGovCloud Network
 
PDF
Azstec cyber-security-workbook
byYulia Dianova
 
PDF
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byfoxyyhqlcu515
 
PDF
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byosikalopex47
 
PDF
ASMC 2017 - Martin Vliem - Security < productivity < security: syntax ...
byPlatformSecurityManagement
 
PPTX
Presentation 10.pptx
bymishogelashvili28
 
PDF
Manage risk by protecting apps, data and usage
byCitrix
 
PPTX
Empired Convergence 2017 - Keeping Pace, Staying Safe in the Digital World
byEmpired
 
PDF
New technologies - Amer Haza'a
byFahmi Albaheth
 
PDF
Measure To Avoid Cyber Attacks
bySkillmine Technology Consulting
 
PDF
Measures to Avoid Cyber-attacks
bySkillmine Technology Consulting
 
PDF
Corona| COVID IT Tactical Security Preparedness: Threat Management
byRedZone Technologies
 
PPTX
Privacies are Coming
byErnest Staats
 
PPSX
Meraj Ahmad - Information security in a borderless world
bynooralmousa
 
PPTX
NZISF Talk: Six essential security services
byHinne Hettema
 
PDF
Security Hurts Business - Don't Let It
byPeak 10
 
PPTX
Unc charlotte prezo2016
bySanjay R. Gupta
 
PDF
Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...
byMicrosoft
 
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byhomjpxaa9886
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
110307 cloud security requirements gourley
byGovCloud Network
 
Azstec cyber-security-workbook
byYulia Dianova
 
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byfoxyyhqlcu515
 
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byosikalopex47
 
ASMC 2017 - Martin Vliem - Security < productivity < security: syntax ...
byPlatformSecurityManagement
 
Presentation 10.pptx
bymishogelashvili28
 
Manage risk by protecting apps, data and usage
byCitrix
 
Empired Convergence 2017 - Keeping Pace, Staying Safe in the Digital World
byEmpired
 
New technologies - Amer Haza'a
byFahmi Albaheth
 
Measure To Avoid Cyber Attacks
bySkillmine Technology Consulting
 
Measures to Avoid Cyber-attacks
bySkillmine Technology Consulting
 
Corona| COVID IT Tactical Security Preparedness: Threat Management
byRedZone Technologies
 
Privacies are Coming
byErnest Staats
 
Meraj Ahmad - Information security in a borderless world
bynooralmousa
 
NZISF Talk: Six essential security services
byHinne Hettema
 
Security Hurts Business - Don't Let It
byPeak 10
 
Unc charlotte prezo2016
bySanjay R. Gupta
 
Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...
byMicrosoft
 

Recently uploaded

PPTX
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
PPSX
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
PDF
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
PDF
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
PDF
UiPath Veterans Day Acknowledgement and Benefits
byDianaGray10
 
PPTX
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
PDF
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
PDF
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
PDF
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
PDF
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
PPTX
A GREEN BUSINESS TOOLKIT FOR EARLY-STAGE ENTREPRENEURS (1).pptx.pptx
bylearnskillsofficial1
 
PDF
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
PDF
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
PDF
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
Manage Networking in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
WebXR in Android and Linux with OpenXR
byIgalia
 
PDF
Wrapping up unowned UTF8 C strings: CStringView
byIgalia
 
PDF
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
PPTX
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
UiPath Veterans Day Acknowledgement and Benefits
byDianaGray10
 
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
A GREEN BUSINESS TOOLKIT FOR EARLY-STAGE ENTREPRENEURS (1).pptx.pptx
bylearnskillsofficial1
 
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Manage Networking in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
WebXR in Android and Linux with OpenXR
byIgalia
 
Wrapping up unowned UTF8 C strings: CStringView
byIgalia
 
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 

Securing your digital world cybersecurity for sb es

  • 1.
    1 Securing your DigitalWorld Cyber Security for Small Business Enterprises Sonny Hashmi Managing Director, Global Public Sector, Box
  • 2.
    The Small BusinessTechnology Coalition Box is proud to be a founding member of the "Small Business Technology Coalition" established by the US Small Business Administration (SBA), a partnership of private sector technology companies, committed to the success of small businesses across America. We are excited to offer technology expertise and knowledge, as well as a starter set of tools to members of the small business community. List of Upcoming Events (https://www.sba.gov/techcoalition/events) SBA's participation in this cosponsored activity is not an endorsement of the views, opinions, products or services of any cosponsor or other person or entity. All SBA programs and services are extended to the public on a nondiscriminatory basis. Cosponsorship Authorization #16-3010-67 & #16-3010-99.
  • 3.
  • 4.
    Cyber-security is atop priority for leaders
  • 7.
    Some numbers toget you thinking… • End users are perceived as the single weakest link in security infrastructure by 95% of IT pros • Security is considered more important (and therefore supercedes) than convenience in 63% of organizations • 54% of security breaches caused by human error • $3.8M average cost of a data breach to a company’s bottom line • 43% of teams and departments acknowledge using cloud services in companies that forbid cloud use (or have no plans to use cloud) • Average company CIO acknowledges using 6-8 cloud services • Average company actually uses 45-50 cloud services, some over 200!
  • 8.
    SpiceWorks voice ofIT for SMB priorities
  • 9.
    9 Cloud services arenot the enemy In fact, modern enterprise cloud solutions are generally much more secure than traditional/legacy IT systems
  • 10.
    Traditional security modelis not sufficient Collaborator Supplier Customer Mobile Social Rich Media Collaboration Context Workflow Location
  • 11.
    Modern Enterprise SecurityChallenges Email attachments FTP Mailing CDs / USBs Duplication of files Use of online apps Smart people / dumb actions Organized Crime State / Corporate Espionage INSECURE COLLABORATION DATA PROLIFERATION HUMAN NATURE 49 file sharing services are used on average in a single company. - Skyhigh Networks study of 250 companies – Q1 2015 Cloud Adoption Report 54% of security breaches are due to human error. - CompTIA study 2012 58% of senior managers have sent sensitive information to the wrong person. - CSO Magazine, Study by Stroz Friedberg Stolen devices Lost devices Insecure back ups 4.3% of phones used by or issued to employees are lost or stolen annually. - McAfee and Ponemon Study INSECURE DEVICES
  • 12.
    The Unstructured contentchallenge • Includes financial transactions, billing information, and inventory • Typically resides in systems of records designed to handle specific types of information • Typically managed through system access controls • Limited need to collaborate with internal and external parties • Lots of industry maturity around securing such data • Includes every type of corporate information including employee records, invoices, contracts, strategy documents, forecasts, intellectual property, etc. • Tends to be “all over the place” among systems, laptops, email attachments, thumb drives • Highly collaborative in nature (working drafts, reviews, signatures, etc.) • Usually no “system of record” • Low industry maturity and best practices Structured data Unstructured content
  • 13.
    13 No one comesto work excited about spending all day complying with IT security policies 99.9% of employees just want to do a good job, and feel that onerous IT policies get in their way of being effective IT security must be designed to be seamless to the end user, or it simply wont work (e.g. iPhone TouchID login) Burdensome policies and onerous restrictions just encourages people to “go around the system” thereby making things less secure
  • 14.
    14 5 things businessleaders should consider to keep their digital information secure, and protect their companies
  • 15.
    1. Change theconversation with end users Empathize: Start with human experiences and needs • Understand the day to day pain points and points of friction in users’ daily work • Strategize to reduce the number of end points and silos users have to navigate • Automate decisions around where content and data should live so users don’t have to Question Assumptions and Re-think approaches • Instead of trying to block unsanctioned usage, learn and deliver solutions that users need so they don’t have to go around policies • Instead of mandating users not use untrusted devices, find ways to keep identities and data secure on any device the user chooses to use Seek Simplicity as a design principle for your IT environment • Use technologies that put user centricity and design first, to make users’ work simpler • Automate ancillary tasks such as versioning, retention, notifications, search and compliance through smart defaults and policy enforcement • Give end users as much autonomy as possible, while maintaining visibility at the enterprise level, setting “guard rails” for accepted behaviors
  • 16.
    2. Kill thepassword through better access management Centralize identities for you enterprise users • Think about internal AND external users who need to work together to run your business • Establish identity and access management policies – How do internal people authenticate to your systems? What about external users? • Implement a centralized identity management system where policies are implemented and user identities “live” – Modern cloud technologies offer many cost effective options. Implement multi-factor authentication (MFA) • Integrate your IDM with all critical business systems and content stores • Require one, simple, trusted MFA process for access to all corporate data • Think about all access scenarios including access from your corporate network and outside it Periodically audit and clean up your identities • Automate rules around auto-account lockout after period of inactivity • Tie user identities with your HR system of record to automatically provision and de-provision accounts • Perform periodic audits of account activity, user behavior, and clean up as you go • Use automated policies in your systems and tools to flag anomalous behavior
  • 17.
    3. Let thecloud do the heavy lifting for you Identify trusted enterprise cloud solutions for your IT environment • Leverage Gartner, Forrester and others to understand company landscape for each area of enterprise IT you need to solve for (HR, CRM, IDM, ERP, ECM, etc.) • Ask tough question, do pilots, talk to other customers • Buy platforms, not tools or solutions. Your IT environment should comprise of a set of trusted platforms that work together. • Require and review how your cloud providers meet your security expectations Leverage economies of scale for compliance • Leverage the investments cloud service providers have made to achieve HIPAA, FINRA, PCI, FedRAMP, etc. to bring your environment into compliance • Leverage the scalability and cost effectiveness to reduce internal complexities and cost • Scale up or down as your business demands without having to invest capital, while ensuring your data is private, secure and safeguarded. Continuously monitor your cloud environment • Require complete transparency from your providers into all user activities, logs and event notifications.
  • 18.
    4. Make theend points as dumb as possible Move all data out of your end points by using browser-based cloud solutions • Reduce the risk associated with end points getting breached, lost or stolen, by ensuring no data sits on them (laptops or mobile) • Keep all data in the cloud, accessible and used within the browser, protected through MFA • Invest in cloud based end point management tools to enforce policies on which applications are allowed, and what data can be stored and how Get rid of thick clients, move to the browser • Managing thick clients open up numerous security challenges (patching, upgrades, etc.). Actively work to eliminate thick clients and end point software from your environment • Require that your enterprise software vendors can support 100% of offered functionality in the browser and on mobile devices without additional plugins and specialized toolkits • Train your employees to keep their data in the browser, access from anywhere, but resist the urge to download data to their local machines Use technologies that work together in the browser • Expect the technologies you select to work with others to provide end-end business workflows in the browser (e.g. create a document in O365, collaborate in Box, and sign with DocuSign in the browser)
  • 19.
    5. Re-centralize toget a handle on unstructured content Develop a content strategy for your organization • Figure out where your corporate content should sit, who owns it, how long you should keep it, who gets to access it, and how such decisions are made • Ensure users at all level are aware of, and understand the corporate content policy • Use user centered design approaches to make sure the policy strikes the right balance between security and productivity Move your corporate content into one trusted place • Actively eliminate silos where content resides (Network File stores, email attachments, FTP servers, DVDs, Tape backups, laptop hard drives, etc.) • Select and deploy a content platform that meets stringent content lifecycle security and compliance requirements, but allows users to collaborate, access and work on their content from anywhere • Migrate content from the various silos into the new content platform, and assign security rights, metadata and retention policies. Automate content policy enforcement • Implement automated content policies that establish “guard rails” for users, without unnecessarily getting in their way of doing day to day work.
  • 20.
    Additional resources 1. ApplyingDesign thinking to Enterprise Security – White Paper 2. Info-graphic – Design thinking and enterprise security 3. Secure File Sharing Basics – What every file sharing provide should have 4. De-criminalize your colleagues – How to address shadow IT in the enterprise 5. Secure Collaboration Primer – The Perils of Email attachments 6. Redefining Content Security – White Paper 7. Enterprise Trends – Cyber security in the cloud – Info-graphic
  • 21.

Editor's Notes

  • #11 The traditional model of IT security assumed that all work happened within the enterprise. Therefore, the focus was always on hardening the enterprise perimeter and adding a lot of friction at this perimeter to make it hard to get data out. Within the perimeter, an organization would have its end users, their off line files, end points, and the regular complement of servers, storage, network and content. However, as organizations evolve and grow, maintaining this model does not scale well. As the footprint of the organization grows into large globally diverse, the network boundary gets harder to define. Complicating matters further, Each organization today must work with an ecosystem of external stakeholders, including collaborators, suppliers and customers, deal with new work models, including mobility, social engagement, and management of rich media, and work in new ways, including context awareness, workflow automation, collaboration and location enablement. Each of these new paradigms must work seamlessly between internal users and external partners, making it impossible for IT teams to successfully identify, protect and manage a traditional network “perimeter”
  • #12 Since the rise of the client-server model, IT has steadily moved from a centralized computing model to a highly decentralized one. This shift has dramatically accelerated in the last several years, fueled by mobility, cloud services and service-oriented platforms. Business users have seen great benefits as a result, but now the modern enterprise is burdened with challenges like insecure devices and communications, content sprawl, and the persistent risk of human error. Insecure Devices. The BYOD trend increases device risks. In a company of 100 employees, 4 phones will go missing. Insecure Communication. Senior executives are so busy under a barrage of emails that more than of them have sent sensitive info to the wrong person. Content Proliferation. Cloud applications for file sharing are proliferating. People use them they are simple, overcome limitations of email. Average company has 23 and most of them are insecure – many had grown popular through sharing of copyright content. Great for sharing pictures of cats, but not for business. 759+ cloud apps in an average company. A finally, here is a theme we’ll come back to again and again – security is not only about technology. It’s about people and even the smartest people make mistakes. Over half of breaches are caused by human error. Human Nature. Smart people, well intentioned people still make mistakes. Majority of data breaches are caused by human error. We can’t always prevent people from making mistakes, but we can make mitigation easier. This aren’t just stats, this is the reality that your security has to live with every day.
  • #13 Since the rise of the client-server model, IT has steadily moved from a centralized computing model to a highly decentralized one. This shift has dramatically accelerated in the last several years, fueled by mobility, cloud services and service-oriented platforms. Business users have seen great benefits as a result, but now the modern enterprise is burdened with challenges like insecure devices and communications, content sprawl, and the persistent risk of human error. Insecure Devices. The BYOD trend increases device risks. In a company of 100 employees, 4 phones will go missing. Insecure Communication. Senior executives are so busy under a barrage of emails that more than of them have sent sensitive info to the wrong person. Content Proliferation. Cloud applications for file sharing are proliferating. People use them they are simple, overcome limitations of email. Average company has 23 and most of them are insecure – many had grown popular through sharing of copyright content. Great for sharing pictures of cats, but not for business. 759+ cloud apps in an average company. A finally, here is a theme we’ll come back to again and again – security is not only about technology. It’s about people and even the smartest people make mistakes. Over half of breaches are caused by human error. Human Nature. Smart people, well intentioned people still make mistakes. Majority of data breaches are caused by human error. We can’t always prevent people from making mistakes, but we can make mitigation easier. This aren’t just stats, this is the reality that your security has to live with every day.