If you weren’t already worried about the security of your company’s internal memos and other documents, the recent Sony hack probably fixed that (and reinforced the message that if you don’t want egg on your face, you shouldn’t write embarrassing emails).
Here’s the thing: Security is hard, and as we’ve heard over and over, it requires a mix of technologies from different providers, constant vigilance and good end-user practices to safeguard a company’s crown jewels.
Thanks to widely publicized breaches at Target, Home Depot and — yes — Sony, companies are reconsidering their security practices, according to a new research note from Nomura Securities analyst Frederick Grieb. That means more budget will flow to security next year and also that top-notch Chief Information Security Officers (CISOs) and Chief Security Officers (CSOs) with expertise in both relevant technologies and their company’s business and regulatory requirements are in short supply.
Lesson: Add your own security
In that vein, the director of security for a Fortune 100 healthcare provider recently told me that keeping company data and documents secure requires that companies layer additional security atop whatever cloud storage and file share service is used. These storage vendors may have good marketing statements, but when you drill down, not very good security stories, he said.
Speaking on the condition that neither his name nor his company’s be disclosed, he said the issue for a highly regulated company like his is to ensure that a document — whether it’s a PDF file of a doctor’s report or a digital X-ray of a broken arm — is protected not only at both ends (“at rest”) but also in transit (“in motion”).
That’s because the basic problem of the internet is that traffic goes through any number of third parties. “You don’t know and you can’t trust that your file is private — it’s like sending a postcard in the mail — anyone can read it,” he noted.
To address this, his company is deploying fan-favorite Dropbox but is also using a third-party product, nCrypted Cloud, to encrypt files before they’re sent, which leaves the encryption keys in the hands of the customer. The cloud storage provider, whether it’s Dropbox or Box or Google Drive or Microsoft OneDrive, does not hold those keys and cannot access the files or disclose them to third parties. (Neither does nCrypted Cloud, which competes with WatchDox and Sookasa, for that matter.)
He’s also trying out a new nCrypted Cloud product, Infinite Mail, that strips out attachments embedded in messages and replaces them with secure links that the intended recipient can open as set up by an IT administrator. It supports popular Microsoft and Google email products.
If the problem of secure mail can be solved, this security exec sees possibly huge perks down the road. Currently, the cost of printing and mailing reports and benefits documentation is humongous — it can cost a company like his up to $100 million a year. If there is a way to guarantee secure digital delivery of such documents to the right end users, the cost savings could be huge.