It Takes a Village – and a Lot of Time – to Manage Data Security and Compliance

For security teams, sensitive content is generally at the centre of what they need to protect in their corporate IT systems. Yet, it is often easier said than done. Only 11% of respondents to a recent survey said that no improvement is needed in their management of content security. 

Many of the challenges to a modern business – security issues, including data breaches, and compliance – are exacerbated by the complexity of operational processes commonplace today. Between a proliferation of communication tools and the inability of many organisations to get rid of manual processes, it is inevitable that security and compliance problems will slip through the cracks. So, what need to be done to ease the pressure?

Third-party multiplication and risk 

Most organisations exchange large volumes of sensitive data during daily business with hundreds and often thousands of third parties. Because of this, third-party risk has never been higher for organisations in all industries. The necessity of exchanging sensitive content only accentuates the threat. 

When businesses were asked to estimate how many third-party individuals receive sensitive content from their companies, two-thirds (66%) estimated more than 1,000. Among the largest enterprises with more than 30,001 employees, 33% exchange content with more than 5,000 third parties. Let that sink in.

Once sensitive content leaves an organisation, four-in-ten (39%) indicate they are unable to track and control access to 50% or less. Companies here in EMEA in particular find it challenging, with 46% admitting they lose the ability to track and control access to 50% or less of sensitive content once it leaves their organisation. 

Comparison of data breach occurrence with the number of third parties with which organisations exchange sensitive content shows significantly higher risk. For example, over a third (35%) of those reporting they exchange sensitive content with over 5,000 third parties experienced more than 10 data breaches last year. Further, almost half (47%) of those exchanging sensitive content with 2,500 to 4,999 third parties experienced over seven data breaches. The same is true in terms of litigation costs. Bigger is certainly not better. For those exchanging sensitive data with 5,000 or more third parties, half spent over $5 million in litigation costs. In fact, 44% of those exchanging sensitive content with 2,500 to 4,999 third parties also spent over $5 million.

Proliferation of communication tools and risk

A proliferation of communication tools exists when it comes to sending and sharing sensitive content: email, file sharing, managed file transfer, SFTP, web forms, and the like. It is a problem of our own making. Moves to mitigate risks, reduce costs, and improve operational efficiency appear to have resulted in a drive to consolidate content communication tools. 

Cross-analysis pinpoints that, perhaps unsurprisingly, organisations with a higher rate of data breaches use the most communication tools. A third (32%) of organisations with 10 or more data breaches have more than seven communication tools. Almost half (48%) of those with six communication tools experienced seven to nine data breaches. These numbers are dramatically higher than the average number of data breaches across all respondents. Only 9% reported 10 data breaches and only 23% reported seven to nine data breaches. This equates to a rate of 3.55x more for those with 10 or more communication tools and 2x higher rate for those with seven to nine communication tools. The same is true when it comes to the amount organisations pay in data breach litigation costs: 26% of those that reported paying over $7 million last year have over seven communication tools (3.25x higher than the norm of 8%).

A critical need

There is clearly a critical need for organisations to take proactive measures in safeguarding their sensitive content. A good place to start is to consolidate communication tools onto a single platform. It is proven that organisations with fewer communication tools experience fewer breaches. By reducing the number of disparate tools used for content communication, organisations can significantly lower the risk of data breaches and improve operational efficiency.  

There are also, clearly, significant risks associated with sensitive content exchanges with third parties. Put simply, the more third parties with which respondents send and share sensitive content, the more data breaches and higher litigation costs they experience. As a result, it is imperative that organisations ensure they have comprehensive governance tracking and controls as well as advanced security capabilities in place to mitigate third-party risks. 

Don’t delay. Organisations can incur significant legal costs that are often not accounted for in traditional breach cost estimations. Damaged brand reputation, lost revenue, and disrupted operations are only one aspect resulting from data breaches. Compliance fines and penalties as well as extended litigation costs can have a long-tail effect felt over extended time frames. Because of this, it is important to select sensitive content communication tools that adhere to security standards like FedRAMP, ISO 27001, SOC 2 Type II, NIST CSF 2.0, and others.