4 Steps To Protecting Your Company’s Crown Jewels

The cornerstone of your business is its data. Think of your data as the crown jewels of your organization. In the past, your crown jewels were stored within the four walls of your office, in a server room, or in a closet. It was simpler to protect the crown jewels when they were stored there, because they were located in a centralized office.

Data contained in a centralized office (simple server setup)

Under this model, it was easy to regulate and monitor who could access your data and what software they could use to open it (e.g. Microsoft Word, Excel, PowerPoint, Outlook). Remote access over the internet may have been allowed while traveling or working from home, typically through a software connection called a virtual private network (VPN).

Remote VPN connection to centralized office

As your business has adopted more modern technology and moved its data and infrastructure to cloud platforms like Microsoft 365, the challenges of protecting and securing your company’s crown jewels have become more complex. Today, your distributed virtual office network has employees, customers, vendors, and partners accessing data from anywhere in the world.

Data access in a decentralized cloud

In this new, highly connected business world, a key challenge – especially if you are a small business with fewer resources to spend on IT and cybersecurity – is data governance (managing how your data is accessed, when, and by whom). Without a data governance process, you place your business at risk of data compromise, paying higher insurance premiums, and lawsuits should a data breach occur. In other words, the more connected your business becomes, the more critical it becomes to develop tighter controls and improve your company’s cybersecurity and data governance posture.

The emergence of easy-to-download “apps” (installed in a few clicks from an app store or marketplace) gives rise to an ecosystem that adds another layer of complexity to the already challenging prospect of controlling access, safeguarding data, and governing how it is used.

Third-party applications (also known as “Enterprise applications” or “Enterprise apps” in Microsoft vernacular) are apps that can register with and connect to your organization’s Microsoft 365 ecosystem to read and write data, including:

  • Exchange: Email and calendar data
  • SharePoint: Documents and site list data (Word, Excel, PowerPoint, PDF, etc.)
  • Azure & Active Directory: User and authentication information (usernames, sensitive user information)

While quick and convenient to download and use, these applications and the individuals who use them pose a risk to your business for two reasons.

Third-party app ecosystem connections

First and foremost, if you don’t control the devices used by the individuals connecting (e.g. direct hire employees), you can’t be certain about their safety. Since they aren’t a part of your internal network, there is no guarantee the devices are up to date with antivirus software and protected from (or aren’t already compromised by) cyber threats such as malware or spyware.

Secondly, the applications requesting access to your data are unknown entities. Unless you have a process to review and approve the apps and data they need access to, you don’t know how the application will access, transfer, and store your data.

Business risks of allowing unauthorized third-party applications to connect to your system include:

  • Cybersecurity threats on unmanaged devices: How do you ensure the users and devices connecting to you cannot inject new bugs, vulnerabilities, and viruses into your technology ecosystem?
  • Unauthorized data transfer and export: How do you guarantee someone isn’t taking vital information like customer lists, your trade secrets, or intellectual property, downloading it, and using it for non-business purposes?
  • Application security: How do you verify that the users and devices that connect to your systems are vetted, authenticated, and won’t bypass security measures you have in place to protect your data?

To keep your crown jewels safe, you need business-level authorization and a review process for access to your systems. Here are four steps to help you protect your company and customer data:

  • Identify: Who is requesting access to your system?
  • Justify: Why do they need access to the system? What data do they need to access? When do they need access to it, and for how long?
  • Restrict: Give users access to only what they need, when they need it (a.k.a. least-privilege access). Set time limits and expiration dates to revoke access automatically.
  • Review: Develop an audit process at regular intervals to review systems and who has access to them.
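
An added example (not part of the original article) of how the four steps can be turned into a repeatable access review for third-party apps in Microsoft 365: it compares the permission grants actually present in the tenant, using records shaped like Microsoft Graph oauth2PermissionGrant objects, against a business register produced by the Identify and Justify steps. The grants, register entries, app IDs and the `expires` field are constructed sample data; in a real tenant the grants would be exported from Microsoft Graph.

```python
from datetime import date

# Delegated Graph scopes that let an app change or send crown-jewel data
# (mail, documents, directory); these always deserve explicit justification.
WRITE_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                "Sites.ReadWrite.All", "Directory.ReadWrite.All"}

# Constructed sample of what the tenant actually granted. The field names
# follow Graph's oauth2PermissionGrant; the IDs are placeholders, not real.
SAMPLE_GRANTS = [
    {"clientId": "app-crm", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Mail.Send Files.ReadWrite.All"},
    {"clientId": "app-notes", "consentType": "Principal", "principalId": "u-alice",
     "scope": "User.Read Files.Read"},
    {"clientId": "app-unknown", "consentType": "Principal", "principalId": "u-bob",
     "scope": "Mail.ReadWrite"},
]

# Constructed business register from the Identify/Justify steps:
# clientId -> the scopes that were justified and when the approval expires.
SAMPLE_REGISTER = {
    "app-crm": {"scopes": {"User.Read", "Mail.Send"}, "expires": "2024-01-15"},
    "app-notes": {"scopes": {"User.Read", "Files.Read"}, "expires": "2025-06-30"},
}


def review_grants(grants, register, today):
    """Return {clientId: [reasons]} for every grant that fails a check.

    today is an ISO date string (YYYY-MM-DD) so the review is reproducible.
    """
    today = date.fromisoformat(today)
    findings = {}
    for g in grants:
        app, scopes, reasons = g["clientId"], set(g["scope"].split()), []
        entry = register.get(app)
        if entry is None:                                     # Identify
            reasons.append("not in the approved app register")
        else:
            extra = scopes - entry["scopes"]                  # Restrict (least privilege)
            if extra:
                reasons.append("scopes beyond justification: " + " ".join(sorted(extra)))
            if date.fromisoformat(entry["expires"]) < today:  # Review / expiration
                reasons.append("approval expired " + entry["expires"])
        if g["consentType"] == "AllPrincipals":               # tenant-wide consent
            reasons.append("consented for all users, not a named principal")
        risky = scopes & WRITE_SCOPES
        if risky:
            reasons.append("write/send access: " + " ".join(sorted(risky)))
        if reasons:
            findings[app] = reasons
    return findings


if __name__ == "__main__":
    for app, reasons in review_grants(SAMPLE_GRANTS, SAMPLE_REGISTER, "2024-03-01").items():
        print(app, "->", "; ".join(reasons))
```

Each finding maps directly to an action from the list above: revoke the grant, narrow its scopes, or re-justify and extend the expiration.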

By incorporating these four simple steps into your business process, you can help safeguard your company’s crown jewels, protect your customers’ data, and reduce your cyber business risk.