Data leakage is a problem that has hit the headlines around the world. Whether it is the dreaded “sorry this email was meant for someone else” or a lost USB or a malicious act on the part of a disgruntled employee, data leakage is on the rise.
Essentially, data leakage is the unauthorized transmission of information or data from inside an organization. The release can be either deliberate or accidental.
The reality is that there are now more channels for communications with external audiences. So, it is more likely that data will leak or there can be breaches.
Email is the most common channel for leakage. In the 2021 Current Status of Privacy Compliance survey by Egress, 44% of employees admitted that they have mistakenly exposed personally identifiable information or business sensitive information over corporate email accounts.
However, leakage over messaging applications such as WhatsApp, WeChat, Signal, Telegram and LINE is becoming more likely and more frequent.
Is data leakage a real problem?
Yes. 70% of the Egress survey respondents have had some form of data leakage breach in the past five years. Additionally, 50% of respondents saw a leak in the past 12 months.
According to IBM’s Cost of a Data Breach Report 2020, the average data breach can cost USD3.86 million and take 280 days to identify. Surveys have indicated that 37% experienced reputational damage or client churn from a breach.
Covid-19 has exacerbated this issue. Research by IBM and Ponemon Institute indicated that workforces that are 100% remote may increase the average cost of a data breach by up to USD137,000.
Why does data leak?
This happens for a number of reasons:
First, not all leakage is malicious in intent. In fact, most is accidental. Sending an email to the wrong person, or accidentally sending data or information that you do not have the right to send to an external party, is an unfortunate reality of everyday life. In other words, without controls on the data that is sent, this remains a reality.
Disgruntled/Intentional employee acts
The intentional dissemination of information by an employee to a third party for financial gain or perhaps as revenge.
Phishing, suspicious links or malicious applications – all can lead to unsuspecting employees opening doors for data to leak out through file transfer or access of information on a device or network.
Not just email and USBs
Previously data leakage has predominantly occurred either through email and web tools, or through portable devices like USBs or laptops. However, the increase in hybrid working due to Covid-19 means employees share more conversations and documents over messaging applications like WhatsApp, WeChat, Signal, Telegram and LINE. These conversations have become a new channel that IT Departments must consider in their Data Loss Prevention programs.
What should organizations do?
Realistically, there are five key elements that corporates should consider in a data loss prevention program for messaging applications:
- Restrict classes of documents
The organization must consider a robust process of categorizing documents depending on whether they can be shared internally or externally. Additionally, they should ensure the messaging system that processes the information can recognize these categories. Ideally it should prevent any internal documents from being shared with external parties.
- Hierarchical sharing
In some regulatory jurisdictions there are rules on who can share what information externally. Corporates should consider who has the rights to share information externally and under what circumstances. They need a system that can set these rules in place, manage them and prevent any breaches of these conditions.
- File type
Enterprises often have corporate guidelines about what kinds of files an employee can share with external parties. For example, an organization could ban employees from sending video or emojis or photos. The organization needs to decide what file types are appropriate and ensure there is a system to prevent the banned file types from being shared.
- Role and Geography
Similarly, hierarchical role and geography are important considerations. What information can be shared, with whom, by whom and where? Are there geographic limitations or limitations on project teams who can be in the same chat groups where information is shared? Organizations need a system that can implement not only ethical walls but rules to ensure that information can be shared only with the right people in the right companies in the right geographies.
- Proactive rules, controls and real-time monitoring
The proactive setting of rules and controls around what information can, and importantly cannot, be sent externally is vital, as is control over who can send information. Setting these rules in messaging applications is difficult. However, with a platform like LeapXpert’s Federated Messaging Orchestration Platform it is easy and very customizable. Real-time monitoring of messaging conversations is essential: discovering after the fact that inappropriate information has been shared is not helpful. Setting preventive controls, with real-time alerts when a breach occurs, gives enterprises the chance not only to prevent breaches but also to alert IT teams as soon as one happens.
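The five elements above can be read as one pre-delivery policy check. The sketch below is an added example, not LeapXpert's platform or API; every label, role, region and rule value in it is a hypothetical, constructed assumption.

```python
import os
from dataclasses import dataclass

# Every label, role, region and rule value here is hypothetical (constructed).
EXTERNAL_OK_CLASSES = {"public", "client-shareable"}        # document classes
EXTERNAL_SHARERS = {"relationship-manager", "compliance"}   # hierarchical sharing
BLOCKED_EXTENSIONS = {".mp4", ".mov", ".jpg", ".png"}       # file type
ALLOWED_REGIONS = {"SG": {"SG", "HK"}, "HK": {"HK", "SG"}, "UK": {"UK"}}
ETHICAL_WALLS = {frozenset({"m&a-advisory", "equity-research"})}

@dataclass
class Outbound:
    sender_role: str
    sender_team: str
    sender_region: str
    recipient_external: bool
    recipient_team: str       # "" for an external recipient
    recipient_region: str
    classification: str       # label attached by the classification process
    filename: str = ""        # "" when there is no attachment

def evaluate(msg: Outbound):
    """Run before delivery; return (allowed, reasons). Unknown values fail closed."""
    reasons = []
    if msg.recipient_external:
        if msg.classification not in EXTERNAL_OK_CLASSES:
            reasons.append("classification")
        if msg.sender_role not in EXTERNAL_SHARERS:
            reasons.append("role")
        # Extension matching is the weakest form of this check; a production
        # control should also inspect the file's actual content type.
        if os.path.splitext(msg.filename.lower())[1] in BLOCKED_EXTENSIONS:
            reasons.append("file-type")
    if msg.recipient_region not in ALLOWED_REGIONS.get(msg.sender_region, set()):
        reasons.append("geography")
    if frozenset({msg.sender_team, msg.recipient_team}) in ETHICAL_WALLS:
        reasons.append("ethical-wall")
    return (not reasons, reasons)

# Constructed sample messages.
OK = Outbound("relationship-manager", "coverage", "SG", True, "", "HK",
              "client-shareable", "term-sheet.pdf")
LEAK = Outbound("analyst", "coverage", "SG", True, "", "UK", "internal", "deck.MP4")
WALL = Outbound("analyst", "m&a-advisory", "SG", False, "equity-research", "SG",
                "internal")

if __name__ == "__main__":
    for m in (OK, LEAK, WALL):
        allowed, reasons = evaluate(m)
        print("DELIVER" if allowed else "BLOCK+ALERT", reasons)
```

Because the check runs before delivery and returns the reasons, the same result can both block the message and feed a real-time alert to the IT team.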
What is the future?
As more and more employees communicate with customers over messaging applications and with more messaging applications becoming prevalent, organizations need to have appropriate systems in place to ensure that data leakage doesn’t become a problem on these channels.
For instance, LeapXpert’s Federated Messaging Orchestration Platform has robust options for organizations that want to prevent data leakage to unauthorized parties over messaging applications. This includes Data Loss Prevention tools, ethical walls, hierarchical and role based permissions, file restrictions and keyword restrictions.
To discover more about how LeapXpert helps organizations around the world to mitigate data leakage over messaging applications, talk to one of our experts.
This is the first part of our series on security including malware for mobile messaging applications. Stay tuned!