Why Content Services Platforms Should Be ‘Need-To-Know’ Security Ready

by CybrGPT

As global organizations create ever larger volumes of highly sensitive, confidential and commercially valuable content, how those documents and emails are accessed, collaborated on and secured in traditional document and content management platforms becomes a business-critical decision.

Professionals in legal, finance, HR and other regulated groups are managing some of the enterprise’s most sensitive information – and are under increasing pressure to ensure that information is not part of a data breach or privacy violation.

The evolving nature of threats now requires a different response. According to Verizon’s 2019 Data Breach Investigations Report, over 70% of security threats continue to originate from compromised credentials – and 32% of breaches involved phishing.

This means that traditional security defenses such as firewalls, malware detection, email filtering and complex password requirements are ineffective at preventing a malicious actor who holds a compromised set of credentials from accessing enterprise networks and document systems, including Content Services Platforms (CSPs).

If the default for new content creation – even at the department or division level – is set at ‘open security’, then a single compromised credential can impact a significant amount of data, with huge ramifications. Every employee, regardless of rank or regional location, can become a possible breach source.

For these reasons, it is imperative that organizations take steps to limit access to highly sensitive content stored in CSPs based on who has a legitimate ‘need-to-know’ (NTK). Each enterprise should secure its own sensitive information on an NTK basis and ensure those in its ‘information supply chain’ also adopt this approach.

Because professional service providers face significant risks from storing information from many different clients, they have been the first to see this issue at scale and are among the early adopters.

The requirement for implementing NTK security can be driven by several factors:

To compound the issue further, staff attrition will drive changes in the underlying policies, and the job of managing these overlapping and changing requirements necessitates careful planning, management and execution. The increasing demands of audit by client, government and regulatory bodies will drive this aspect of security to a whole new level of importance – and urgency.

A further consideration of implementing NTK is how it is deployed across systems as the volume of documents grows exponentially.

The changing nature of security threats will drive more and more organizations to limit access to sensitive content in their CSPs and will drive demand for platforms capable of managing security based on sophisticated and overlapping policies, without noticeably degrading system or IT infrastructure performance.

Need-to-know security is an essential part of protecting sensitive enterprise information against the 70% of attacks that involve compromised credentials. The ability to do so at scale will become a differentiating feature and a must-have for enterprise users such as legal, accounting, M&A, finance and R&D to work safely, productively and efficiently.
