Why Their Security Breach Is Actually Your Security Breach

Insights from an Email Content Management & Security Perspective

by Donald R. Hammons & Alexis Panagides

In our collaborative world, strategies to secure the enterprise must consider the sensitive data sent outside our organizations. External breaches become our breach. We're all in it together!

Enterprises and U.S. Public Sector agencies are laser-focused on digital transformation and Future of Work initiatives. The pandemic has accelerated the need for enterprise-wide adoption of cloud-enabled digital-first collaboration solutions. Firms that adopted cloud-based technologies and mobile strategies with any time, from anywhere, and on any-device solutions, have emerged with a favorable position given the challenges we faced in 2020 and now in this new year.

As firms undertake these challenges — to fuel innovation, global collaboration, right-time, right-application, and right-person accessibility to enterprise digital content — one key horizontal theme to this strategy is ensuring enterprise security. Given the cyber-breaches announced in late 2020 within the U.S. Public Sector agencies and breaches that continue to occur by global bad-actors who push malware and ransomware attacks into local, state, and federal agencies as well as non-profits and global firms, security has become a key information technology focus for many CIO and CISO executives.

As organizations consider the supply-chain of security applications available to them, including multi-factor authentication tools, encryption solutions for digital content at rest or in-flight, end-user training, and even perimeter defense solutions, the combination of these efforts are meaningful, impactful, and important. However, an often-overlooked perspective pertains to the most ubiquitous of all IT applications and the #1 security threat vector of attack for all enterprises: email.

Files sent through email are duplicated at multiple stages. Copies are created when emails are stored to redundant email servers and archives, sent to external systems (e.g., CRM), received by the recipients in To, Cc, and Bcc, and when saved to potentially multiple devices.

Enterprise-capable cloud-powered content management platforms offer significant advantages to the enterprises of tomorrow. As companies and agencies take on the challenge of consolidating their digital content strategies, they can inject new and novel approaches towards workflow automation, content retention policy alignments, compliance initiatives for HIPAA, GDPR, PII, and PHI protections, and team collaboration enhancements. These platforms become both a content system of record and a digital content system of engagement — both are powerful considerations. These efforts will move the needle for those firms and accelerate their innovation velocity. These same initiatives will fuel global customer success initiatives and insight captures along with the downstream potential of exploiting novel innovations, including artificial intelligence and machine learning. As such, the Future of Work is going to be nothing short of exciting.

For the most innovative enterprises, achieving these goals will take both strategy and execution. As we dig deeper into these aims, one consideration is to not only build towards our own internal application eco-system of optimization but to consider how our API-powered application architecture can help us accelerate while at the same time not inject security risks into our enterprise. This is especially vital considering the supply-chain of applications and micro-services global organizations rely on at-scale.

When the most foundational of all IT applications (email) is considered, some dissection of the application itself might be explored. Email has both content at rest and content in-flight. For the at-rest component, firms can undertake strategies to protect that content at rest while also harvesting it intelligently to benefit from the same collaboration, content retention, and content security initiatives powered by today’s content management platforms. For the active or in-flight email centric content, further dissection can ensue as a security and collaboration consideration such as how to best handle inbound email and email attachments to fuel or accelerate workflow automation, advance collaboration around email-borne assets, and how to best address the security considerations or risks specific to virus-loaded email attachments. Leveraging perimeter defenses, training our users, using preview capabilities and content quarantine or anomaly detection solutions from leading content platforms can advance these organizations’ cyber-security posture. Extracting valuable email and email content from the email systems themselves in-flight can also create impediments for would-be bad actors as content masked behind content platform URLs with auto-expiring links, and even multi-factor authenticated password protections can create yet another layer of defense for these firms and agencies.

Files shared as links from centralized storage systems, like cloud storage, avoid the dangerous sprawl of uncontrolled content by keeping data in a single, secure system. Beyond security, additional benefits result like significant reductions in storage and network usage.

While organizations deploy these broad-based capabilities to fuel their Future of Work, another security consideration rests outside of our proverbial organizational walls. This consideration is one with the perspective that an outside agency or enterprise’s security breach actually becomes negatively impactful to our own organizations — regardless of the steps we might have taken to ensure our own internal digital content security.

Outbound inter-domain emails that carry attachment payloads cannot represent the best of our efforts to collaborate or to ensure enterprise security. When a single user sends an email outside of our organization with an attachment, there is no sender control around that asset once the send-button is activated. The content is out there. It is replicated on email archives. It is copied, forwarded, misrouted, and the resulting content sprawl does little to fuel single-source-of-truth collaboration around that asset, nor does it bode well for our security initiatives. When that same payload is inclusive of intellectual property, PII, PHI, financial information, HR information, or other sensitive data, the risk of a recipient organization’s security breach, therefore, becomes ‘my’ breach.

Sensitive content sent through email is delivered without security or controls. Breaches at any external recipient make our content vulnerable. By ensuring that content stays under our control in our secure storage systems with only a URL link (that is still under our control) sent through email, we avoid these risks.

We believe that a firm’s most valuable asset, other than its human capital, is, in fact, digital. Digital content and data with its underlying value and insight power is a firm’s most valuable asset. It provides the very framework for how we make strategic decisions. That inherent business intelligence is key to the future success of most organizations. If true, then new and novel ways need to be explored such that external entities with which we collaborate have a frictionless manner of doing so while at the same time not exposing ‘our’ valuable digital content when they have a security breach. By replacing outbound email attachments with auto-expiring cloud content platform URL links and layering in the capabilities for 2FA or multi-factor authentication, organizations can fuel collaboration around those same content assets while ensuring that the threat surface is minimized or eliminated when doing so. Mapping collaboration towards a single source of truth for a digital asset is vital to the Future of Work.

We believe our future is a human-centric, empathy-inclusive, employee diverse, digital, mobile-enabled any device, from any time and from anywhere mindset. After all, it is actually about accelerating our quality of life and expanding the human experience. It’s about finding new and novel ways to do good things for as many people as we possibly can. Finding new ways to achieve these goals with security in mind is a crucial consideration. The Future of Work starts now — and there is a better way forward.