The oversharing economy: how collaboration increases digital risk

Jul 25, 2018

So you’ve heard of the sharing economy. You know, the business model based on sharing access to goods amongst peers, pioneered by Airbnb, Uber and Velib. This model offers numerous benefits for society, from democratizing markets - and driving down prices in the process - to maximizing the usability of assets, and even adding a more human touch to transactions.

Have you ever stopped to think that we are also living in a data-sharing economy? Digitization and the evolution of information technology allow us to share information more freely and more rapidly. In a business context, the number of parties with whom we share this information has also risen. In the US, companies are interacting with an average of 1,500 third parties on top of their employees. This includes suppliers, contractors, consultants and partners.


The risks behind the data-sharing economy 


As with the sharing economy, the data-sharing economy has greatly enhanced the way we do business. And yet, our capacity to share information freely and instantly has also undoubtedly increased the risk of data breach. When you are sharing lots of information, the opportunity for free-floating data to escape naturally rises. And when this data is shared outside the company perimeter, amongst increasingly complex networks of third parties, the risk of sensitive information falling into the wrong hands can only grow.

Several other factors have acted to increase the risk even further. The market’s appetite for information sharing means that information technology is often designed for shareability rather than strength of security. For example, the recent proliferation of internet-connected storage devices, and their questionable security configuration, has become a thorn in the side of InfoSec departments the world over. What’s more, although companies have learned to collaborate effectively with third parties, they haven’t yet learned how to enforce the same security standards on suppliers as they do internally. According to the Accenture 2018 State of cyber resilience report, 36 percent of organizations do not apply the same—or higher—cybersecurity standards to their extended partner ecosystems as they do within their own business.

Are we living in a data-sharing economy, or are we living in an oversharing economy? 


The oversharing economy: a rise in accidental data breaches 


According to the Ponemon Institute, there is a rise in the incidence of accidental data breaches. In their 2017 Cost of Data Breach study, they reported that 53 percent of leaks are accidental. These breaches distinguish themselves from malevolent breaches, where data is deliberately extracted by threat actors such as cyber criminals or insider employees. 

In contrast, an accidental data breach is caused either by a system glitch, or by the negligence of an otherwise well-meaning actor, like an employee working from home who backs up sensitive documents onto their unprotected NAS drive; or a contractor who stores sensitive data on an unprotected server. These are precisely the sort of data breaches that have their origins in the oversharing economy. 


The rise of third-party breaches 


At the same time, there is a rise in accidental data breaches occasioned specifically by third parties. For example, in 2017 an external Customer Service Call facilitator of telecommunications company Verizon exposed the customer records of six million clients on an unprotected Amazon S3 storage bucket. This included customers’ names, mobile numbers and account PINs, along with their home addresses, email addresses, and Verizon account balances. In another incident which took place the same year, a Lieutenant Colonel of the US Air Force exposed thousands of classified documents on an unprotected NAS backup drive. This included details of over 4,000 officers; details about open investigations; and encryption key recovery instructions for Defense information systems.

It is no surprise that accidental data breaches are now more prominent than malevolent leaks, when the oversharing economy leaves so much room for error. 


Ensuring data security in the oversharing economy 


So does this mean we need to stop collaborating in order to ensure data security? When it comes to navigating the oversharing economy, there is a range of approaches you can take:

  1. Eliminating information sharing
  2. Banning backup devices 
  3. Enforcing passwords 
  4. Constantly monitoring for leaks

As you can see, the surer the measure, the more severe the repercussions. Eliminating information sharing or banning backup devices would certainly eliminate the potential for data leaks, but no one would ever do this as it is totally at odds with collaboration. Banning backup devices would also be at odds with a company’s information security. How would a company recover, for example, following a ransomware attack, a power outage, or a physical malfunction?

In order to balance data security with free-flowing information, we need a more balanced approach. Should we wish to embrace the potential of information sharing and collaboration (and we really should!), then we need to accept that data leaks are inevitable. In addition to the classic measures designed to reinforce the security of our internal networks, companies need to start taking proactive action on data leak monitoring. Receiving alerts about leaks as soon as they occur allows companies to act straight away. This puts them on the front foot when the inevitable occurs, and also helps to minimize the damage by shortening remediation time.

Just like the sharing economy, the so-called “data-sharing economy” has brought numerous benefits to the professional world. However, the gains we have made in terms of collaboration have been at the expense of the securability of our data. But that doesn’t mean we need to work against the trend. With the right blend of flexibility and threat intelligence, companies will be free to embrace the “data-sharing economy” without threatening their precious information.