Enterprises today face significant challenges in managing, governing, and securing corporate data. Data moves and is shared more ubiquitously than we likely recognize. Through the use of large language models (LLMs), shared with third-party vendors, or exposed on the dark web, there are blind spots that hinder the security and IT teams’ visibility into where data resides and how and by whom it’s accessed. Without this crucial visibility, effectively managing data access becomes near impossible. Whether our data is loaded to a LLM or shared with a vendor, it has never been more exposed to risks.
Data governance practices, including classification, mapping, and access controls, are even more challenging with the technologies and applications that modern enterprises rely upon, including data lakes, APIs, and cloud storage. Adding to this operational complexity is the increasing regulation around privacy.
The bottom line is that companies are held to account for how they handle data.
For too many security leaders, data visibility starts with the data breach. Only then are they aware of the data mismanagement within third-party applications that were discovered in the breach. Breach notification is the wrong time to realize that the service agreements with your vendors or partners did not require reasonable security practices over your organization’s data.
When a data breach happens, you often don’t know where it started or the application, vendor, or source involved. Without knowing how and why the data found its way to the Dark Web, there is no way to determine the appropriate response. “Batten down the hatches” is a bad order if you don’t know which hatches need battening. However, tighter data access controls will make it easier to know who had access to the stolen information. Leverage best practice principles like least privilege, need-to-know, and separation of duties and consider using digital watermarks to track and trace the movement of your sensitive data.
Dark web exposure
CISOs are pressured by the business to regain access to corporate data and bring systems back online quickly following a ransomware attack. In many cases, this haste to restore business functionality results in incomplete eradication of the threat actor and investigation of the true root cause of the attack is often overlooked. Frequently, this results in recycled extortion attempts as network access or exfiltrated corporate data are sold and traded in nefarious circles on the Dark Web. Because investigative practices were incomplete, how this data was compromised is never fully understood.
Clearly, CIOs and CISOs must be engaged earlier in the data governance lifecycle. Specifically, both roles should understand data classifications, data flows and interfaces, and appropriate controls from an entity perspective. Their insights will help mitigate risk to corporate data either through internal data misuse or data compromise by a threat actor.
Data leaks from the inside out
Inadvertent misuse by employees can be just as impactful as data exfiltration by a threat actor. Take, for example, large language models (LLMs). Employees will leverage free and low-cost LLMs for research and analysis by inputting corporate data in their questions and queries into these models. These tools themselves are not the issue, it’s how they’re used that causes problems. CIOs and CISOs can write as many memos as they like regarding safe data handling, but expediency trumps data governance and security far too often.
LLMs ingest and potentially share your corporate data with other platform users when providing answers. Not only this, but the companies behind the LLMs – which profit from gathering and selling data – will have access to this information as well. In essence, you may lose intellectual property rights over the content uploaded to these systems. For example, look at Section 6.3 of CoPilot’s Terms of Service:
“Customer grants to CoPilot a perpetual, worldwide, royalty-free, non-exclusive, irrevocable license to use reproduce, process, and display the Customer Data in an aggregated and anonymized format for CoPilot’s internal business purposes, including without limitation to develop and improve the Service, the System, and CoPilot’s other products and services.”
Third-party data mishandling
Then, there is the third-party data loss. Most corporations rely upon third-party services to collect, process, and store their data. Even when your third parties maintain strict security and data governance controls, there is always an exposure risk if your service provider is compromised. These incidents are not isolated and are now increasingly commonplace. Notable recent examples include the Lash Group, Change Healthcare, and American Express breaches. These breaches highlight how significant and impactful third-party incidents can be.
As discussed in a previous blog, one way in which CISOs and CIOs can address this problem head on is by ensuring their vendors, suppliers, and partners have defensible security programs backed up by contract provisions that protect your company when security incidents occur. Your contracts should codify your security, privacy, and risk management requirements accordingly.
Unite and conquer
Data governance is a team sport, and IT and security teams cannot operate alone; they require collaboration with key business stakeholders across the organization. With different perspectives, these business stakeholders understand the context of third-party relationships, the nature and extent of the data employed by the company, and the potential impacts on the business if this data is compromised. It’s critical that any remnants of the historical rifts between DevOps and security that make effective data governance challenging be swept away. Visibility and risk mitigation in the cloud are underpinned by collaboration. Given the number of systems, technologies, services, and regulatory requirements that organizations confront, collaboration should not be viewed as a nice to have, but an operational imperative.
CISOs and CIOs are uniquely positioned to drive this collaboration. One powerful option is to establish a data governance committee of key stakeholders from security, legal, compliance, investor relations, procurement, IT, risk management, and finance. Together, draft a committee charter that ensures stakeholders have a duty to report data governance risks. It should also outline roles and responsibilities throughout the data lifecycle of the organization, including who is authorized to make risk decisions related to specific, high-value data sets. In addition, use a risk register to capture identified risk factors and recommended risk mitigations. Companies that focus on data governance will likely be more resilient when confronting risks to company data.
Conclusion
Managing and securing data is a challenge and without visibility, managing data access is nearly impossible. Data governance practices are complicated by modern technologies and are further complicated by privacy regulations. Security incidents highlight visibility blind spots, revealing that our data is more widely distributed and shared than we often realize.
CISOs and CIOs must engage early in the data governance lifecycle to understand data classifications, mapping, and access controls, and bring this knowledge to stakeholders across the organization. Risk mitigation of data leaks comes from proper understanding, handling, and control throughout the data lifecycle of the organization, from employees to third parties.