Companies in the energy industry have a wide range of regulatory laws that they must comply with, from critical infrastructure issues to how raw materials are bid upon in the public sector. Often security is an afterthought when it comes to organizational data, but with increases in cyber-attacks and data leakage it’s an area that the energy industry cannot afford to ignore. Data security is one of the regulations covered by NERC’s Critical Infrastructure Protection (CIP) plan, and it’s a growing area of concern as more digital data is shared between employees, vendors, and external utilities via a wide range of devices.
Before we discuss best practices for safe data sharing, we must assess the risks that energy companies need to consider when implementing security policies and technology, especially with the growing use of mobile devices in all organizations. There are a number of risks that can affect the security of an energy-based organization, such as:
- Data Contamination: Today, an employee’s vacation photos are likely to reside on the same devices that they use for work. The photos, and other personal content, share storage space with confidential business data. Never before has personal data mixed so freely and casually with business information, and this mixing introduces new risks to the enterprise. Through carelessly configured backups or file copies, personal content might accidentally end up on corporate file servers. Worse, personal files that contain malware might spread to business files and from a mobile device to internal file servers and other enterprise assets.
- New Forms of Malware: IBM predicts that mobile malware will grow 15 percent annually for the next few years. Hackers and criminal syndicates realize that most mobile devices are less secure than more traditional devices like laptops. They have begun targeting mobile devices for attacks ranging from mischievous pranks to advanced persistent threats that stealthily copy internal data over many months, transmitting it to remote control centers around the world.
- Lost Devices: On average, a cell phone is lost in the U.S. every 3.5 seconds. Even if a lost smartphone or tablet does not contain confidential data, it still might include apps or cached credentials that make it easier for criminals to infiltrate an enterprise network. As workers begin carrying more devices, the likelihood of them being lost increases, as does an organization’s level of risk.
- Risky File Sharing: A device without data is of limited use. To ensure all of their devices have the files they need, employees often try out one or more file-sharing services, including free but risky file-sharing services that run on public clouds. Unfortunately, these services, though popular, are usually not secure enough to be trusted with enterprise data. In one instance, the popular service Dropbox accidentally disabled all password protection on all its customers’ accounts for four hours last year. Having originally been designed for consumers, these services lack the centralized control and monitoring features that large utility enterprises and government agencies need for security and compliance.
In addition, many public cloud file-sharing services also pose legal risks to a company’s claim to own and control its data. For example, the terms of use for Google Drive, Google’s free file-sharing service, begin by stating that users retain the intellectual copyright for the ideas in the content they store. But the terms go on to say that by using the service, customers grant Google and its partners the right to reproduce and modify any uploaded data in order to operate, promote, or improve Google services. Understandably, most enterprises would be reluctant to surrender control of their data to Google under such sweeping terms simply for the convenience of free file sharing and collaboration.
Energy-based organizations must demand a high level of security to protect their proprietary content, no matter what device employees are using when they share data and collaborate. To make the most of mobile security solutions, however, security teams should focus their attention on the actual content that their organization uses and shares, rather than only on the devices.
Mobile Content Management (MCM) is a new class of mobile security solution that focuses on securing content, whether it’s located on a mobile phone or behind the firewall of an organization’s network. To protect content stored on, or shared to and from, mobile devices, MCM solutions provide secure software ‘containers.’ These containers shield confidential data from unauthorized access and malware infection: even if other files on the device become infected with malware, the files within the container remain safe. IT departments can configure and control these secure containers remotely, so if a device is lost or stolen, administrators can quickly disable access rights for all files in that container on the device. Finally, all data shared, synced or edited by an employee resides in the secure container, rather than in a public cloud or in the device’s own unprotected storage.
When adopting a secure mobile file sharing solution, here are six best practices for organizations that are working to protect confidential data:
- Best Practice #1: Choose a Solution that Protects All Confidential Files. Organizations should select a solution that works with whatever mobile devices employees are carrying and whatever other networks those devices are connecting with, so that no set of data is unprotected.
- Best Practice #2: Centralize Access Control and Monitoring. Centralized monitoring allows network administrators and security officers to monitor the distribution of files and to detect anomalous behavior before it leads to data breaches. Centralized monitoring and logging are essential capabilities for organizations that need to comply with industry IT regulations such as Sarbanes-Oxley (SOX).
To comply with SOX, for example, public companies in the U.S. must be able to demonstrate that they can audit and control the distribution of all files containing proprietary financial information. If files are distributed over a public-cloud service like Dropbox, the IT and security teams will have no way to monitor where those files go. Instead, confidential data could be easily replicated or distributed broadly, and the organization would never know until the data breach was exposed, probably resulting in regulatory censure and other penalties.
- Best Practice #3: Integrate with Existing Content Management Systems. Many organizations have invested in enterprise content management (ECM) systems like SharePoint. These systems provide advanced role-based controls for file storage and powerful search capabilities to help employees find information quickly. Unfortunately, accessing these systems remotely can be cumbersome or downright impossible, depending on the configuration of the mobile devices and the ECM system. When access proves difficult, employees sometimes begin keeping local copies of files and copying them from device to device, thereby undermining the security and version-control features of the ECM system. Organizations should select a solution that provides access to content stored in these existing systems. This way secure mobile file sharing is a reality for workers in remote locations, and they always have access to the critical files they need.
- Best Practice #4: Increase Trust and Control with Private Clouds. Private cloud solutions – cloud services that enterprises run in internal data centers – can provide the scalability and cost-effectiveness of cloud computing without the security and availability risks of public clouds. Whenever possible, energy organizations should deploy their secure file sharing solutions on private clouds, giving their own IT organizations complete control over the location and availability of data.
- Best Practice #5: Block Risky Services – Nudge Users to Safety. Even with an enterprise file-sharing solution in place, employees may be tempted to try the free, consumer-grade services that their friends are using. By blocking these services, enterprises can ensure that mobile workers don’t jeopardize the confidentiality and integrity of confidential data. Educating users about the risks of these public-cloud services is another important way to ‘nudge’ them into following best practices for data security.
- Best Practice #6: Choose Solutions Proven to Meet Stringent Third-party Security Requirements. Organizations should select a solution that has been certified to meet stringent security requirements, such as the NERC CIP requirements that affect all entities that ‘materially impact’ the bulk power system in the U.S.
The NERC CIP standards focus on the management of all cyber assets (IT infrastructure) – the systems that support the operation of the bulk electric system. Because much of the infrastructure supporting the bulk electric power system is IP-based, the NERC CIP standards provide guidelines for the identification and management of critical cyber assets, as well as for the security (both physical and cyber) of those assets. And, while many of the disaster scenarios facing the electric grid concern natural disasters like hurricanes or floods, the increased attention on cyber-attacks against utilities around the world has raised the specter of terrorist- or state-sponsored attacks on the electric grid.
By following these best practices, energy organizations can enjoy the benefits of the BYOD* revolution – increased productivity and collaboration – while avoiding the security risks. A forward-thinking organization can ensure that the company and its employees benefit from technological advancements without introducing unnecessary risk to its critical infrastructure and proprietary data. A rigorously secure mobile file sharing solution that supports a broad range of platforms gives network administrators and security teams the controls and monitoring features they need to protect proprietary information.
About the author
Hormazd Romer is the senior director of product marketing at Accellion, where he drives product positioning, product messaging, and thought leadership. He brings over 12 years’ experience driving product marketing management for enterprise software solutions spanning enterprise security, including Web security, identity management, cloud, and virtualization security. Prior to Accellion, Romer was the director of product marketing at Symantec. He graduated from the University of Waterloo.
*BYOD: Bring Your Own Device