Avoid SharePoint Security & Compliance Flaws
Would you be able to instantly provide a full record of your users’ activities across your IT systems? Would you be able to provide an auditor with detailed proof of where and how your customers’ private details are stored? And are you able to track suspicious activity within your SharePoint environment?
Safeguarding private data is an essential part of operating an organization, whether it pertains to your customers, your employees, your patients or your clients. Yet, best practices around sensitive data storage, security, and retention are often elusive. Depending on your organization's IT security protocols, colleagues can access company data from outside the walls of the office much more easily – via mobile, VPNs, the cloud, as well as removable drives. Platforms such as Office 365 and SharePoint add to this mix but require permissions and viewing rights to be governed effectively.
All these developments and tools are incredibly useful, of course. Nonetheless, they increase the risk of mistakes, hacking and loss of private data. And with the growing number of risks that businesses face, regulatory bodies are becoming much stricter in terms of auditing and enforcing compliance.
Regulation in a whole range of areas has exploded in recent years, especially around personal data (such as the EU’s GDPR – see our GDPR 101: Demystifying the EU General Data ebook) and health information (read our blog on HIPAA). While many businesses are catching up, a lot are struggling to keep up. Research from Ernst & Young shows that a majority of medical practitioners remain woefully unprepared to comply with the US HIPAA privacy and security rules:
With so many organizations under-prepared for an audit of their compliance, many are at risk of major fines. So, what can you do to avoid some of the common security and compliance pitfalls?
All too often, many companies view SharePoint governance and compliance as a reactive activity. Establishing and implementing an information governance plan can be a time consuming activity, involving multiple stakeholders and multiple rounds of review. Yet in today’s regulatory and cyber risk environment, information governance is a necessary first step to any meaningful information security project. Compliance should be woven into organizational strategy, and should feed right through processes on how to organize ECM and collaboration systems. In the long term, good preparation now will save you long-term damage; some fines are so cripplingly large that they could spell the end of some businesses. Follow our tips to avoid common pitfalls.
- Be proactive
Being proactive means being alert, constantly scanning the regulatory horizon, as well as scanning your own IT environment. Are there new rules on the way? Will they affect your organization? Is new technology in the hands of your employees bringing risk? Are staff accessing data in an unsafe way? Compliance issues don’t resolve themselves. ControlPoint from Metalogix helps detect suspicious activities and unusual login attempts, meaning you can act fast to close down rogue operators. Together with tools like Sensitive Content Manager, you can scan your systems for sensitive data through its ever-learning patent-pending technology and ensure that data is stored securely.
- Be strategic
Total security and compliance cannot be achieved ad hoc. Your organization needs to follow a well-planned and effective strategy. It is no good to simply add a new short-term patch to your systems; you need a long-term approach. This will involve re-training staff, gaining executive buy-in and rolling out new processes for improved secure practices.
- Train end users
Whether you are updating your existing data protection policy, or rolling out new tools (such as mobile devices), ensure that you train end users as to what this means for them. Initially this may change very little of their actual day to day practices. It may be something as simple as storing documents in a different library. Occasionally a new policy will mean a big change in their existing processes - so you need to educate them as to what the change is and why it’s happening.
- Regularly review your policies
You might think that once you have a policy in place, that’s enough. It isn’t. Compliance rules change relatively often, sometimes in response to big news stories. You should therefore be proactive and annually review your data protection policy.
- Test, test, test
Again, this is about being proactive. It is crucial to regularly test your firewalls and encryptions. Deploy any software updates as soon as they are available, and try to move your business onto the latest technology as often as you can.
- Be prepared to audit fast
If you are asked to carry out an audit of your systems, auditors will be impressed if you can provide them with answers fast and that means you can get back to work sooner. ControlPoint helps here as it allows you to produce rapid reports on individual user activity with unparalleled granularity.
Today’s security and compliance landscape is more challenging than ever. Not only are regulations stricter and punishments more severe, but the number of scenarios where data can be leaked or hacked into has grown. It’s therefore key to become more proactive in your organization’s approach to security and compliance.
For a deeper dive into SharePoint security, download our Five Steps to Securing SharePoint and SharePoint Governance Best Practices eBooks. Contact us today to learn more about how we can help provide you with compliance peace of mind.
Jai Dargan is a Senior Director of Product Management at Metalogix, where he directs the strategy Metalogix’s security and compliance solutions. In this capacity, Jai guides the direction of Metalogix products aimed at securing content collaboration, including ControlPoint, Sensitive Content Manager, and Insider Threat Index. Prior to Metalogix, Jai was a co-founder at Pim Labs, LLC, a startup company (acquired by Metalogix) that built solutions for securing social networks and sensitive content. He holds a Masters Degree from Georgetown University and an undergraduate degree from New York University.