How do you handle coworkers exfiltrating customer data to unmanaged, unsecured third-party SaaS products? For a long time, I thought the best solution was to just try to provide IT-sanctioned first-party tools, but that appears to not work — any reasonably-sized employee base will want more tools than an IT team can possibly set up and manage.
You have to have high level champions. If you are not supported by management, you cannot ensure confidentiality, Integrity, and availability.
If they won’t help with Security &Awareness training, and by enforcing organizational policy, you ultimately have no way to stop anything an internal threat wants to do.
@TheGibson I guess what I'm looking for is some way to make people not want to exfiltrate data. What I'm doing now is playing whack-a-mole and shutting down one avenue as fast as new ones pop up, which is exhausting.
Do you have a cloud provider?
@TheGibson If by "a cloud provider" you mean "a few dozen dozen different SaaS and PaaS providers that different things use"
I mean a common and accepted cloud storage solution.
They use something else, what then?
What I’m getting at is that IT can’t solve HR problems.
@TheGibson I'm just stuck at how to do it without having the ability to punish people for bypassing policies & controls. The only things I know to do are make good things easier and bad things harder...
And that is the approach you’ll have to take without at least a champion in leadership, and effective training.
This is an HR issue. Someone in upper management needs to own it.
Or setup a private cloud?
Ultimately you’ll still have leaks without upper level support.
I’ve been in this boat before.
The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!