從資料治理的角度來看,影子 AI 引入了嚴重的結構性曝險。資安團隊對於以下情況完全處於盲區:哪些外部模型正在主動攝取資訊、這些資料在地理上被儲存於何處,以及第三方模型供應商是否正將企業專有的資料池用於公開大型語言模型(LLM)的訓練週期。
從應用程式限制轉向資料譜系控制
傳統的企業防禦專案高度依賴以周界為核心的控制項,利用安全網頁閘道器(SWG)來阻斷或允許對特定應用程式網域的存取。這種模型在套用於生成式 AI 時宣告失效。GenAI 空間繞過了傳統的周界控制,因為資料可以透過標準網頁瀏覽器工作階段(Session)被瞬間提取——不論是將剪貼簿的原始文字貼入未經授權的聊天機器人,還是將在地檔案拖放到未受管理的瀏覽器擴充功能中。
因此,一項有效的反影子 AI 戰略必須跨越應用程式級圍阻(Containment)的概念。資安架構師必須轉向以資訊為中心的模型,不論資料與何種端點或雲端架構互動,可視性與資料保護控制項都必須緊緊依附於資料承載(Payload)本身。
對映企業資產的曝險足跡
常見的治理錯誤是誤以為影子 AI 的風險僅限於標準的個人識別資訊(PII)。在現實中,未受管理的模型攝取會暴露出多個關鍵的業務層面,包括:
法務維運: 企業合約、已簽署的主服務協議(MSA)以及保密協議(NDA)。
人力資源與人事: 員工檔案、薪資架構、醫療保險指標以及內部績效日誌。
企業財務: 總分類帳條目、未發布的季度預測、價格利潤率矩陣以及在地化的預算模型。
軟體工程: 核心應用程式原始碼、API 憑證模式以及系統配置指令碼。
戰略規劃: 商業產品提案、競爭分析矩陣以及下游的企業併購(M&A)資料。
智慧財產權: 研發工程圖紙、CAD 檔案、專有演算法以及專利申請書。
此曝險面具備獨特的挑戰性,因為透過影子 AI 進行的資料外洩通常是靜默發生的。與標準的惡意軟體感染或憑證濫用事件不同,資料流向外部 LLM 不會觸發任何傳統的端點指標,在沒有清晰的外洩特徵碼(Signature)的情況下,使資料池直接暴露。
一刀切式 AI 限制的維運失敗
面對未受管理的應用程式使用,許多 IT 團隊的直覺反應是在所有未受核准的生成式 AI 網域實施全域阻斷。雖然封鎖高風險平台能在短期內立即降低風險,但將其作為長期戰略卻存在根本性的缺陷:
消費級 GenAI 新平台的誕生速度,遠遠超過傳統網頁過濾資料庫的更新週期。
分散式員工可以輕易透過未受管理的個人裝置或外部行動網路,存取未經授權的模型實例。
過度限制的控制項會逼使員工尋求替代的影子繞過手段,以維持其日常生產力。
組織不應試圖消滅 AI 工具的採用,而必須專注於治理。資安團隊必須清晰定義哪些核心架構是受核准的、為結構化資料狀態建立可接受的應用場景,並提供安全的企業級替代方案,讓員工在保障安全的前提下槓桿 AI 的能力。
戰略性架構能力檢核表
在選擇資安廠商來緩解影子 AI 風險之前,企業資安領導者必須根據幾個關鍵指標,評估其現有的資料保護姿態:
遙測與可視性: 我們的安全維運中心(SOC)能否清晰區分受授權的企業級 AI 實例與未受管理的消費級帳戶?
由於向 AI 助理輸入文字通常是以片段形式發生——例如複製特定的幾行程式碼、貼上財務簡報中的段落,或上傳孤立的文件章節——僅僅保護儲存庫已不再是足夠的防禦。真正的資料圍阻(Data containment)需要透過資訊權限管理(IRM)或企業數位版權管理(EDRM)來直接保護檔案本身。
透過將密碼學控制項與動態存取規則直接嵌入檔案承載資料中,檔案在整個生命週期中都能受到保護。即使使用者將文件下載至未受管理的裝置,或試圖將其上傳到消費級 AI 環境中,嵌入的加密技術也會強制執行明確的邊界。它能阻止剪貼簿複製、阻斷在地列印、限制螢幕截圖,並允許管理員隨時動態調整或撤銷存取權限,即使在檔案離開企業周界後,也能中和資料曝險風險。
資安領導者分階段實施路線圖
對企業 AI 的整合建立有效的治理,需要採用分階段、漸進式的方法,在安全性與維運生產力之間取得平衡:
階段 1:可視性評估
槓桿影子 IT 發現工具對映當前的使用基準線,識別在企業設備艦隊中哪些未受核准的 AI 平台被最頻繁地存取。
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
戰略簡報: 將自主 AI 代理人(AI Agents)連結至企業內部儲存庫能釋放巨大的生產力,但同時也創造了嚴重的資料曝險風險。由於大型語言模型本質上會跨越不同的資料孤島進行資訊聚合與綜合,它們經常會繞過傳統的資料夾級權限。本藍圖詳細拆解了 SealPath SDK 如何將外部、以身分為核心的驗證層直接嵌入 AI 管線中,確保自主代理人嚴格根據使用者目前的作用中文件權限來查詢資料。
代理型知識檢索的結構性風險
企業 AI 工作流允許員工使用自然語言查詢廣闊的資料資產——立即萃取法律合約、供應商參數或專有技術藍圖的摘要。然而,當這些智慧編排器索引了包含繼承權限、開放共享連結或跨部門資料夾的儲存庫時,它們便引入了一個根本性的安全缺陷。
AI 模型並不需要暴露整份機密文件才會引發災難性的資料外洩。代理人只需將敏感片段注入低權限的對話會期、綜合不同來源的受保護資料點,或推論出受限的維運指標,就足以構成威脅。在向量資料庫中與資料的「語義接近性」,已不再代表擁有檢索該資料的權限。對於處理受管制或專有智慧財產權的企業而言,細粒度的存取控制必須從「儲存庫的參數」轉變為「檔案本身的屬性」。
「企業 AI 代理人絕不能基於它在技術上有能力找到的所有內容來構建答案。它必須完全根據查詢身分被明確授權檢視的資料資產來生成回應。」
為什麼在地化隔離優於基礎索引
一個常見的架構誤區是過度依賴簡單的儲存庫同步——直接索引廣泛的共享雲端硬碟,並將資訊過濾的工作留給 AI 系統本身。若缺乏獨立且可審計的密碼學邊界,執行時期引擎(Runtime Engine)將面臨放大企業內部既有權限漂移(Permission Creep)的風險。
這項挑戰已被 Microsoft 365 Copilot 等業界標準所承認,其強調智慧檢索必須在執行時期層尊重基於身分的存取邊界。真正的資料安全需要將核心查詢從「非結構化搜尋」轉變為「經權限驗證的請求」:
過度分享(Oversharing)——亦即在不恰當的時間內將企業資料暴露給過多的使用者——是一個長期的資料治理挑戰。歷史上,一個過度暴露的文件通常僅靠「隱蔽性」就能維持安全,因為它被埋在層層嵌套的網路共享資料夾深處。然而 AI 抹除了這種靠隱蔽帶來的安全感。代理人可以在幾秒鐘內發現、聚合並展示一個過度曝險的檔案。
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
The company specializing in corporate information protection attributes its results to the rise in regulations, a significant increase in the number of data leaks, and growing concern among organizations about keeping their sensitive data safe.
BILBAO, SPAIN, AUGUST 4, 2025 – The cybersecurity market continues to show remarkable momentum in 2025, and SealPath’s results reflect this. The company, which specializes in protecting and controlling permissions on sensitive documents, reported a 50% increase in revenue at the end of the first half of this year. This growth is directly related to the increase in attacks targeting key sectors such as finance, industry, and public administration, as well as regulatory pressure from regulations such as NIS2 and DORA.
SealPath, which has just celebrated 15 years offering specialized solutions in corporate data protection through digital rights management technology, has experienced an acceleration in demand for its solutions, especially from medium and large organizations seeking to secure access to their most critical information.
Growth driven by market developments
The company notes that the market is moving toward increasingly proactive data protection solutions focused on preventing information leaks before they occur. This represents a shift from traditional security technologies, which tend to be more reactive. According to SealPath’s CEO, the market is also consolidating the adoption of tools integrated with other cybersecurity technologies, which enable customers to identify and mitigate potential threats more effectively.
In addition, SealPath’s geographical expansion, with new operations in international markets, particularly in Europe, Latin America, and Asia, has been decisive in achieving these strong results. The company is thus responding to growing interest from customers and partners in regions where data protection is a strategic priority for businesses.
Greater focus on industrial property protection
SealPath has also detected an increase in companies investing in protection solutions for industrial designs, reinforcing the management of sensitive information throughout the supply chain. The company believes that proactive security remains critical in the fight against information theft and has therefore stepped up its offering of CAD design protection solutions for its customers.
Luis Ángel del Valle, CEO of SealPath, offers a positive take on the results: “It is very encouraging to see how companies are prioritizing data protection as a core part of their strategies. We have seen very rapid adoption of our solutions, and the market is demanding more comprehensive technologies to address today’s challenges. This motivates us to continue innovating and striving to lead the sector.”
With its growth figures and ability to adapt to the demands of a changing sector, SealPath consolidates its position as one of the leading companies in data-centric security, ready to face the challenges of the second half of the year and continue strengthening the security of its customers in around 30 countries.
About SealPath SealPath is the European leader in Data-Centric Security and Enterprise Digital Rights Management, working with significant companies in more than 25 countries. SealPath has been helping organizations from different business verticals such as Manufacturing, Oil and Gas, Retail, Finance, Health, and Public Administration, to protect their data for over a decade. SealPath’s client portfolio includes organizations within the Fortune 500 and Eurostoxx 50 indices. SealPath facilitates the prevention of costly mistakes, reducing the risk of data leakage, ensuring the security of confidential information, and protecting data assets.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
Know in depth the CIS Security Control 3 v8, a set of security safeguards to help organizations on data protection, the new changes compared to v7, all the safeguards and how to implement CIS Control 3 effectively.
A brief background about data breaches
IBM and the Ponemon institute released a report on the cost of a data breach in 2022, surveying 550 breaches with data gathered from over 3,600 interviews across 17 countries, and the result was mind-blowing. The results show that the average data breach cost US$4.35 million in 2022, indicating that the figures have further risen from the $4.24 million recorded in 2021.
Every year, IBM statistics for the cost of data breaches indicates that the figures keep rising by at least 2.6 per cent, and numbers are expected to shoot up in the coming years. However, in the US, the figures and drastically different, as the average cost of a data breach was found to be $9.44M, more than double the global average. Know how is the Data Breach loss cost estimate obtained?
The IBM report also showed the causes of most breaches, with stolen or compromised credentials accounting for 19% of breaches, phishing being responsible for 16%, and Cloud misconfiguration causing 15% of breaches.
It’s essential for organizations to deploy a robust data protection strategy to reduce the possibility of a data breach or data leakage, which often leads to financial loss. The CIS Controls is a collection of the best data and computer security practices to mitigate attacks on cyber systems and networks.
CIS Security Controls v8, Data Protection
The CIS Critical Security Controls (CIS Controls) is a set of security Safeguards to help organizations mitigate the most prevalent cyber-attacks against computer systems and networks. These Controls are improved from time to time to address constantly evolving cyber threats and keep up with modern systems and technologies.
More specifically, CIS Control 3 focuses on ensuring data protection both in storage and when transmitted through data management for mobile devices and computers. The Controls map out processes and techniques to identify, classify, safely handle, retain, and dispose of data in a way that minimizes the risks of a data breach.
It’s no news that an organization’s data is no longer restricted to its borders. Some data are now stored in the cloud, shared with partners, transferred over portable end-user devices, and so on. This diverse handling of data opens it to more risks of attack, making data protection a great concern for organizations.
Although encryption offers a lot of protection to data, it doesn’t offer much help in the face of malicious actors with deep-rooted knowledge of bypassing encrypted data. As a result, organizations need to incorporate a holistic data protection strategy outlined by CIS Control 3 to strengthen their security and mitigate cyber-attacks.
Changes compared to v7 where Data Protection is now the Control 3
CIS Control 3v8 is a comprehensive revision of the 3v7 and contains safeguard updates to improve data security and reduce the risks of a breach. Some of the changes include:
– the addition of Service Provider Management Control: a new control that tackles the sensitivity of data in SaaS platforms, including their storage and processing.
– moving Data Protection from the number 13 spot to number 3 and adding five new Safeguards to this Control. These five new Safeguards are focused on managing and identifying data in a more secure approach to minimize vulnerabilities.
Other changes involved Controls, such as Controls 4,5,6,14, and so on.
What data protection safeguards does CIS Control 3 include?
Below are the safeguards of CIS Control 3
3.1: Establish and Maintain a Data Management Process
Organizations should put in place an effective data management process that handles data sensitivity, ownership, storage, retention, backup, and disposal. The data management process should align with the regulations of your specific organization and be reviewed annually or wherever there’s a major policy change.
3.2: Establish and Maintain a Data Inventory
Your inventory outlines the type of data your organization produces, the degree of sensitivity, and how they’re retained and consumed. Typically, your inventory should reflect both structured data (e.g., data stored in databases) and unstructured data (e.g., documents and photos) to ensure a comprehensive data protection policy.
3.3: Configure Data Access Control Lists
Restricting each user’s access is a crucial part of data security, and each user should only have access to the data, applications, and systems on the organization’s network that they require to do their job. Having access to other than what they need (especially sensitive data) increases the risk of a data breach and security compromise, either deliberately or accidentally.
Regular review of access control lists should be done to detect and swiftly remove any unauthorized permissions that a user has, such as when they move to a new department, branch, or role.
3.4: Enforce Data Retention
Data should have minimum and maximum timeframes to control the extent to which different types of data should be retained. To ensure full compliance, you should consider automating the data retention process so that certain types of data do not stay beyond their expiry period due to forgetfulness.
3.5: Securely Dispose of Data
Whether you need to dispose of data because it’s old and irrelevant or due to standard regulations, ensuring secure disposal is crucial to preventing unauthorized access to the data. You should dispose of data according to their sensitivity, making sure that sensitive data are entirely eliminated in a way that no user can access.
3.6: Encrypt Data on End-User Devices
In certain scenarios, company devices get compromised by internal or external threats. Encrypting data on end-user devices helps prevent data misuse when such scenarios arise, adding an extra layer of security to your organization. Typical examples of encryption tools are Windows BitLocker, Linux dm-crypt, and Apple FileVault.
3.7: Establish and Maintain a Data Classification Scheme
Not all the data in your organization are on the same level. Some are sensitive, while others aren’t. Establishing and maintaining a data classification scheme helps you to distinguish sensitive data from non-sensitive data, so you can provide more protection for sensitive ones. Even non-sensitive data can also be further classified as private or public to enhance data protection.
Organizations should review their data classification scheme annually or whenever there’s a significant policy change.
3.8: Document Data Flows
Organizations should keep tabs on the movement and flow of data in and out of the enterprise in order for timely detection of vulnerabilities that could weaken their cybersecurity. You should review documentation annually and apply necessary updates whenever a significant change that could potentially impact this safeguard occurs.
3.9: Encrypt Data on Removable Media
Organizations should prepare for scenarios of device theft by encrypting the data on external hard drives, flash drives, and other removable media. These devices may also be misplaced and eventually land in the wrong hands, but with encryption, you can rest assured that the data will not be misused or exploited.
3.10: Encrypt Sensitive Data in Transit
Organizations should encrypt critical data in transit to ensure optimal protection wherever the data goes. Popular encryption options for companies are Open Secure Shell (OpenSSH) and Transport Layer Security (TLS). All encryptions must also be adequately authenticated. For example, OpenSSH validates host keys and investigates any connection warnings, while TLS uses valid DNS identifiers with certificates signed by a trusted and valid certification authority.
3.11: Encrypt Sensitive Data At Rest
Sensitive data at rest either on servers, databases, or applications, should be encrypted with at least Storage-layer encryption. Additional encryption methods can be deployed to ensure that only authorized users can view and use the data, even if the storage device gets into the wrong hands.
3.12: Segment Data Processing and Storage Based on Sensitivity
Data processing and storage should be segmented based on data classification to ensure that sensitive data is treated with more caution than less sensitive data. Avoid processing sensitive data on enterprise assets that manage less sensitive data at the same time. Doing this will prevent a hacker from automatically accessing all company data once they gain access to some less sensitive data.
3.13: Deploy a Data Loss Prevention Solution
Data loss protection (DLP) is a powerful automated system for protecting on-site and remote data from accidental loss and exfiltration. The tool identifies all sensitive data processed, stored, or transmitted through enterprise assets and updates the data inventory. Know more about DLP vs IRM here.
3.14: Log Sensitive Data Access
All sensitive data actions should be logged, including access, modification, and disposal, as this is essential for timely detection and response to malicious activity. Post-attack investigations and detection of breach culprits for appropriate accountability also require data access logs to be fully carried out.
How a data-centric security approach can help you to implement CIS Control 3
Organizations deploying data-centric security can better implement CIS Control 3 because their technologies, processes, and policies are concerned with the lifecycle of data, including its location, collection, transfer, storage, and visibility.
Key Elements And Benefits of a Data-Centric Security Approach
The key elements of an effective data-centric security system include the following:
1. Identification, discovery, and classification of sensitive information
An internal or external attacker’s primary target is to access the most sensitive company information since they carry the highest benefits. They may as well go after other data, e.g., regulation data like EU-GDPR, PCI, or others. Often, these data are stored in specific repositories known to only the company’s team; however, they can be shared, putting the data at risk. Organizations interested in implementing data-centric security controls need tools and technologies that help to identify where their data is at all times to prevent unauthorized access. Know the Advantages of Data Classification boosted by AI and Machine Learning.
2. Data-centric protection
Data-centric security controls focus on monitoring and securing an organization’s sensitive information to prevent unauthorized access due to cloud, network, or data leakage. You know where your data is and where it goes while having absolute control over it, regardless of how far it travels.
3. Audit and monitoring of access to data
Organizations must analyze data use and determine if users’ behavioural patterns are within the acceptable standard so as to know the level of risk associated with the data at any time.
4. Administration and management of data policies
Employees come and go, but company data remain relevant at all times. A data-centric security approach allows organizations to determine who should or shouldn’t have access to certain data, depending on their policies. So when you stop collaborating with someone or find out they’re at risk, you immediately revoke access to the data, destroy it, or prevent it from leaving the corporate network.
How can SealPath help?
When it comes to improving your organization’s data protection strategy, SealPath can offer a data-centric security system that effectively monitors your data at rest, in transit, and in use. Thus, regardless of how far your data travels, you are not only aware of its journey, but you still have absolute control over it and can destroy it in case of a breach risk.
SealPath offers you Information Rights Management (IRM) / Enterprise Digital Rights Management (E-DRM) / Enterprise Information Protection and Control (IPC) over all your data, preventing a breach incident.
Information Rights Management (IRM)/Enterprise Digital Rights Management (E-DRM)/Enterprise Information Protection and Control (IPC) solution
The IPC (Information Protection and Control), or IRM / E-DRM (Information Rights Management / Enterprise Digital Rights Management) technologies give you the power to control information wherever they are, even if it’s outside the cloud. It combines identity control + encryption + auditing + remote control and takes them beyond the sphere of traditional encryption.
Some of the capabilities of this technology include the ability to: • provide protection that travels with the information • monitor access to information and limit the permissions on the documentation (Only View, Edit, Print, etc.). • revoke access, no matter where the files are stored
A data-centric approach to security makes protection user-driven or managed by the administrator in order to secure certain folders. In the cloud, folders or documentation repositories are automatically protected by encrypting them in systems with O365, Box, etc.
These technologies can be integrated with classification tools so that classified data within or outside the corporate network or cloud are automatically protected, depending on their level of confidentiality, DLP, or CASB.
About SealPath SealPath is the European leader in Data-Centric Security and Enterprise Digital Rights Management, working with significant companies in more than 25 countries. SealPath has been helping organizations from different business verticals such as Manufacturing, Oil and Gas, Retail, Finance, Health, and Public Administration, to protect their data for over a decade. SealPath’s client portfolio includes organizations within the Fortune 500 and Eurostoxx 50 indices. SealPath facilitates the prevention of costly mistakes, reducing the risk of data leakage, ensuring the security of confidential information, and protecting data assets.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
5 tools to prevent data exfiltration when sharing files from mobile devices are analyzed to help you take the best steps to protect the business information. Learn how to improve security, make informed decisions and understand the effectiveness of each option based on our more than 10 years of experience helping organizations with their data security.
Although we come from a security mindset where everything is perimeter-focused and every action is blocked, the reality is that business professionals often need to share sensitive documents with others. And if they have blocking measures in place, they may even bypass them in order to be productive, agile, and meet business objectives. It is therefore undeniable that the secure sharing of sensitive documents with others is a gap.
And of course, the fastest and most convenient way to share documents is via mobile devices. There may be several reasons for this: not having a PC at hand, not being in a good location to access a PC, or simply not having much time because you are traveling, at a business lunch, or away from the office. But at the same time, you need to send a document right away, you need to share it urgently. We take risks when we send sensitive files without any security measures. We sacrifice security for convenience and speed.
The risks run are not only when storing sensitive documents on the mobile device but also when sharing this information with third parties. Nor do you have any guarantee that the person you send sensitive files to will apply effective security measures to prevent your sensitive information from being exfiltrated. Mobile devices are one of the main risk vectors for companies, where less security is applied, as detailed in this Security Intelligence article.
Therefore, it’s crucial for organizations to recognize that data exfiltration from mobile devices is a far more serious threat than it appears. Businesses must strike a balance between the necessity for mobile productivity and the imperative to protect sensitive data from unauthorized access. Related Article: 9 tools to prevent data theft in your organization.
Imagine the life of a busy executive, Sarah, who is always on the move, traveling between cities for high-stakes meetings. One afternoon, while waiting for her next flight in a bustling airport lounge, she receives an urgent message on Microsoft Teams from her company’s internal channel. It’s a sensitive document outlining the latest corporate strategy, meant only for top-tier management.
The urgency of the situation presses Sarah to act swiftly; she contemplates sharing it with a few key colleagues via WhatsApp for immediate input. Unbeknownst to her, this seemingly simple act of convenience could expose the company’s sensitive data to unauthorized access, compromising corporate confidentiality and security.
Sales representatives on the road
Now consider Alex, a dedicated sales representative who spends his days maneuvering through endless hours of travel between client meetings. His effectiveness depends on agility and the ability to instantly respond to clients’ needs.
While on the road, Alex receives a personalized technical guide through Slack, crafted specifically for a high-profile client. Time is of the essence, so Alex decides to forward the guide to the client using Outlook on his smartphone. While his intention is to offer exemplary service, this act of expedience could potentially bypass security protocols and put proprietary company information at risk.
These scenarios underscore the pervasive threat of data exfiltration from mobile devices in the enterprise world. The need for a balance between efficiency and data protection has never been more critical, as data exfiltration incidents can occur at any moment. This highlights the necessity for businesses to establish comprehensive mobile security strategies that safeguard sensitive information, even amidst the constant urgency and demands of corporate operations.
Preventing data loss in organizations requires a multifaceted approach, leveraging various tools and methods designed to address specific use cases and contexts. Each tool offers unique strengths and capabilities, aimed at minimizing the risk of data exfiltration and ensuring the secure sharing of files across mobile devices. Let’s take a look at what our options are:
Password Protection
It’s as simple as creating a password for your document or folder with documents and sending that password through another channel to the recipient so that only the person with the password can access it. File encryption tools such as AxCrypt, SecureZIP, or GnuPG are a good option.
Pros:
Useful for very ocasional sends: It’s useful if you need to send sensitive documents a very small number of times. Password encryption is simple and can be fast.
Cons:
You have no control over the document: There is a risk that unauthorized persons can access it. Either because the password and file was obtained (or stolen) or because the authorized person shared the password and file with others.
Manage and remember passwords: It is not safe to send documents always with the same password, so you will have to manage the different ones you create, store them securely and/or remember them.
It is not an agile method for everyday use: Every time you want to send sensitive documents, you have to create new passwords, store them, and send them securely through a different channel.
Virtual Private Networks (VPNs)
VPNs create a secure tunnel between the user’s device and the internet or a remote network. They provide an encrypted connection. This helps protect data transmitted over public or unsecured networks by ensuring that the data remains private and concealed from unauthorized access or interception. Commonly Used VPN Services are Palo Alto GlobalProtect, Cisco AnyConnect, OpenVPN and NordVPN.
Pros:
A good choice for securing data in transit: This option is good to make sure that no one intercepts the files while they are being sent, while they are in transit.
Cons:
The data is not protected once downloaded or at rest: They do not provide protection for data once it has been downloaded. If the recipient does not follow security best practices, the data could still be compromised.
Upload the files to a Repository, Cloud Storage or File Sharing Service
A great choice for collaboration: They are a great way to store files or collaborate on the same document.
Cons:
It requires that the documents be uploaded first: This is an essential step that can be a hindrance to the user, making them less agile, adding an extra step and taking more time.
You lose control once they are downloaded: Even if you only give access to authorized people who have to log in, once they download the file, you run the risk of exfiltration again. And it is not always enough to simply allow viewing of documents and block downloads.
Email Encryption Services
Email encryption services are designed to protect the content of email from being read by unauthorized parties. These tools ensure that only the intended recipient can access and read email content by encrypting it during transmission and storage. Commonly Used Email Encryption Services are ProtonMail, Microsoft Purview Message Encryption or Zix. Learn about the 3 common types of encryption in our in-depth article.
Pros:
This is a good way to send secure e-mails: They are a good option when only sending sensitive documents via email.
Cons:
It limits the channels of secure communication: Nowadays we communicate through different channels such as Teams, WhatsApp, Slack… Limiting it to email only can present obstacles for users and they may decide to skip it. Or, the conversation with the recipient may be on a different communication channel.
Large Attachments: Sending very large files as email attachments can be cumbersome and might not be supported by all email encryption services.
You lose control once they are decrypted: The document is sent securely but once the recipient has decrypted the document and downloaded it, you lose all control over it. You run the risk of it being exfiltrated.
Enterprise Digital Rights Management (DRM) Solutions
The primary purpose of enterprise digital rights management (DRM) solutions is to protect sensitive digital content from unauthorized use and distribution inside and outside an organization. These tools control access, usage, and distribution of digital files, ensuring that only authorized parties can view, edit, or share the content. They enforce protection on the document itself. DRM solutions protect digital content by encrypting files and applying policies that dictate how the content can be accessed and used.
Pros:
Protection is permanent: It is a good option because it focuses its security and protection on the data itself, accompanying it wherever it goes or travels, in all three data states: at rest, in transit and in use. If you want to know more about the 3 data states, visit our article.
Cons:
User Frustration with Restrictions: EDRM can lead to user frustration if it interferes with usability or creates a poor user experience.
It is perhaps the most comprehensive and versatile approach to mobile data security because it focuses security on the data. For us, it is the safest way, and we believe so strongly in this technology as a game changer.That is why we have developed an EDRM product specifically for mobile devices. We present it to you below.
SealPath is the most advanced EDRM solution that provides persistent protection for documents regardless of how they are stored and shared, and has been in the market for over 10 years. Satisfied with SealPath protection on their PCs and Macs, our customers asked us to bring protection to their mobile phones and tablets. They wanted a flexible yet robust way to protect documents on the go. And it is with this in mind that we present the SealPath Information Protector App, so that they can continue to be productive and agile in their day-to-day work while protecting the information with the highest level of controls.
How does it work SealPath Information Protector App
1. Open the File: Open the file within your desired app such as Slack, Outlook, or WhatsApp on your phone or tablet.
2. Share the File: Tap on the options menu and select the share option.
3. Protect the Document. Inside the SealPath Information Protector App, tap the “Protect Document” button.
4. Select Protection Policy: A window will open allowing you to search and select your desired protection policy. You can type the policy name for quick access.
5. Final Steps: The app will protect the document. A window will open offering you the choice to either share the protected document via your desired app or save it on your phone or tablet .
Note: The entire process only takes a few seconds to complete.
Secure File Sharing with Real Use Cases
From Teams internal channel to board members via Whatsapp
John, an executive at a multinational company, is traveling for business. While at the airport, he receives a sensitive document containing strategic information through Teams on an internal channel. John needs to share this document with other executives quickly and securely. Using his tablet, he opens the document, taps the share option, and selects the SealPath Information Protector App.
Within the app, he taps “Protect Document” and chooses the “Confidential” policy, ensuring that only a small group of executives have permission to access the document. Once the app protects the document, John shares it via WhatsApp. This process ensures the sensitive information is secure while allowing him to stay productive and efficient.
Receive a document in Slack and email it to a client
Emily, a sales representative, spends most of her time on the road, traveling between client and partner meetings. During a break, she receives a personalized technical guide with important customer details through Slack’s internal channel on her phone. Emily needs to protect this sensitive information before sharing it with the customer.
She opens the document, taps share, and selects SealPath Information Protector App. She then taps “Protect Document” and secures the guide with the appropriate protection policy. After protecting the guide, Emily shares it with the customer via Outlook. This ensures the document is secure, and Emily can maintain her agility and responsiveness, even while on the go.
Key Features of SealPath Information Protector App
Protect and unprotect from your usual apps: Protect and share in seconds via whatsapp, slack, teams, gmail, google drive, sharepoint, OneDrive, Telegram… You can also unprotect files using the same process.
Easy and fast: Protecting files is very easy with an intuitive interface, and the process is very fast so it takes very little time.
You control the data wherever it goes: You have the ability to limit who can access it and what usage permissions they have (edit, view only, print…). You can even block access after the document has been sent and monitor accesses.
Secure login: To prevent anyone from unprotecting confidential files on your device and to make it more convenient to log in, you can use your fingerprint or face.
Available for phones and tablets: Available on the App Store and Google Play for iOS 11 or higher and Android 5.0 lollipop or higher.
Protect your sensitive business data throughout its lifecycle with our easy-to-use EDRM App
In the quest to secure mobile document sharing, organizations must weigh convenience against security to select the optimal solutions. It’s crucial to implement tools that secure data without hindering user experience, as overly complicated systems may lead to user workarounds. Key considerations include ensuring robust encryption to protect data at rest and in transit, and implementing user-friendly authentication processes to streamline access without sacrificing security.
Solutions should offer seamless integration with existing applications and workflows to minimize disruption. Real-time monitoring and alerts can help detect and mitigate exfiltration attempts swiftly. Ultimately, the chosen approach should provide strong data protection while maintaining efficiency and productivity, fostering a secure yet convenient environment.
About SealPath SealPath is the European leader in Data-Centric Security and Enterprise Digital Rights Management, working with significant companies in more than 25 countries. SealPath has been helping organizations from different business verticals such as Manufacturing, Oil and Gas, Retail, Finance, Health, and Public Administration, to protect their data for over a decade. SealPath’s client portfolio includes organizations within the Fortune 500 and Eurostoxx 50 indices. SealPath facilitates the prevention of costly mistakes, reducing the risk of data leakage, ensuring the security of confidential information, and protecting data assets.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.