Five ways to tackle the insider threat
Insiders — employees, contractors, and others granted inside access to systems and data — pose significant risks to data security, but just how substantial and pervasive has the challenge of insider threat actually become?
In Code42’s most recent Data Exposure Report, we found that 78% of information security leaders believe that their current technologies and strategies are adequate when it comes to managing insider threats. Yet the report also identified a number of interesting inconsistencies.
Although half of business decision-makers indicated that they believe employees to be the single biggest threat to their company’s intellectual property, even more – about two-thirds of organisations – said that they experienced data breaches caused by insiders in the last 18 months.
In other words, having legacy data loss prevention technologies in place did not help these organisations stop insider breaches.
With insider threat being so pervasive, we want to share steps organisations can take to best mitigate the risks associated with insider threats.
Our findings will show that, although organisations must and should continue to trust their employees to build great companies, it’s critical to have tools in place to verify that employees aren’t betraying that trust—and to alert organisations when they do.
1. Define, share, and regularly reinforce policies that detail data use and data ownership.
When it comes to protecting data today, enterprises find themselves fighting against challenging attitudes toward data ownership.
In our Data Exposure Report, 72 percent of respondents agreed that the data at their company isn’t just corporate data, but also their own work and their own ideas.
It’s going to take considerable work, through ongoing education and reinforcement, to convince staff and other insiders to reassess these views.
Such efforts must include awareness training for all insiders that the organisation’s data belongs to the organisation and that data ownership will be enforced.
Of course, such policies should go beyond clarifying data ownership to include data usage policies as well.
These policies should detail which cloud storage and collaboration services are permitted.
Similar policies are necessary for removable storage devices. All such policies need to be formalised and clearly detailed.
2. Establish regular policy reminders.
To reinforce data ownership and usage policies, it pays to place reminders wherever they make sense.
Such reminders could include banners displayed on laptops at login or, more formally, when entering private computing facilities, as well as reminders when logging on to the corporate intranet and at other places where insiders authenticate themselves.
Data policy training needs to be made part of the core areas of employee onboarding and training. As new hires are trained, data ownership and usage policies of the organisation should be explained.
It’s also essential that these policies be reinforced during the employee off-boarding process, one of the most precarious times, when data is at the greatest risk of exfiltration at the hands of employees.
3. Hold regular training sessions to reinforce the right types of behaviour.
An essential step for sustaining good data security is to show employees specifically what they can and can’t do with the organisation’s data.
Such demonstrations should include how to use the approved cloud storage services and how to request permission to take certain data with them when they leave employment.
In this way, your training and awareness program will reinforce the exact types of data handling behaviour you expect of employees.
4. Establish an employee departure data review process.
Employees are most likely to take critical company data when they leave employment, so ensure that you review their data usage history and what data they may have tried to move off of the company’s systems.
Here’s a mind-blowing statistic: 63 percent of survey respondents admitted to bringing data from past employers to their new jobs.
This finding should concern every organisation, as these staffers are bringing that data from somewhere. Make certain it’s not your company’s data being carried into the next organisation.
The best way to do so is by creating a data review process to use with every departing employee. The human resource department can initiate this process or the IT department can include it as part of their overall procedure for deprovisioning systems access.
During this review process, ask the departing employee to review and explain how they accessed and handled data in the weeks leading up to their decision to put in their notice.
5. Put the right data protection tools in place.
The heart of your insider threat program will be your data security policies, data usage training, and data security awareness efforts, but none of these efforts mean much of anything if they can’t be enforced.
We’ve learned that technical controls that attempt to block data exfiltration fail to actually stop unwanted data movements.
Instead, it’s more effective to focus on detecting anomalous file movements and flagging when employees abuse the trust that has been placed in them.
As you consider such tools, don’t forget to evaluate how well they integrate into your technology environment. How well will the tool work with your security and data management tool stack?
Will it work with existing security and data management processes, or will those processes have to be changed to work with the tool?
For instance, if you already automate employee deprovisioning, will the data loss protection tool you’re evaluating seamlessly integrate with those processes?
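An added example (not from the original article or from Code42): a minimal departure data review that combines steps 4 and 5. It ignores transfers to approved cloud services and compares a departing employee's off-system file volume in the weeks before notice against that employee's own earlier baseline. The event format, service names, window lengths and threshold are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumed policy values (hypothetical, not taken from the article).
APPROVED_CLOUD = {"corp-drive"}  # cloud services permitted by policy
WINDOW_DAYS = 28                 # "weeks leading up to" notice, taken as four weeks
BASELINE_DAYS = 90               # earlier history that defines normal behaviour
SPIKE_RATIO = 5.0                # flag when daily off-system volume is 5x baseline

# Constructed sample events: (user, ISO timestamp, destination, file, bytes).
EVENTS = [
    ("alice", "2023-12-05T10:15", "removable", "slides.pptx", 1_000_000),
    ("alice", "2024-01-10T09:00", "cloud:corp-drive", "q4-plan.docx", 2_000_000),
    ("alice", "2024-02-20T22:40", "cloud:personal-box", "customers.csv", 40_000_000),
    ("alice", "2024-02-27T18:30", "removable", "source.zip", 60_000_000),
    ("bob", "2023-12-10T11:00", "removable", "notes.txt", 400_000),
    ("bob", "2024-01-15T14:20", "removable", "photo.png", 450_000),
    ("bob", "2024-02-21T16:05", "removable", "agenda.docx", 300_000),
]

def off_system(dest):
    """True when the destination is removable media or an unapproved cloud service."""
    kind, _, name = dest.partition(":")
    return kind == "removable" or (kind == "cloud" and name not in APPROVED_CLOUD)

def departure_review(events, user, notice_date):
    """Summarise a user's off-system file movements before their notice date."""
    notice = datetime.fromisoformat(notice_date)
    win_start = notice - timedelta(days=WINDOW_DAYS)
    base_start = win_start - timedelta(days=BASELINE_DAYS)
    window, base_bytes = [], 0
    for u, ts, dest, name, size in events:
        when = datetime.fromisoformat(ts)
        if u != user or not off_system(dest):
            continue
        if win_start <= when <= notice:
            window.append((ts, dest, name, size))
        elif base_start <= when < win_start:
            base_bytes += size
    win_rate = sum(e[3] for e in window) / WINDOW_DAYS
    base_rate = base_bytes / BASELINE_DAYS
    # With no baseline activity, any off-system movement in the window is a spike.
    ratio = win_rate / base_rate if base_rate else (float("inf") if window else 0.0)
    return {"events": window, "ratio": ratio, "flagged": ratio >= SPIKE_RATIO}
```

The returned events list gives the reviewer the specific files and destinations to raise with the departing employee.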
Insider threat is undoubtedly one of the most significant data risks organisations face today — and not just because of the high risks to valuable data and intellectual property.
Cultural beliefs surrounding data ownership also contribute significantly to this challenge.
The good news is, by following the five steps outlined in this article, any organisation can go a long way toward effectively managing insider threat.