Thwarting insider threats is one of the most difficult challenges for companies, organizations, and governments. In fact, it is most often ranked second only to phishing among the top cybersecurity challenges cited by CISOs and CIOs. According to PwC’s Audit Committee Update on Insider Threat, 44 percent of data breaches are attributable to insiders and 80 percent of attacks are committed during work hours on company-issued software.
Insider threats can impact a company’s operational capabilities, cause significant financial damages, and harm brand equity. The mean cost of a cybersecurity breach involving employees or others within an organization is $8.7 million, according to a Ponemon Institute report, “2018 Cost of Insider Threats: Global”.
Some insider breaches are intentional and some are non-malicious, just the result of negligence. There have been a variety of recent malicious incidents that have included employees stealing hard drives of data, leaking information, and even inserting malware into networks. Often the goal has been to steal intellectual property, company secrets, or in some cases commit sabotage. Inadvertent mistakes also pose an ongoing threat. A common activity is sending an email attachment to the wrong person that puts unprotected data at risk. When it comes to any type of security, humans are often the weakest link.
To understand vulnerabilities to insider threats, it is important to be able to define and categorize the types. The Information Security Forum (ISF) provides a solid framework for describing the types of insider breaches:
- Malicious: Malicious insider behavior combines a motive to harm with a decision to act inappropriately. For example, keeping and turning over sensitive proprietary information to a competitor after being terminated.
- Negligent: Negligent behavior can occur when people look for ways to avoid policies they feel impede their work. While most have a general awareness of security risks and recognize the importance of compliance, their workarounds can be risky.
- Accidental: ISF members report that completely inadvertent breaches are more common than malicious ones.
All three insider breach categories are concerns because sensitive data is everywhere and easily accessible if dynamic policies and fine-grained data-in-use controls are not in place. The number and types of client devices using services have multiplied, and employees no longer operate only within corporate networks. Virtual teams are assembled, changed, and then disbanded after specific projects. When a mission or project ends, employees could still hold information related to the project. Furthermore, perimeter-based defenses are no longer adequate, as enterprise boundaries dissolve with the growing use of mobility, cloud, and collaboration with external partners.
The expanding attack surface has led to many data exfiltration vulnerabilities and gaps. Companies and federal, defense, and intelligence agencies have mission-critical information at risk of being targeted. To be effective, the data security solution not only needs to stay ahead of the threats, it also needs to be practical for mission and business users and able to integrate seamlessly into the existing ecosystem.
One of the key lessons for cybersecurity practitioners is that as the environment and missions change, control of the data must be adjusted accordingly. “Traditional perimeter-based defenses are not enough in a modern enterprise, contending with external partners and mobile users and migrating to the cloud. Focusing on keeping attackers out isn’t effective when they’re acting from within. It is critical to secure the data itself and have the security persist with the data regardless of where the data goes, for the lifetime of the data,” says Dave King, chief technical director with the Cyber Systems line of business at General Dynamics Mission Systems.
Using a multi-layered, data-centric security approach enables CISOs and CIOs to stay ahead of insider threats.
First and foremost, encrypt the data to render the data useless even if it’s stolen or accidentally passed on. Encrypting each data file goes beyond data at rest protection and network security – it gives additional protection to the point of data in use. To provide optimum security against the growing types of sophisticated threats, both from within and outside, enterprises should demand military-grade encryption that goes through penetration testing, adheres to the strictest coding standards, and has a known and trusted pedigree.
Next, enforce the appropriate access control to the data. Keep data on a strict need-to-know basis by limiting access to the people who need it to do their jobs, and have processes and tools in place to revoke access to the data when their roles change, even if they still physically possess the data. So, even if a file is saved on an endpoint device, emailed, or placed on a thumb drive or optical media and taken outside the perimeter of the enterprise, that information should no longer be accessible if a person’s right to the data has changed.
Then, go a step further and protect data down to the “last mile” by enforcing data usage protections. Use dynamic policies to control fine-grained usage and provide security that persists with the data. Adjust in real time when an individual’s right to access or use the data has changed, so people do not all have to be given blanket access in perpetuity. Give each individual, group, or partner differentiated access commensurate with their role, such as offline access, time-limited access, the ability to copy and paste, and prevention of screen capture. Using centrally managed, granular data protection policies, the access rights of an individual to a file can be changed without having to rework the policies of everyone else with access to the same file.
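A worked illustration of the three steps above (per-file encryption, need-to-know access, and a centrally managed policy that persists with the data), added here as an example and not code from the article or from General Dynamics Mission Systems. The in-memory key service, the Policy fields, and the file and user names are hypothetical; a real deployment would back the key store with a KMS or HSM and log every decision to the SIEM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// Policy is the central per-file rule; it lives with the key service, not
// with the file, so it can change after a copy has left the perimeter.
type Policy struct {
	AllowedRoles map[string]bool
	ExpiresAt    time.Time
	Revoked      map[string]bool // users whose right to this file was withdrawn
}

// Hypothetical central key service: per-file data-encryption keys and policies.
var keys, policies = map[string][]byte{}, map[string]*Policy{}

// Protect encrypts under a fresh per-file AES-256-GCM key; the ciphertext alone is useless.
func Protect(fileID string, plaintext []byte, p *Policy) ([]byte, error) {
	buf := make([]byte, 32+12) // 256-bit key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	keys[fileID], policies[fileID] = key, p
	// fileID as associated data binds the ciphertext to its policy entry.
	return gcmFor(key).Seal(nonce, nonce, plaintext, []byte(fileID)), nil
}

// Open releases plaintext only if policy permits this user now; holding the ciphertext is not enough.
func Open(fileID, user, role string, now time.Time, ct []byte) ([]byte, error) {
	p, ok := policies[fileID]
	if !ok || p.Revoked[user] || !p.AllowedRoles[role] || now.After(p.ExpiresAt) {
		return nil, errors.New("access denied by policy")
	}
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcmFor(keys[fileID]).Open(nil, ct[:12], ct[12:], []byte(fileID))
}

func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // a 32-byte key is always accepted
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
```

Revoking one user is a single change to that file's Policy, which leaves every other user's access to the same file untouched, and an expired or tampered copy fails regardless of who holds it.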
A basic tenet of cybersecurity is that it must fit seamlessly into the business and be practical for the mission. A comprehensive, multi-layered, data-centric security solution should be easy for the user, if not unnoticeable. Given the demands of the mission, data security cannot introduce latency or interfere with the everyday user’s workflow. For cybersecurity practitioners, data protection is integral to risk mitigation and should integrate into the ecosystem, leveraging existing investments in Data Loss Prevention (DLP) and Security Information and Event Management (SIEM). A comprehensive data protection approach that includes knowing exactly where the data is, who is trying to access it, and what they are doing (i.e., data visibility down to users, devices, and geolocations) in real time provides organizations with a defensible audit position.
Often overlooked and underestimated, the insider threat is becoming more prevalent and costly. Companies and governments need to take heed of the implications. But there are options founded upon stronger encryption for the borderless enterprise, whether its data resides on premises or in the cloud. Protecting data and controlling its usage needs to be a top priority.