Last Updated: 11th October, 2019
Insider Threats: Just so many businesses are in denial when it comes to insider threats to data security. Not all employees will take company data, but chances are high that if you don’t put proper precautions in place, employees might compromise up your entire valuable IP, either inadvertently or deliberately.
This isn’t a matter of opinion: hard facts tell the story. According to the most recent Verizon Data Breach Investigations Report, the percent of data breaches caused by insiders rose to 34% in 2018 from 28% in 2017.
With just over one-third of all data breaches caused by insiders, the threat is just too serious to ignore. Yet, although many companies understand the risk, they don’t take the insider threats seriously enough and those that do are unsure how to best address the challenge.
There’s a highly vested interest. By some estimates, 70% of the value of publicly traded companies are the intellectual property in the form of patents, copyrights, trade secrets and other information. In half of data breach incidents, the total damages to the business typically exceed £800,000.
If companies are going to protect themselves from data loss, they must face two uncomfortable truths:
It’s likely that any given company is suffering a data loss or theft from departing employees at this very moment. As many as 72% of departing employees admit to taking company data and 70% of intellectual property theft occur within the 90 days before an employee’s resignation announcement.
Traditional data loss prevention tactics do not work. Why don’t traditional tactics work? One reason is they rely on employees to classify data, which has never worked.
Furthermore, when an employee does run afoul of the company’s policies, the reaction is to block their access to data. That response fundamentally contradicts collaboratively, sharing environments of today’s workplace. Exceptions must then be granted, which leaves the company open to risk of data loss or data breaches.
The Insider Threats are Great: Just consider what recently happened to McAfee. McAfee is considered a leader in data loss prevention, but the company recently filed a lawsuit against three ex-employees accused of stealing trade secrets and allegedly taking them to a McAfee competitor.
In this era where data can be moved with a click, it’s essential that all organizations implement a data loss protection strategy that provides simple, fast detection and response capabilities so that organizations can protect themselves from common data loss by insiders or insider threats.
As studies and recent headlines show, organizations must have this ability to mitigate the insider threats of costly lawsuits or losing valuable intellectual property to competitors.
This initiative should be led by your information security team. The core of this effort will be the creation of an enterprise-wide insider threats handling authority or insider data theft policy, which includes employee education.
Surprisingly, 72% of knowledge workers think the data they create and manage on the job belongs to them! Consider the idea of a painter hired to paint someone’s portrait. Obviously, that portrait would belong to the person who paid for it, even though the painter created it. Same with knowledge economy workers.
Customer lists, engineering designs, research findings and analysis and other data belong to the company, not the worker. Organizations need to start educating their employees regarding this.
Making this clear requires a formal, detailed, written policy on what data employees can take home or with them when they leave and what data must remain and what implies by data breaches. This policy should be part of new-hire on-boarding, security awareness training and employee off-boarding.
Next, make sure to develop indicators of insider threats and insider data compromise. These indicators will differ from organization to organization. The policy should include looking for signs of unusual activity such as an increase in data being transferred, accessing files outside of business hours, or attempts to rename intellectual property something innocuous, such as music or family photos.
While broad rules are important, it’s just as important to establish rules that focus on file types that are likely to have intellectual property enclosed. This can be CAD renderings for an architectural firm, while for a pharmaceutical company it can be years of drug research. Whatever it is for your business, make sure you can monitor the activity of these files.
Finally, build a data time machine. It’s a misconception that departing employees will steal data after they give notice or in the few days leading up to their last day. In fact, the thefts often occur much sooner – as early as the day they start to look for a new employer.
In our experience that many organizations don’t start monitoring employee use of data until after a staffer has given their notice or has been placed on some type of probationary period. This just isn’t good enough. It’s best to evaluate their actions going back months before they have given notice.
In fact, enterprises should create a process for insider threats evaluation and screening every time an employee is leaving employment, whether voluntary or not. This is a process the human resources department should initiate. Most companies have an employee on-boarding process, but few have similar processes for departing employees.
It is certainly something that needs to be addressed. The departing employee workflow should include not only things like the deprovisioning of access, but also an analysis of their data access activity. If suspicious file movement is detected, it should be referred to HR and/or legal to decide how to respond.
While many organizations make the mistake of focusing on the headlines that highlight sophisticated external attackers, they overlook the real risk created by their trusted insiders. Certainly, there’s no foolproof strategy to solve the insider threat problem.
The truth is, nothing will eliminate the risk entirely. However, putting into place a handful of known best practices regarding how to handle a situation when it comes to insider threats or data breaches caused by insiders can greatly mitigate the danger of the trusted insider.