Reports of data protection fails against insiders, compromised cybersecurity and data breaches are becoming more frequent, even at large corporations and the government. But these events are not all the same. You can analyze them and, by classifying the data breaches based on how they happened, you can develop effective countermeasures.
One way data breaches occur is when companies make mistakes such as leaving credit card data unencrypted. Trinity Maxwell writes about 16 companies who experienced credit card data breaches. You can fix such lapses by defining and following effective security procedures to encrypt them. Another cause of data breaches is external hacking. Network World reports on the biggest data breaches of 2015. When your perimeter protection and network security has holes, hackers can access your data. A solution is to tighten up restrictions on external access to your network and add more perimeter protection.
Another major reason for data breaches is insider action. The FBI has published a brochure discussing insider threat issues. Such data breaches can be extremely serious and they can go on for extended periods without anyone detecting them. Insiders are people who have had or still have authorized access to your data. It’s not the access that’s the problem – it’s what they do with the data once they have it. To identify insider threats to your organization, you first have to define the threats and identify the ones relevant for the protection of your data.
Who Are the Insiders?
If you have employees who work with sensitive data belonging to your organization, you have insider threats. But insiders are not limited to employees. Your IT department may be giving out user names and passwords to your network for external technical support. Contractors and consultants working with your company information may have authorized access. Your cloud services supplier probably needs access to data you store in the cloud and former employees and support personnel may still be able access your data for some time after they leave the company.
While you can screen and monitor your own employees, a typical organization has given authorized access to many non-employees, some of whom the organization may not even know. Cloud service providers encrypt your data while it is in transit from your servers to the cloud, but it is often decrypted on the cloud servers so it can be stored in structured databases and processed. Technicians unknown to you must have access to these servers for repair and maintenance and will often be able to see your data. The vast majority of all these insiders don’t pose a threat but you have to be able to identify where potential threats exist and which people might pose an insider threat.
What Threats Can Come From Insiders
Insider threats can result in serious legal and regulatory complications for your organization and some actions can hurt a company’s competitive advantages. When a data breach exposes personal data of employees or customers, the costs of addressing potential damages can be large. Other threats are sabotage, fraud and data theft, each of which has specific implications depending on the data your organization handles regularly.
Even companies that don’t store financial, personal or health data are vulnerable. An insider can access the bid you are preparing for a major contract and leak it to the competition. A disgruntled employee could delete or scramble business databases before he leaves. A salesman could book an order, collect a down payment from a customer and then disappear. A consultant could download results from research you have been carrying out and start his own business using the data.
In a separate category, espionage can be carried out by insiders. Such threats are either executed for foreign governments or for other business interests. Both foreign governments and competitors might be interested in proprietary drawings, information, operating manuals and technical details of innovative products for which your organization has data. The threats from espionage often come from external individuals that persuade insiders to carry out the data theft. Such threats are especially difficult to identify because the insiders in question were originally ordinary employees or other authorized personnel who became corrupted by the external agent.
What Motivates Insiders to Carry Out Data Breaches
Insiders leak valuable data for a variety of reasons. An article on Lancope.com details possible insider motivations. Financial considerations are a major motivation, either because the insider has money problems or because they are tempted by an unexpected windfall. Disgruntled employees or employees who have lost their job may want to damage the organization. The motivation for espionage can be financial but it may also be patriotic or ideological, if the insider has links to foreign countries. Such motivations are important clues for helping to find potential insider threats.
Insider Threat Identification
To identify the sources of potential insider threats, you have to look at two different groups of insiders. Your own employees may be a source of insider threats but you can screen potential hires and you have a record of normal employee behavior. Other insiders, such as consultants or contractors, may be insider threats but you often know little or nothing about them. Identifying individuals who may pose a threat within these two groups requires differing strategies.
For your own employees, the principal way you can identify a potential insider threat is to monitor behavior. If your security checks and pre-employment evaluations were accurate, an employee who is at risk of becoming a threat will normally engage in unusual behavior compared to his pre-risk profile. Typical unusual behavior might include starting to work odd hours without a specific reason, accessing organization data while sick or on vacation, taking sudden and frequent trips abroad, starting to make extensive “backup” copies of files and exhibiting stress from personal problems with money, drugs, family or alcoholism. Employees showing several of such signs may be at risk of becoming an insider threat.
For non-employees, you have much less information to permit insider threat identification. A key tool is to monitor data access. If a technician is troubleshooting the network or a consultant is working with employee data, their accessing a customer database would be unusual. Tracking their work and what they have viewed will help you identify insiders who have an interest in data that does not concern them. Such monitoring can help you detect insider threats from non-employees.
Once you have identified potential sources of insider threats, you can take measures for additional data protection where warranted. But before you can implement specific cybersecurity aimed at particular insider threats, you have to identify the insiders at risk and their possible targets by looking at behavior, monitoring data access and examining potential motivations.
Identify potential insider threats is very difficult, you need additional data security to help prevent data breaches. Data protection centered on sensitive information can prevent insiders from seeing the data even if they have accessed it. Implementing such data-centric protection can allow you to put in place a comprehensive data security strategy.
With CloudMask, only your authorized parties can decrypt and see your data. Not hackers with your valid password, Not Cloud Providers, Not Government Agencies, and Not even CloudMask can see your protected data. Twenty-six government cybersecurity agencies around the world back these claims.
Watch our video and demo at www.vimeo.com/cloudmask
