For many of us, the term “data breach” conjures up images of a shadowy character in a dark hoodie — a nefarious criminal. But the more we understand about how data breach incidents originate and propagate, the more likely we are to shift focus from outsider hackers to insider threats. Insider threats can be malicious, but often they are accidental. Rather than a shadowy scoundrel, your greater security risk might very well be Alice in the accounting department, who absentmindedly leaves her laptop on the bus.
No organization, including tech and social media companies, is immune to a data breach resulting from ignorant or malicious behavior of employees or business partners. Earlier in 2016, a payroll department employee at Snapchat received a spear-phishing email that appeared to be from Snapchat Chief Executive Evan Spiegel. The employee replied to the email, inadvertently sending sensitive personal information on about 700 current and former workers to an outside party.
In order to avoid being the subject of the next data breach story in the headlines, corporate leaders must take three key steps. First, they must understand the nature of insider threats. With that knowledge, they must support policies and procedures to deter and detect insider threats. Most importantly, they must actively build a culture of awareness and care on the part of employees to protect and secure proprietary enterprise data.
Corporate leaders must understand the nature of insider threats and play a critical role in building a culture of awareness and care on the part of employees to protect and secure proprietary enterprise data. Developing such strategies at the C-level ensures that every employee in every business unit understands the risks, and that data security principles and practices are uniform across the organization, not just the onus of IT and senior knowledge workers.
#1 Recognize Potential Insider Threats in Your Organization
According to the 2016 Data Security Incident Response Report issued by Baker & Hostetler LLP, approximately 37% of security incidents arise due to employee negligence or human error, with another 31% stemming from phishing/hacking/malware attacks.
An insider is someone who has authorized access to an organization’s network, system or data; this could be an on-site or remote employee, business partner or contract worker. There are three categories of insiders who present the greatest risk of breach, outlined below.
An exploited insider may be a victim of phishing, baiting or other scams. This is typically an innocent user, as in the Snapchat case, who is misled into providing data or passwords or who is enticed to click a link or visit a website that may install malware such as keystroke loggers.
A careless insider may change or delete data through lack of attention to detail or policy. These users, as the name suggests, simply make thoughtless errors without awareness of the impact. Examples of careless insiders include moving data to unprotected locations or storing data via unsecured tools, such as flash drives, Dropbox, or even moving company data through personal email accounts.
Not surprisingly, a survey of over 500 cybersecurity professionals by Crowd Research Partners — Spotlight Report on Insider Threats — notes that privileged users, such as managers with access to sensitive information, pose the biggest insider threat to organizations (60%), followed by contractors and consultants (57%), along with regular employees (51%).
A malicious insider is someone who intentionally destroys or leaks data, often with nefarious goals:
- Monetizing sensitive data, for example, selling customer lists or financial plans.
- Fraud: A perpetrator of fraud engages in activities that are designed to defraud, misappropriate property or funds or circumvent the regulations, law or policies of a company.
- Sabotage or Revenge: For example, an angry former employee seeks to take out frustrations on an old boss or others who wronged him or her during tenure at the organization.
- Whistleblowing: Insiders revealing information or documents to support accusations of internal mismanagement or threats of retaliation potentially resulting in internal investigations or litigation.
- Hacktivism: The practice of loosely organized hacker groups who attack government or corporate entities to draw attention to social or political causes.
#2 Prioritize the Use of New Tools and Technology to Reduce Insider Threats
While the proliferation of mobile devices, cloud applications and portable data technologies may increase the general risk of insider attacks, the good news is that there has been a corresponding rise in the emergence of tools and technologies to help monitor activity to prevent or identify insider threats. Board room discussions increasingly focus — as they should — on three primary approaches to avoid, identify, and address the impact of insider threats: deterrence, detection and analysis.
Under the category of deterrence, some of the key procedural and technology controls that can be utilized include identity management, access control, encryption and security policies. The goal here is to prevent a breach before it happens.
First and foremost, every organization should inventory and monitor all assets provided to employees and contractors. This allows an organization to know where its data is, who is using a given device, ensure each devices is returned at the point of separation and prevent assets from falling into the wrong hands.
Every employee and contractor should have unique login credentials. This prevents users from employing a generic login to perform malicious or careless acts, and employers can trace the source of a threat or breach back to the source.
Whole disk encryption on all devices ensures that any laptop or device that is lost or stolen will not allow those who possess the device to access sensitive or proprietary data contained therein. Mobile devices should employ mobile device management applications that allow for encryption of company data and remote wipe of lost/stolen devices.
An organization should only provide access to systems and applications that are necessary for an employee/contractor to perform his/her specific function and complete assigned tasks.
Detection involves processes and tools that allow information security teams to monitor login activity, flag unusual activity and identify intrusion. Data loss prevention (DLP) tools and forensic tools similar to those used in the e-discovery process can also be employed to identify bad actors or those who have improperly stored or transmitted proprietary data. For more, see, “Can User Behavior Analytics Do a Better Job of Protecting Your Organization’s Data?,” in this issue.
DLP tools allow for the creation of rules as to how an organization expects data to be handled, communicated and stored. If a user goes outside the bounds of these rules, data is quarantined and an alert is generated that can be reviewed by IT or information security teams.
Forensic tools and natural language processing tools can contribute to more effective approaches to identifying insider threats or even curbing opportunities for related employee action. These tools are also used during the e-discovery process or as part of internal investigations that leverage the common language of data and systems and consider a number of varied techniques from different disciplines when investigating an incident. These are described in the paper titled “Increased C-Suite Recognition of Insider Threats through Modern Technological and Strategic Mechanisms,” by Amie Taal, Jenny Le and James Sherer.
Analysis involves the use of tools that analyze traffic patterns, active processes, email patterns or content to tracking file movement across the network. This is often a key element in successful enterprise information security strategies. Threat analytics adds a measure of safety with tools for employee monitoring, Web filtering, mobile monitoring and laptop anti-theft tools, among others.
#3 Increase Efforts on Security Education and Cultural Change
Like most solutions to complex enterprise challenges, there is a process component to mitigating insider threats. As in most cases, technology goes hand-in-hand with education and culture, and success is built over time by raising awareness among all employees and educating them on security threats as well as expectations around recognizing and preventing such incidents.
The Insider Threat Spotlight Report referenced earlier revealed that the single largest factor in the rise of insider attacks is a lack of employee training and awareness (62%). Insufficient data protection strategies and solutions (57%) and the proliferation of sensitive data moving outside the firewall on mobile devices (54%) are again named as sources for why insider threats are on the rise.
Understanding where threats arise and educating employees on how to avoid common pitfalls will result in a reduction in the number of exploited and careless insiders, which have traditionally been the largest segments of insider threats. Education involves ongoing training, reinforcement of policy and proper procedures, as well as efforts to develop a culture of good data stewardship.
Insider Threat Reduction Starts at the Top
Cyber threats come in many forms, and the insider threat posed by employees, contractors and partners is one that organizations face most frequently. Protection against insider threats belongs not only to IT and security management, but to the entire management team, across all operational areas of a company or organization. Security tools and technologies are constantly improving in support of these efforts, but in the end, successful reduction of insider threat risk hinges on the ability of senior leadership to develop standardized processes and provide education and communication across the enterprise. By example and through education, C-suite executives can create a culture of trusted insiders who take responsibility for secure data management to reduce insider threats.
***** Sam Chi is SVP, Discovery Services at FRONTEO and oversees complex engagements and provides consultation to FRONTEO USA clients on every phase of electronic discovery including data preservation, collections, early case assessment, hosting, review and productions. Chi has extensive experience consulting with Am Law 100 Firms and Fortune 100 clients on every phase of e-discovery across a variety of litigation focuses from regulatory matters to patent litigation, and on multijurisdictional cases spanning the United States, Europe and Asia. He can be reached at SChi@FRONTEO.com.
The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.