Technology is a powerful tool for assuring the confidentiality, availability and integrity of your critical data, but it is no failsafe. Even best-of-breed technology deployed in a layered approach (defense in depth) will have flaws. The most well-meaning and well-resourced organizations still fundamentally fail at securing their valuable information. Often, the most overlooked weakness is the employees themselves. Employees can be an unacknowledged risk to your organization's information security through the malicious, negligent or accidental actions they engage in. Most organizations assume that their employees are trustworthy and non-malicious. The fact is that some are honest, others simply do not know how to compute securely, and others still are purposefully malicious (criminally minded). The insider threat is real. Recent studies on the insider threat paint quite a dire picture:
- A recent study by Protenus counted 450 data breach incidents reported to the U.S. Department of Health and Human Services (HHS) in 2016; that is more than one health data breach per day for the entire year, and these breaches affected 27 million patient records. If this trend continues, 2017 will see an average of at least one breach per day.
- Even more alarming, the report found that 43% of the 2016 health data breaches were the result of insiders.
Although this study covers the healthcare field, it is emblematic of overall trends in insider threats. It should give organizations pause that their own employees are a major threat to their very survival. Rather than instill fear, it should raise awareness of the efforts needed to mitigate this risk. Here are some things that can be done to mitigate the insider threat:
Security Awareness Training
We have written consistently about the value of security awareness training for your internal employees. Employees can be either an asset that helps protect your vital data or a risk. Security awareness training helps them understand what is expected of them, and it lessens the negligent and accidental actions of previously untrained staff. For those who may be inclined to engage in criminal activity targeted at their employer, training spells out the steps taken to safeguard company data, the ongoing monitoring in place, and the criminal and civil penalties they will face should they break the rules. Fear of being caught may provide some deterrence. The added win of security awareness training is that honest, law-abiding personnel are better equipped to deal with today's malware and social-engineering threats (phishing, ransomware, etc.).
Data Loss Prevention
Data Loss Prevention (DLP) is a set of technologies that detect data breaches and exfiltration (sending data to a third party). These technologies can monitor and control data in use, in motion and at rest, and they do so in an automated way. A malicious insider might attempt to copy a database of PII (personally identifiable information) or IP (intellectual property) and email it to a third party. A DLP solution would block that transfer and prevent the data exfiltration. While no technology is foolproof, DLP solutions go a long way in reducing risk.
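The detect-then-enforce loop that the paragraph above describes for data in motion, reduced to its core, as an added illustration that is not part of the original post and not the code of any DLP product: two content detectors (a Social Security number pattern and a payment-card pattern validated with the Luhn checksum so that order numbers and serials are not flagged) run over an outbound message, and a policy then decides whether to allow it, allow it but alert, or block it. The internal domain `example.com`, the bulk-export threshold of five records, and every message and identifier in `SAMPLE_MESSAGES` are constructed test values.

```python
import re
from dataclasses import dataclass
from typing import List

# Detectors. Real DLP engines use many more (document fingerprints, keyword
# dictionaries, OCR for images); two patterns plus a checksum are enough to
# show the detect-then-enforce loop.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 16 digits in groups of four (space or dash separated) or an unbroken 13-19 digit run.
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b|\b\d{13,19}\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum: rejects digit runs (order ids, serials) that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str     # "ssn" or "card"
    masked: str   # only the last four digits are kept in the alert record


@dataclass
class Message:
    sender: str
    recipient: str
    body: str


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per regulated identifier present in the text."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        raw = re.sub(r"[ -]", "", m.group())
        if luhn_ok(raw):
            findings.append(Finding("card", "*" * (len(raw) - 4) + raw[-4:]))
    return findings


def decide(findings: List[Finding], recipient: str,
           internal_domain: str = "example.com", bulk_threshold: int = 5) -> str:
    """Policy (constructed for this example): clean mail passes; regulated data
    leaving the organization, or a bulk export even to an internal address, is
    blocked; a few records sent internally are allowed but raise an alert."""
    if not findings:
        return "allow"
    external = not recipient.lower().endswith("@" + internal_domain)
    if external or len(findings) >= bulk_threshold:
        return "block"
    return "alert"


def inspect_message(msg: Message) -> str:
    return decide(scan_text(msg.body), msg.recipient)


# Constructed sample traffic; every identifier below is a made-up test value.
SAMPLE_MESSAGES = [
    Message("clerk@example.com", "buyer@mail-outside.test",
            "Here is the patient's SSN 123-45-6789 as you asked."),
    Message("clerk@example.com", "billing@example.com",
            "Customer card 4111 1111 1111 1111 declined, please retry."),
    Message("ops@example.com", "team@example.com",
            "Order id 1234567890123 shipped; tracking will follow."),
    Message("clerk@example.com", "archive@example.com",
            "Export: 123-45-6789 234-56-7890 345-67-8901 456-78-9012 567-89-0123"),
]


def run_samples() -> List[str]:
    """Verdict for each sample message, in order."""
    return [inspect_message(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, run_samples()):
        print(f"{verdict:5s} {msg.sender} -> {msg.recipient}")
```

Two design points matter for a real deployment. The alert record stores only a masked form of the identifier, so the DLP log itself does not become a second copy of the data it is meant to protect. And the bulk threshold turns a volume signal into a block even for internal recipients, which is the pattern a database export to a personal mailbox inside the company would produce.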
Ongoing Risk Assessments
The biggest issue for most organizations is treating risk assessment as a one-time exercise. Many IT organizations do not view it as an ongoing process. When risk assessment is carried out annually (or more often), organizations are more likely to uncover risks that only reveal themselves over time. Risks can then be categorized, ranked and mitigated as needed. Ongoing risk assessments can be a powerful asset in reducing insider threats, among others.
Cyber Insurance
Risks can be avoided, accepted or transferred. Cybersecurity insurance allows an organization to transfer risk to some degree. It is designed to mitigate losses from a variety of security incidents such as data breaches, business interruption and network outages (to name a few). This insurance allows the organization to strategically address some risks it may not be able to foresee or justify addressing financially up front. Cyber insurance can be a great way to address the insider threat without breaking the bank.
No single approach alone is ever enough to address insider threats. As with most other threats, an integrated approach is required to mitigate the risk. No single technology, process or policy will eliminate insider threats, but an integrated, holistic approach will reduce them. Often the human threat is the greatest of all, and its multifaceted nature requires us to address it with an integrated approach.