Business Risks: Insider Threats – and How to Tackle Them
Martin Sugden, CEO, Boldon James, considers how to manage insider threats to data security
At the start of the year, the Ponemon Institute launched the 2020 Cost of Insider Threats Global Report. The report highlighted that the number of cybersecurity incidents caused by insiders had increased by a whopping 47% since 2018. This meant the average annual cost of insider threats had also skyrocketed in only two years, rising 31% to £12.20 million.
Whilst the term “insider threat” can seem malicious, the report highlighted that insider incidents are more likely to be caused by negligent employees or contractors. It found that negligent insiders were the root cause of most incidents (63 percent). The total figure showed a careless employee or contractor was the root cause of 2,962 of the 4,716 incidents reported, and 1,105 incidents were caused by criminal and malicious insiders.
Non-accountable behaviours
There are various types of insider threat. Malicious insiders often seek financial gain or look for revenge. Unintentional insider threats, on the other hand, are more well-meaning but are no less dangerous. These employees are more likely to fall victim to social engineering techniques or phishing emails.
Ignorance is a key issue when it comes to employees handling data. Many of these individuals were never trained on their personal responsibility for company data, and have little knowledge of the company’s security practices. As such, they are highly susceptible to the threats mentioned above.
Why are they dangerous?
Apart from the economic factor, these threats are hard to identify and an operational disaster. Identifying them internally can be troublesome: because insiders already have access to the network with authorised credentials, their access does not raise a flag on a traditional monitoring system. They often already have access to sensitive data, and are aware of the existing security measures and how to get around them. Combine all this with a lack of visibility into user access and data activity, and identifying threat actors becomes incredibly challenging.
Mitigating the threat
One of the best ways an organisation can combat this issue is by fulfilling its compliance obligations through the adoption of a Privacy by Design approach. This is an approach that takes privacy into account throughout the whole process, ensuring that a business’s systems, policies, processes and technologies are all accounted for. Privacy by Design needs to start with data classification. The sheer volume of unstructured data within organisations, combined with the ever-increasing technical abilities of hackers and the fallibility of employees, makes it impossible to rely on people and processes alone to ensure that sensitive data is handled appropriately. Data classification embeds a culture of compliance by involving users in identifying, managing and controlling the sensitive data they work with, while automating parts of the protection process to enforce rules and policies consistently. Data is classified at source so the organisation’s rules can be applied at the outset.
An organisation’s first step is to understand what data it has, who is using it, how it is being stored, classified and shared, and whether it is company-sensitive; this is key to any data protection strategy. Once the organisation has defined what data it has, the next step is to classify it. Data classification is the categorisation of data according to its level of sensitivity or value, using labels. These are attached as visual markings and metadata within the file. When a classification is applied, the metadata ensures that the data can only be accessed or used in accordance with the rules that correspond with its label. This means the organisation needs to define its classification policy first and decide who should have access to each type of data. Once this is done, the next step is to select an appropriate classification tool; the right technology will help users to apply the classification scheme consistently and with ease. The most effective tools make classification a seamless part of business-as-usual. Once data is appropriately classified, security tools such as Data Loss Prevention (DLP), policy-based email encryption, access control and data governance tools are exponentially more effective, as they can read the classification label and metadata, which tell them how the data should be managed and protected.
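How a DLP or email gateway can act on the label described above, as an added example that is not part of the original article or of any vendor's product: the label names, the `classification` metadata key, the policy fields and `example.com` are assumptions. Files with a missing or unrecognised label are treated as the most sensitive class, so absent metadata fails closed.

```python
from dataclasses import dataclass

# Assumed classification policy: label -> sensitivity rank and handling rules.
POLICY = {
    "Public":       {"rank": 0, "external": True,  "encrypt": False},
    "Internal":     {"rank": 1, "external": False, "encrypt": False},
    "Confidential": {"rank": 2, "external": False, "encrypt": True},
}
UNLABELLED = "Confidential"         # fail closed: no label means strictest handling
INTERNAL_DOMAINS = {"example.com"}  # assumed corporate mail domain


@dataclass
class Attachment:
    name: str
    metadata: dict  # file metadata; the label is assumed to sit under "classification"


def effective_label(attachments):
    """Return the most sensitive label found across all attachments."""
    labels = []
    for a in attachments:
        label = a.metadata.get("classification")
        if label not in POLICY:  # missing or unrecognised label
            label = UNLABELLED
        labels.append(label)
    return max(labels, key=lambda l: POLICY[l]["rank"], default=UNLABELLED)


def evaluate(recipients, attachments):
    """DLP decision for an outbound message: (action, label, reason)."""
    label = effective_label(attachments)
    rules = POLICY[label]
    external = sorted(r for r in recipients
                      if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS)
    if external and not rules["external"]:
        return ("block", label, f"{label} data addressed to {', '.join(external)}")
    if rules["encrypt"]:
        return ("encrypt", label, f"{label} data requires policy-based encryption")
    return ("allow", label, "no restriction for this label")
```

The decision is driven entirely by the label, which is why a careless send of a correctly classified file is stopped without the gateway having to inspect the content.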
With the increase in regulation and its impact on business liability, organisations will need to invest in technology and policies that will help them to respond to, and prevent, insider threats from moving out externally. This will mean organisations are able to identify what data has left their network, and to prevent data leaving in the future by looking for similar information in all other data.