Organizations spend a lot of time, money, and effort trying to protect themselves and their data against hackers, cybercriminals, and other external threats. But internal threats pose just as big a risk if not more so. Employees typically possess the necessary access and ability to steal data, trigger malware by opening the wrong link or file attachment, and share files using third-party programs and social media rather than official company software. Released on Thursday, Code42’s 2019 Data Exposure Report highlights the threats posed by insiders and offers some recommendations on how businesses can better protect themselves from their own employees.
SEE: IT leader’s guide to reducing insider security threats (TechRepublic Premium)
Based on a survey of 1,028 information security leaders as well as 615 business decision-makers, this year’s Data Exposure Report found that employees often use their own personal accounts to share company data. Specifically, 43% of the business decision-makers said they use personal email to share company files, while 31% said they use social media platforms such as Facebook and Twitter.
Phishing emails are a dangerous threat to any organization. All it takes is one wrong click to download a piece of malware that can infect a computer and spread throughout an entire network. Despite the risks, employees still have a tendency to click before they think. Among the business decision-makers surveyed, 49% admitted to having clicked on a link that they shouldn’t have or didn’t intend to. Perhaps more surprisingly, 43% of the IT decision makers polled admitted to the same mistake.
Data breaches can certainly be caused by outside factors, such as hackers. But they can just as easily or more easily be triggered by employees, even if accidentally. Among the 38% of companies that said they were hit by a data breach over the past 18 months, half of them pointed to employee actions as the cause. In contrast, around 45% cited third parties as the source of the breach, while around 25% placed the blame on external actors such as cybercriminals.
Further, the survey found that employees sometimes operate however they see fit to best accomplish their work. A full 77% of the information security leaders surveyed said that the most significant risk to an organization is employees doing their jobs however they want with no regard to data security protocols or rules.
Departing employees can often represent a greater threat to an organization than can existing workers. That may be especially true of employees who don’t leave on good terms. With large flash drives and cloud services readily accessible, sending or carrying data beyond the confines of the company is a quick and easy process. Some 63% of respondents admitted to bringing data from past employers to new companies, while 38% believe their colleagues have done the same thing.
Further, many employees feel entitled to personal ownership of the work they do for a company. Around 72% of the respondents either strongly or slightly agree with the notion that “It’s not just corporate data, it’s my work and my ideas.”
Information security leaders are certainly aware of the potential hazards of insiders and have taken steps to mitigate the risk. Some 69% of organizations that suffered a data breach due to an insider threat said they did have a prevention solution in place at the time. As a result, 78% of the information security leaders acknowledged that their prevention strategies and solutions aren’t sufficient to stop insider threats, including those with traditional data loss prevention (DLP) tools.
“We’re seeing companies empower their employees without the proper security programs in place, leaving companies in a heightened state of risk,” Jadee Hanson, CISO and vice president of information systems of Code42, said in a press release. “In addition to enforcing awareness trainings, implementing data loss protection technologies and adding data protection measures to on- and off-boarding processes, organizations should not delay in launching transparent, cross-functional insider threat programs. Insider threats are real. Failing to act will only result in increasingly catastrophic data loss and breaches.”
To help organizations better protect themselves against insider threats, Code42 offered the following recommendations in its report:
- Security teams must evolve their data loss protection strategies and think beyond prevention – prevention solutions aren’t enough to stop insider threat.
- When prevention methods fail, security teams must detect, investigate, and respond to data leak, loss, and theft as quickly as possible.
- Focus on the data – it’s imperative to know where data lives, who has access to it, and when and what data leaves so that security teams can protect it across endpoints and cloud.
- Invest in a next-gen data loss protection solution. This is the only way to truly mitigate the growing and evolving impact of insider threats.
Code42 CEO Joe Payne added to the report’s recommendations with some advice of his own.
“Companies looking for advice to better manage insider threat should think about a combination of processes and technologies,” Payne said. “On the process side, a number of fundamentals need to be ticked off any list:
- First, be transparent about your insider threat program. Telling employees about your program will deter far more internal risks to data than a covert insider threat program will. To achieve transparency, define, share, and regularly reinforce your protocols around data use and ownership. Then, automate acknowledgment of those protocols.
- Take the simple step of displaying a standard login banner that reminds users they are accessing a private computing facility where work they create belongs to the organization. Knowledge workers too often feel entitled to the work they create when really the work belongs to the company. A painter wouldn’t expect to own the portrait you’ve commissioned him to paint. He knows you’ll be hanging it on your wall as soon as he completes the masterpiece. This same concept applies to knowledge workers.
- Hold regular security awareness and training sessions to build muscle memory and reinforce the right types of behavior. Partner with employees and show them exactly how to properly gain permission to take some data, like their personal contacts, with them when they leave.
- Put in new technology that focuses on detecting anomalous file movements – not blocking it – and handles both cloud and non-cloud data. This technology can flag when employees abuse the trust that has been placed in them. At the same time, a technology solution should allow sharing of documents and collaboration while putting in checks so that egregious actions can be investigated.
- Most companies lack a process for protecting against data exfiltration during off-boarding. The number one indicator that someone might take data? A resignation. All people who leave an organization should be reviewed to ensure that they are not taking critical company data – or that they didn’t take data in the weeks before they resigned. Organizations should treat data like any other asset that needs to be collected. Most companies collect access badges, laptops, and other hardware, but do nothing to collect data. For many of today’s most innovative companies, data is the most valuable asset they have. If they’re not collecting their data, it’s a huge miss.”