Cybersecurity strategies traditionally secure the company network against outsider interference. However, as a new wave of data protection laws swept the globe, organizations became legally liable for the protection of sensitive data not only from external threats, but also internal ones.
According to the Cost of a Data Breach report 2020 released by IBM and the Ponemon Institute, 23% of all data breaches are caused by human error, while 17% of malicious attacks are due to employees targeted by phishing and social engineering attacks and a further 7% by malicious insiders.
Not only that, but breaches caused by insiders have increased by a staggering 47% in the last two years, with the average cost of a data breach caused by an insider reaching $11.45 million per breach in 2020.
Insider threats can be separated into three major categories based on their root cause: negligence, malice or gullibility.
The first category refers to employees who are careless in the way they handle sensitive data and can unintentionally leave it exposed or vulnerable to a breach. The second concerns disgruntled insiders who might attempt to steal data to sell it or make it public, or take data with them when they move on to their next place of employment. The last category refers to employees who can be easily manipulated by malicious outsiders, inadvertently granting them access to a company network or work computer.
When it comes to insiders, however, companies cannot apply the same strategies as they do to external threats, as employees need access to the company network and sensitive data to perform their daily tasks. What can organizations then do to address these insider threats? Here are four important steps to take.
1. Educate employees
The cornerstone of any good data security strategy is educating employees. In many cases, they are unaware of the laws or regulatory requirements related to their work or the steps they need to take at all times to ensure the security of data on work devices.
Training can be especially effective in the case of phishing and social engineering attacks. Once employees know how to identify malicious emails targeting them and their credentials, and how to handle and report them, they are better prepared in the event of an actual attack.
2. Monitor sensitive data
Data monitoring is an easy way for companies to understand vulnerabilities in their data flow or to check whether their security policies are being applied effectively. This can be done through data-centric security solutions such as Data Loss Prevention (DLP) tools.
DLP solutions allow companies to monitor and control sensitive data through predefined and customizable policies. Through them, organizations can easily track the movements of sensitive data across the company network. They can discover data exit points or employees that may be bypassing security policies to simplify their tasks.
Monitoring can also help companies with employee training. By identifying frequent mistake patterns, organizations can build efficient training exercises focused on known risks. Monitoring can also highlight which employees require further training and which do not, allowing companies to prioritize education for the right people and save money.
3. Control sensitive data
The term "human error" gives a wrong impression of what employee negligence really means. It is easy to imagine someone sending an email to the wrong person or uploading a document to a public-facing website by mistake. However, human error covers not only accidents, but also employees using unauthorized services and applications as they discharge their duties. These services can include popular messaging applications, file sharing websites, cloud services or virtual coworking spaces.
Companies, after all, do not normally know exactly what services each employee uses to perform their tasks. There are ways to restrict the websites employees can access and the software they can install and use, but there is a risk of failing to identify them all and hurting employee productivity in the process.
One way to address these insider threats is to apply security policies directly to sensitive data. This can be done through DLP solutions like Endpoint Protector that not only monitor, but can also control how sensitive data is transferred and used by employees. In this way, companies can prevent sensitive data from being accidentally or intentionally transferred through potentially vulnerable third-party services.
4. Protect data on the move
The moment a device leaves the security of the company network, the data on it becomes vulnerable to theft or loss. This is true not only for computers, but also for removable devices such as USBs, onto which sensitive data may have been copied. Encryption is an effective tool in case of theft. When a device is stolen, if the hard drive or the sensitive content on it is encrypted, the data is useless without a decryption key.
Companies must also ensure that any security policies applied to a device in the office are still active when it is taken out of the office. This is especially important in the case of remote work, where companies cannot control the security of a home environment and unauthorized individuals can access work devices. For both compliance and security reasons, data protection must be continuous whether a device is in the office or at home, logged into the company network or not connected to the internet at all.