How to Mitigate Insider Threats

What are the biggest data security threats to your organization? Are they known, unknown or based on conjecture? Before you dismiss this last option, know that all organizations at one point or another find themselves making security decisions based on inaccurate or unconfirmed assumptions.

For instance, recent media attention given to hacktivism and computer hacking in general would make any organization think that data breaches never occur another way. Unfortunately, this myth allows one of the biggest threats to your organization’s data to stay completely under the radar. The threat is insiders, aka your employees, contractors and trusted vendors.

Few organizations realize that insider threats continue to be among the largest sources of data breaches across all industries. According to Ponemon’s 2011 Cost of a Data Breach report, 39 percent of respondents who had experienced a breach indicated that it had been caused by a negligent insider, while 24 percent were attributed to system glitches, which could be either IT or business process failures, or both.

This stat alone should serve as a wake-up call to organizations everywhere. But, before you jump to any conclusions about how employees are interacting with your data, it’s important to get the facts straight. Consider the following top myths, truths and tips to mitigate insider threats at your organization.

1. Myth: The majority of internal data breaches are intentional.

Truth: Before images of plotting employees and conspiracies pop into your head, know that malicious intent is not the cause of the majority of insider breaches. In fact, more than 85 percent of internal breaches are the result of negligence, such as improper disposal of data or lost laptops.

Of the insider breaches that are publicly reported, those executed with malicious intent comprise only 15 percent.

Tactic: Negligence or error as a cause of breach occurs frequently because it is difficult for the organization to control. One of the best ways to mitigate this risk is through strong data privacy and security awareness training. Never assume that your employees come to the job with knowledge of data security. Ensure that training is frequent and reflects role-based access to data, explains legal obligations to protect information, and enjoys top-down commitment and real support from management. Apart from this, the organization’s IT department should also implement role-based access to data and stringent authentication measures, monitor employee access, and apply conventional means of protection such as encryption. Background screening will also help mitigate the risk from malicious insiders.

2. Myth: Insider threats are limited to the organization’s employees.

Truth: Insider threats also comprise contract workers, temps or employees working for third-party vendors. In fact, a recent Ponemon survey of IT practitioners found that third-party mistakes accounted for 32 percent of data breach incidents experienced in the past two years.

Tactic: Simply put, hold third parties to the same data security standards by which your organization must abide. Look beyond the contract details to ensure that they are actually following up on required data security steps. For instance, ensure vendors perform effective background checks and provide privacy and security awareness training programs for employees. Also, make sure you understand exactly how the vendor will use or process your sensitive information, particularly if they intend to share it with their subcontractors. If possible, perform an onsite review or audit.

3. Myth: Internal incidents are easier to resolve than external cyber attacks.

Truth: Malicious insider attacks take more time to resolve (45.5 days on average) than any other type of cyber attack and rank among the costliest cyber crimes, according to Ponemon Institute’s Second Annual Cost of Cyber Crime Study.

Tactic: Internal malicious threats can be difficult to identify and resolve. There are many ways for an employee to steal data that are not easily detectable, such as using legitimate access to sensitive information in order to exfiltrate it. When an employee is suspected of doing so, a thorough investigation is often required, which means thorough record-keeping of employee activity will be vital to determining what was accessed or stolen. It’s important for companies to be vigilant and monitor data traffic through log analysis and access management, and to keep track of mobile device or external storage media use. Of course, utilizing appropriate background screening to identify criminal backgrounds or falsified applicant information is an important first step.
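The log analysis and role-based access monitoring recommended in the tactics above can be sketched as follows. This is an added example, not part of the original article: the log format, user names, role entitlements and thresholds are all constructed assumptions. It flags access outside a role's entitlement, copies to removable media, and read volumes far above a user's own baseline, and it totals what a given user accessed for a later investigation.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed role entitlements (hypothetical; source them from your access-management system).
ROLE_ENTITLEMENTS = {"hr": {"personnel"}, "finance": {"billing"}, "support": {"tickets"}}
FIELDS = ("day", "user", "role", "data_class", "records", "dest")

# Constructed sample, not real data: day,user,role,data_class,records_read,destination
SAMPLE_LOG = """\
2024-03-01,asmith,hr,personnel,40,workstation
2024-03-01,bjones,finance,billing,20,workstation
2024-03-01,cvendor,support,tickets,10,workstation
2024-03-02,asmith,hr,personnel,35,workstation
2024-03-02,bjones,finance,billing,22,workstation
2024-03-03,asmith,hr,personnel,42,workstation
2024-03-03,bjones,finance,billing,25,workstation
2024-03-04,asmith,hr,personnel,38,workstation
2024-03-04,bjones,finance,personnel,15,workstation
2024-03-05,asmith,hr,personnel,900,removable-media
"""

def parse(text):
    rows = [dict(zip(FIELDS, line.split(","))) for line in text.strip().splitlines()]
    return [{**r, "records": int(r["records"])} for r in rows]

def review(rows, z=3.0, min_history=3):
    """Return (day, user, reason) findings, walking the log in date order."""
    history, findings = defaultdict(list), []
    for r in sorted(rows, key=lambda r: r["day"]):
        if r["data_class"] not in ROLE_ENTITLEMENTS.get(r["role"], set()):
            findings.append((r["day"], r["user"], "outside-role-access"))
        if r["dest"] == "removable-media":
            findings.append((r["day"], r["user"], "removable-media-copy"))
        past = history[r["user"]]
        # Floor the deviation at 1.0 so a very steady user is not flagged for tiny changes.
        spike = len(past) >= min_history and r["records"] > mean(past) + z * max(pstdev(past), 1.0)
        if spike:
            findings.append((r["day"], r["user"], "volume-spike"))
        else:
            past.append(r["records"])  # keep flagged days out of the baseline
    return findings

def accessed_by(rows, user):
    """Investigation aid: total records one user read, per data class."""
    totals = defaultdict(int)
    for r in rows:
        if r["user"] == user:
            totals[r["data_class"]] += r["records"]
    return dict(totals)
```

Calling `review(parse(SAMPLE_LOG))` returns the findings list, and `accessed_by` answers the "what was accessed" question only as far back as the retained logs reach.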

Alan Brill is senior managing director of Kroll Advisory Solutions. He consults with law firms and corporations on investigative issues relating to computers and digital technology, including the investigation of computer intrusions, Internet fraud, identity theft, misappropriation of intellectual property, cases of internal fraud, data theft, sabotage and computer security projects designed to prevent such events. He can be reached at [email protected].