When knowledge is the best defense
Cyber security education with data loss prevention technologies can help stop the insider threat
There was a time when the average CSO’s top priority was to build a fortified wall around the company network. Lock hackers out, hold data in. Patch and reinforce continuously to keep systems, users, and IP safe.
Not anymore. In today’s security environment some of the most pernicious cyber threats are already inside the perimeter fence.
Hear ‘insider threat’ and you might assume we’re talking about rogue employees: cyber moles motivated by greed, malice or revenge to steal sensitive information, sabotage IT systems, or corrupt important data. But just as worrying is the damage done by employees unintentionally – through acts of simple negligence or careless error.
The Ponemon Institute estimates that data security breaches caused by insiders can cost the average business as much as $8.7 million per year. With the threat growing in both scale and complexity, it’s no surprise that more and more businesses are looking to their own people as a way to better protect systems and data.
The danger within
While Snowden-level events tend to drive discussion around insider threats, breaches enabled by negligent employees and suppliers actually pose the more persistent risk. With their access to systems and facilities, insiders have the power to steal IP, disrupt operations, damage reputation, and expose sensitive information to third parties.
Managing cybersecurity’s human element is a significant challenge. People make mistakes. One department can detect odd behavior on the network and fail to inform others. The number of ways data exfiltration can occur is expanding, and that multiplies the potential for both accidental and malicious breaches.
With the insider threat growing in both scale and complexity, it’s no surprise that more and more organizations are looking to create a culture of cybersecurity at work. Re-thinking how security training programs are structured and delivered has to be a cornerstone of that effort.
What can be done?
The first step to addressing insider threats is to evaluate how switched-on current employees are to cyber risks, and understand where the gaps are.
The next is to obtain staff buy-in for new policies that encourage risk-aware behavior, through a program of positive training and coaching. Better training is key to tackling both the intentional and unintentional types of insider threat: it makes staff aware of their own actions and sensitizes them to signals indicating adverse behavior in others.
To be effective, however, any training program has to take into account the diversity of human motivations. That can start by classifying the main categories of insider threat.
Insider threat categories:
- First are criminal acts by malicious insiders who steal data or commit other destructive acts for personal gain or financial reward. A Gartner study found that more than 60 percent of criminal insiders saw the activity as a kind of ‘side hustle’ to supplement their income.
- Next are breaches caused by negligence. These are the most common, and also the most difficult to catch. Employees appear to behave securely and to follow company policy, but accidentally cause a breach. This could include clicking a phishing link, or keeping proprietary data on insecure personal devices.
- The third type of insider threat is the disgruntled employee who seeks to steal sensitive information, damage systems, or corrupt data. The Gartner study found that, on average, 30 percent of employees took competitive information when leaving one job to start another.
- Finally, there are the non-responders to security training, a small but meaningful percentage of the workforce. While these employees may not exhibit negative behaviors, they are a serious concern as they can fall into consistent patterns of negligence.
Creating a culture of security awareness
To minimize the impact of insider threats, employees have to be aware of the behaviors that indicate a breach, but also know exactly what kinds of data are sensitive and who should have access to them. Simply putting employees through a classroom course, having them sign a form, then calling the task complete yields very little of value.
Training has to be fortified with knowledge and systems that reinforce the value of company and customer information as part of an employee’s daily duties. While staff training can help minimize accidental or negligent breaches, for the disgruntled or malicious insider, organizations should consider the added measure of security solutions like content-aware discovery, which uses proprietary machine learning and artificial intelligence tools to accurately find, categorize and protect sensitive data based on corporate policy.
That can be backed up with data loss prevention (DLP) technologies that recognize when valuable data assets are being transmitted out of the organization, whether via email, the network, cloud or endpoints – even getting around attempts to hide sensitive files inside other file formats.
Harvard Business Review has said creating a culture of security awareness is the best cyber security investment a business can make.
With the frequency of insider incidents on the rise, training and new technologies designed to address insider threats have to be the foundation of security awareness programs. Embedding personal cyber sensitivity in staff and suppliers will go a long way to mitigating and containing incidents.
Would you like to know more about DLP solutions from GTB? Why not get in touch with us today?