Best Practices for Safeguarding Sensitive Data from Malicious Insiders
The Australian Cyber Security Centre (CERT) responded to over 11,000 cybersecurity incidents in 2014. That’s more than 30 every day.
Although the cost of these data breaches varies, Australian organisations spent an average of $2.82 million AUD per data breach. That’s no small sum and is enough to put many SMBs out of business for good.
But here’s the scary thing. The majority of these attacks don’t come from heinous cyber attackers outside of a company. 60 percent are actually carried out from within. So in many cases, it’s the people you know and trust who are your biggest threats.
To say that this is a little disconcerting would be an understatement. But it’s nonetheless a fact that you should accept and adapt to.
With that being said, here’s how to create a viable strategy to safeguard your organisation’s sensitive data from malicious insiders.
Types of Insider Threats
Tripwire explains that malicious insiders typically fall into one of three categories.
- Privileged users – Individuals within your company whom you trust and have daily access to sensitive data.
- Third parties – This can include subcontractors, third-party vendors and even remote employees. They tend to have less access than privileged users but can still do damage.
- Terminated employees – They have taken in depth knowledge of your company with them and may still be able to gain access to key data.
It’s also helpful to understand the why behind internal attacks? What is it that motivates people to perpetrate these crimes?
Of course the reasoning can vary, but there are four core motives you’ll see most frequently.
- Profit – There’s an opportunity to either steal and sell the information or use it for personal gain. Seldom is there elaborate planning involved, and it tends to be more of a spur of the moment act.
- Revenge – This is common for disgruntled employees or those who have been recently terminated. It’s simply a way to get back at your organisation for a perceived injustice.
- Espionage – Although far less common, employees may be bribed or even blackmailed by competitors to obtain sensitive information so the competitor can use it against you or gain an advantage in some way.
- Future competition – In this scenario, a current employee may seek to obtain sensitive information so that they can use it later on after starting their own business. This could include your client list, customer information, vendor contacts, etc.
To adequately protect your data, you need to implement measures that address all three types of insider threats, while taking these four potential motives into consideration. The following strategies should help you do just that.
Perform Background Checks
A simple first step is to learn as much as you can about the history of a potential hire before you bring them on board. You need to know that giving an individual access to sensitive information won’t come back to haunt you.
Luckily, this has never been easier. You can start with a basic Google search of an individual to see what pops up.Exploring their social media profiles can provide you with additional information that sheds light on their character.
It’s also smart to contact previous employers from their reference list. They will be able to provide you with firsthand accounts of any prior issues that could be deemed as red flags.
Or you could use a paid service like PeopleCheck where you hire experts to conduct a formal background check. This will look at things like police history, court checks, etc.
A background check is an absolute must for privileged users where accessing sensitive data is necessary for their daily duties. It should also be considered for lower ranking employees as well as subcontractors and even remote employees.
Although this can’t guarantee that a new hire is 100 percent trustworthy, it’s a great starting point and should help you eliminate any high-risk candidates.
Create Data-Oriented Policies
Data regulation is crucial for maintaining control of your internal assets. So the next step is to develop policies that govern data access and usage.
Here are some examples.
- Formally outline the files, applications, devices and so on that individuals can have access to based on their position. For instance, a senior manager may have nearly unrestricted access, while a remote employee may only have access to a handful of software platforms that are legitimately needed to perform their job.
- Establish guidelines on internal file sharing. Does your accounting team need to share a folder containing critical customer financial data with your entire staff?
- Highlight what type of information individuals are allowed to share externally.
- Create restrictions on devices where individuals aren’t allowed to take laptops, tablets and smartphones out of the workplace.
For a policy to be effective, it must be enforced. Therefore, employees should have a full understanding of the consequences for failing to comply.
A minor first-time infraction could mean a simple warning, while a major-infraction or repeat offence could result in termination. In some cases, you may even need to result to litigation.
Regardless of the specifics, your policies as well as penalties should be clearly outlined and made available to new hires as well as existing employees. They should be contained within your employee handbook, and new hires should be briefed on the details during onboarding.
Set Access Limitations
Mitigating your risk is all about minimising your attack surface. As Tripwire points out, the fewer privileged employees you have, the safer your data will be. So you’ll really want to be diligent about deciding who has access to what information.
Security architecture expert Chuck Davis recommends first classifying data into at least three levels which include:
- Restricted – This is the most sensitive and should only be given to individuals who absolutely must have it.
- Confidential – This is moderately sensitive data and therefore poses a moderate risk if compromised. You still need to exercise caution, but there’s a bit more wiggle room when deciding which individuals can have access to it.
- Public – There’s virtually no risk if this data is compromised, so tight control is probably unnecessary.
From there, you’ll want to set access limitations accordingly. As a rule of thumb, don’t give anyone access to any more information than they truly need.
When it comes to admin accounts, be extremely selective because these individuals are almost guaranteed to have access to restricted data.
Log/Record Network Activity
The SANS Institute writes that implementing solutions to prevent unauthorised access or changes can be costly and inefficient. Many organisations simply don’t have the capital or manpower for this to be viable.
However, many companies have found that using detective controls that log or record access attempts and mark changes that are made to sensitive data to be an effective deterrent.
While this won’t stop a malicious insider attack outright, it does tend to keep people honest and greatly reduces the likelihood of an issue occurring. When everyone knows that their actions are being logged and recorded, this can go a long way in stamping out wrongful behaviour.
The only catch is that you’ll need to assign someone to routinely review network activity. Otherwise, it’s futile.
Remove Access of Terminated Employees
You could argue that terminated employees have the strongest motive of all for doing harm to your organisation. You’re especially at risk if they’re disgruntled and feel that they have been wronged in any way.
Even if they went out on the best of terms, there’s still an inherent risk.Therefore, you’ll want to take every precaution to prevent an incident from occurring once they’re released.
So what can you do?
Protecting yourself revolves around a three-step process:
- Begin by removing access from every system and software they previously accessed.
- Change passwords on external sites.
- Collect any company devices they used that contain sensitive data such as tablets, USBs and access cards.
Ideally, this will be done just prior to an employee being given the news. If you wait until afterward, it can jeopardise security.
While this may seem a bit callous, it’s absolutely crucial for protecting your company’s data assets.
Stopping Inside Jobs in Their Tracks
Data breaches pose a serious threat for Australian businesses. When compared to eight other countries including the US, UK and Japan, the Ponemon Institute found that Australia experienced the highest number of breached records in 2013 at 34,249.
The organisations that are hit not only face steep costs (the average notification costs alone are $88,000 AUD) but a major blow to their reputation and brand equity.
And as research has discovered, the biggest threat is often lurking from within in the form of malicious insiders.
Although there is no be-all end-all strategy that will make your company impervious to attacks, implementing the steps listed here should cover all of the angles. As long as you stay committed and proactive, you should be able to thwart any would-be insider attacks from happening.
How concerned are you about the potential for an insider job within your organisation? Please share your thoughts: