Most companies have already hunkered down to prevent hackers from stealing proprietary data. Their security teams have almost certainly installed powerful firewalls. Some companies may have acquired robust security systems to protect themselves against ransomware, the malicious code that cyber criminals use to encrypt your data and hold it hostage until you pay a hefty ransom.
The trouble is, there’s a far greater threat to your company’s data from people inside your organization.
“In general, the greatest data security risk is posed to organizations by insiders,” Joseph Steinberg, an entrepreneur and cybersecurity authority, wrote in a Digital Guardian blog post. “If they want to steal it or leak it, they can usually do so with far greater ease than outsiders.” As Steinberg notes, insiders “have access to sensitive information on a regular basis, and may know how that information is protected.”
Some breaches and leaks by insiders are done with malicious intent—for personal gain or to satisfy a grudge. But research suggests that most of these insider incidents—87 percent, by one estimate—are caused by human error. This might include carelessly attaching the wrong file to a message or e-mail, misplacing a USB drive or a laptop, or sharing a file (via e-mail or social media) with the wrong people. Unfamiliarity with company security rules is at the root of threats to data in 82 percent of cases. And just as calamitous, if unintentional, is clicking on malware by mistake through phishing or some other attempts to penetrate a company’s system.
Our own research reveals that each year, the average organization has nearly four incidents of insider leakage—that is, some kind of unauthorized transfer of data outside a company’s IT system. Those leaks are expensive. According to another recent study by Ponemon Institute, insiders cost the average organization $16.3 million a year—12 times as much as the damage caused by outsiders.
So, how does your company defend itself from insider leaks?
A firewall, as I’ve noted above, may stop a lot of hackers from getting inside. But suppose it’s calibrated to let outbound e-mails get through? It does nothing to prevent an insider with the right authentication credentials from tapping into sensitive, confidential company data and passing it to others on the outside.
Training employees about cyber security and the rules (and potential punishments) of access and handling of data can cut down on unauthorized use by insiders. Those who unintentionally commit breaches and leaks can learn how to recognize and avoid phishing and other nefarious means by which outsiders trick their way inside. Even employees with malicious intent may be deterred through education, if they know they will be prosecuted for leaking data.
Segmenting information is another necessary precaution. Not everyone in your organization needs access to all data files. You can minimize leakage by insiders by strictly both data and network access according to a strict, need-to-know basis.
Now suppose you could curtail data leaks from insiders by anticipating illicit actions? Such tools now exist. As cybersecurity expert, author and speaker Derek A. Smith, CISSP, discussed in a recent whitepaper, How UEBA Reduces the Threat of Insider Data Leakage, user and entity behavior analytics (UEBA) follow a well-documented principle from psychology that a person’s behavior and language patterns present a clear window on what he or she is really thinking. The software actively profiles every user in an organization and, by comparing real-time behavior and linguistic patterns with an already-established baseline, it looks for anomalies that suggest unwarranted or illegitimate activities.
“If an employee becomes disgruntled at being passed over for a promotion or begins to chafe under the new department manager’s leadership style,” Smith wrote, “That negative frame of mind will be evident in quantifiable changes in the language used in emails and instant messages.”
That person almost invariably gives himself away in linguistic patterns that differ from the normal tenor and tone of his communication. In another instance, an individual who plans to leak data may suddenly change her normal schedule, arriving unusually early or staying atypically late—a change in behavior picked up by UEBA. Perhaps a disgruntled employee will avenge himself by putting your valuable, private data at risk.
Coupling UEBA with user activity monitoring (UAM) can help pinpoint and shut down insider threats. UAM software provides an unobtrusive way to keep an eye on employees’ activities real-time, without interrupting their work. You can see, for example, if someone is downloading data he doesn’t normally use or is simultaneously logging onto your company’s IT system from two or distinct locations. When an action puts an organization’s data in peril, a UAM system can notify designated response teams to inform the user of the inappropriate action. Working together, UEBA and UAM enable a company to:
- Analyze an employee’s actions and patterns of behavior;
- Detect whether anomalous behavior pose an actual threat;
- Prioritize its reactions to the incident; and
- Respond in the most appropriate ways.
As long as organizations have employees, there will always be threats from within, from both well-intentioned and rogue individuals. The best way to squelch data leaks is to recognize the signs—and stop them before they happen.
Stephen Voorhees is a CISSP and Senior Sales Engineer at Veriato, which provides user and entity behavior analytics and user activity monitoring software.
