The insider threat to information security and privacy has gained international attention in light of the National Security Agency data leak, in which former government contractor Edward Snowden shared information about the NSA's PRISM program with news media. The ethical implications of Snowden's actions (and of the NSA's program itself) are still under debate, but one thing has been made quite clear: even users with authorized access can create risk. It is also worth noting that organizations like the NSA are not the only ones exposed to this issue. Companies of all sizes hold data that must be protected from theft, loss and other disasters, which makes it essential to rethink IT strategy from a more comprehensive risk perspective.
How big is the insider threat?
First, it's important to understand that addressing the insider threat is not just about guarding against malicious activity. Not every employee wants to steal corporate information for profit. However, even users with the best intentions can inadvertently mishandle or lose sensitive data. For example, 62 percent of respondents in a Symantec survey believed it is acceptable to transfer business documents to their personal devices, and the majority of those never delete that data. Furthermore, 40 percent said they planned to use confidential data after leaving their employer.
"Companies cannot focus their defenses solely on external attackers and malicious insiders who plan to sell stolen IP for monetary gain," said Lawrence Bruhmuller, vice president of engineering and product management at Symantec. "The everyday employee, who takes confidential corporate data without a second thought because he doesn't understand it's wrong, can be just as damaging to an organization."
Symantec's data suggests that much of the insider threat stems from a poor understanding of best practices and of what is acceptable. This highlights the need for more effective policies that guide employees' behavior in regard to how business data is handled. A recent Dark Reading article by Assero Security CEO Doug Landoll highlighted two areas in particular that SMBs could focus on to help prevent insider data breaches: data classification and acceptable use policies.
"SMB insiders can reveal confidential information, subvert security controls, and introduce malicious code into the network, but these misbehaving employees are not always malicious, and their behavior is not always illegal," Landoll wrote. "Therefore, it is important to implement appropriate security policies to guide the well-meaning employee away from dangerous behavior and to formally document unacceptable behaviors in which sanctions may be applied for those intentionally damaging the company."
It may seem obvious, but the first step in protecting valuable information is understanding just how sensitive that data is. Data classification involves defining a small number of categories and then assigning information to tiers based on sensitivity. For example, an organization may decide that payment card data and Social Security numbers are "highly sensitive" and give information in that category the highest level of protection. As Landoll noted, a data classification scheme should include policies for identification and labeling, transmission, processing and storage.
Once a strategy for categorizing data has been created, employees must understand how to handle information in each tier. For example, a business may decide that only data in the lowest-risk tier can be stored on personal devices. In addition to communicating policies when they are first created, companies must have a strategy for telling employees when policies change. Landoll outlined four items that acceptable use policies should cover: prohibited items, prohibited behaviors, expected behaviors and notifications.
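As an added example of how a tiered classification scheme and its handling rules can be made mechanical (this is example code written for this page, not code from the article, Landoll, Symantec or any vendor), the Python below labels a document with a tier and then decides whether a requested action, such as copying it to a personal device, is permitted. The tier names, the uppercase document labels, the handling policy table and the sample documents are all hypothetical choices made for the example. Payment card numbers are confirmed with a Luhn check and SSN-shaped strings are filtered against ranges the SSA never issues, so that random digit runs do not inflate the "highly sensitive" tier; content that matches a detector always overrides a weaker label, and unlabeled documents default to "internal" rather than "public".

```python
import re

# Added example (not from the article or from any vendor): a small classifier
# for a tiered data classification scheme plus the handling rule that only the
# lowest tier may be stored on a personal device. Tier names, labels, the
# policy table and the sample documents are hypothetical choices for this example.

# Tiers ordered from least to most sensitive.
TIERS = ["public", "internal", "confidential", "highly_sensitive"]

# Handling policy: for each action, the most sensitive tier still permitted.
HANDLING_POLICY = {
    "store_on_personal_device": "public",            # only the lowest tier
    "email_outside_company": "internal",
    "store_on_corporate_file_server": "highly_sensitive",
}

# Explicit labels applied under the scheme (upper case only, so that ordinary
# words such as "public relations" are not read as labels).
LABEL_RE = re.compile(r"\b(PUBLIC|INTERNAL|CONFIDENTIAL)\b")
# 13-19 digits with optional single space/dash separators; Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which weeds out most random digit runs that look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Card-shaped digit runs that also pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list:
    """SSN-shaped strings, minus values the SSA never issues."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        # area is zero-padded to 3 digits, so string comparison is numeric here
        if area in ("000", "666") or area >= "900":
            continue
        if group == "00" or serial == "0000":
            continue
        hits.append(m.group())
    return hits


def classify(text: str) -> str:
    """Tier = explicit label (default 'internal'), raised to 'highly_sensitive'
    when payment card or SSN content is found, whatever the label says."""
    label = LABEL_RE.search(text)
    tier = label.group(1).lower() if label else "internal"
    if find_card_numbers(text) or find_ssns(text):
        tier = "highly_sensitive"
    return tier


def is_allowed(action: str, tier: str) -> bool:
    """True when the tier is no more sensitive than the policy permits for the action."""
    return TIERS.index(tier) <= TIERS.index(HANDLING_POLICY[action])


def check_transfer(text: str, action: str):
    """Classify a document and decide whether the requested handling is permitted."""
    tier = classify(text)
    return tier, is_allowed(action, tier)


# Constructed sample documents for the demo (not real data).
SAMPLE_DOCS = {
    "press_release": "PUBLIC: Acme opens a new office next quarter.",
    "meeting_notes": "Notes from Tuesday's project sync.",
    "card_on_file": "Customer card 4111 1111 1111 1111 exp 12/26",
    "order_ref": "Order ref 1234 5678 9012 3456 shipped",   # fails Luhn
    "hr_record": "CONFIDENTIAL employee record, SSN 219-09-9999",
}

if __name__ == "__main__":
    for name, doc in SAMPLE_DOCS.items():
        tier, ok = check_transfer(doc, "store_on_personal_device")
        print(f"{name:14} tier={tier:17} personal device: {'allowed' if ok else 'BLOCKED'}")
```

Running the block shows only the PUBLIC press release cleared for a personal device; the unlabeled meeting notes land in "internal" and are blocked, and the order reference with a card-shaped but Luhn-invalid number is not escalated. A real deployment would pair detectors like these with the labeling step of the scheme so that documents carry their tier explicitly rather than being re-scanned at every transfer.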
Security, compliance and risk, oh my!
The problem that many SMBs face is that IT security is interconnected with multiple disciplines. Small teams may have expertise in one area while lacking it in another. It is therefore likely to be beneficial to form a comprehensive IT Risk Management (ITRM) strategy that addresses information security, compliance and risk together. An effective risk management program has several components, including:
- An evaluation of current practices and technical solutions
- Development of an ITRM strategy that prioritizes risk based on urgency
- A corporate culture focused on awareness and accountability
- Continued evaluation to measure the effectiveness of the organization's ITRM practices
The point about corporate culture is particularly important given the highly collaborative nature of business today. It may be tempting to take shortcuts with third-party contractors, since most contracting organizations have their own policies. However, it is essential that classification schemes and acceptable use policies be communicated to anyone working with corporate data, whether that person is an employee or works for a partner.
Organizations of all sizes can likely benefit from a more thorough and more frequent review of their existing IT risk management programs. Beyond evolving technology, new compliance mandates can make current policies outdated. Such reviews therefore need the multidisciplinary expertise required to assess compliance and security standing as well as how overall risk can be reduced.
To learn how MFT can support your IT security, enjoy our complimentary on-demand webinar below: