As IT pros, we’ve been aware for quite some time that some users are a threat to security, whether by their use of shadow IT, their susceptibility to social engineering attacks from cybercriminals, or by using their employee role and access permissions to compromise data security.
In security terms, we call them ‘insider threats’ and they are much more difficult to defend against than remote attackers. Just ask the NSA, where contractors are hired to aid global surveillance programs and later leak details of them to the public via prominent newspapers.
In fact, Snowden and other whistle-blowers prompted NATO to analyze the problem, producing their Insider Threat Detection Study in 2018. It's an interesting 59 pages demonstrating the problem from a national cyber defense perspective. However, it’s only of partial benefit to those seeking to solve corporate insider threats. Other studies focus on this area.
One, which didn’t bring me to an annoying landing page where I must complete a form to access the report/survey, is Egress Software Technologies’ Insider Data Breach Survey 2019. It was carried out by an independent research company and included responses from a combo of more than 4,000 U.S. and UK-based IT leaders and employees. Key findings indicated that 95% of IT leaders admit that insider threats are a concern. On the employee side, 60% don’t believe the organization has exclusive ownership of data, 32% have no qualms about taking company information to a new job, and 29% believe they have ownership of data they work on.
Another study, BetterCloud’s State of Insider Threats in the Digital Workplace 2019, follows a similar trend, with survey data from 500 IT pros and more than 2,000 of BetterCloud's customers. 91% felt vulnerable to insider threats with top concerns being confidential business information (40%) followed by exposure of customer data (30%) and exposure of employee data (13%). 17% of those surveyed worried about exposure of intellectual property.
Therefore, we can conclude that protecting against remote attackers is only part of the security strategy. We must also protect against insiders who could steal data, secure in the knowledge that they are already on the network.
How can you protect your organization from employee data theft? What about trust, personal privacy, employee relations and human resources policies? Well, trust only goes so far, in my opinion, and since I trust very few people, I’d recommend the same approach.
Motivations And Schedule Of A Data Thief
In my opinion, data thieves can be broken down into several categories, including but not limited to:
1. The Clueless
You know the type. They take up more support time than the rest of the office put together, clicking on every link and falling victim to every phishing attack. They are not malicious per se but seem to lack even the most basic security awareness. These are the same people who send attachments to the wrong recipients, disclosing profit margins and cost markups to clients, for example. They have no problem sharing company docs on public services or via chat and social media.
2. The Entrepreneur
These employees are planning to move to another company or start their own company. They generally start gathering company data in the time leading up to their resignation or during their notice period. On some occasions, in cases where IT fails to revoke all access permissions, they will continue to gather data using their still-active credentials after leaving the company. Customer lists, document templates, manuals, policies and procedures are all fair game and a timesaver in a new company.
3. The Criminal
Motivated solely by financial gain, these users gather data to sell elsewhere.
4. The Disrupter
Motivated by revenge or malicious intent, such users delete or remove important data to disrupt operations. IT pros, if involved, often belong to this category as they have the permissions to cause some real damage before moving on.
5. The Crusader
Such users use company data to right a perceived wrong, whether it relates to hiring policies, health and safety or any other official documentation.
6. The Legal Expert
These users believe they have some claim on the work they produce in the workplace. Unfortunately for them, copyright law does not apply to projects completed at work and on company equipment.
Who Do You Trust?
The short answer is … no one. Even IT should never be controlled by one person, especially if that person leaves without providing all the necessary admin passwords for everything. In practice, it’s not that IT staff are more trustworthy than anyone else; IT is generally a progressive career and being part of a deliberate insider breach is unlikely to lead to future gainful employment.
We live for puzzles, tracking down unusual activity and plugging security holes. Liberating data would just be too easy… Just don’t annoy us or we could cause some real damage. The only answer is to monitor employee activity, all employee activity, including IT.
The Threats and Possible Solutions
Consider the many ways we can share data in a digital workplace, how we can transfer between devices, take photos with smartphones, transfer to any number of cloud services, email, chat, VoIP and multiple storage options. You could FTP to your own site or upload to a free blog service for later retrieval. The options are practically endless, making data protection from insider threats very difficult. Current security practices often focus on external threats, with little emphasis on the activities of internal users. This flaw is now receiving more attention.
To protect your organization, consider all of the following solutions, each of which will reduce the risk of insider threats:
1. Data Governance Policies
Companies must define their data governance policies and include their requirements in employee handbooks, as part of the hiring process. While privacy laws may vary by jurisdiction, your policies must include your expectation for data security, specifying exactly what is and isn’t permitted.
2. Anonymous Tip Line
Consider an anonymous tip line where employees can report suspicious user activity.
3. Prevent Local Downloads
Block any system ports (USB, SD card readers etc.) that could be used to transfer data to external devices.
4. Screen Recording Software
Consider using such software to capture user activity. Many will run without the user’s knowledge but some jurisdictions require disclosure under privacy regulations. Such disclosure can in itself act as a deterrent.
5. BYOD
A dirty acronym to say the least, introducing unnecessary risk that far outweighs the cost of company-owned devices. BYOD has its advocates but I see it as favoring companies. AND company-issued phones can be switched off when the working day ends…
6. Cloud and Social Media
Consider creating a whitelist for allowed sites to prevent unauthorized transfer.
7. Thin Clients and Virtual Desktops
Consider using thin clients or virtual desktops to prevent local system storage of data. Such a system means data can be accessed from any terminal, simplifying network rollout for new employees.
8. Free Email Services
Block all free email services.
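The site whitelist and the free-email block described above are both egress policy decisions, and they are easiest to reason about as one function that a proxy or proxy-log review can apply. The example below is added for this post and is not the author’s code or any vendor’s product: it evaluates constructed proxy log lines against an allowlist of business sites (everything else denied) and, for a looser policy, against a blocklist of consumer webmail domains. Every domain (`example-corp.com`, `webmail.example` and so on) and every log line is a constructed placeholder. Host matching is by domain suffix, so `cdn.example-corp.com` matches an allowed `example-corp.com` but the lookalike `example-corp.com.lookalike.test` does not; hostnames are normalized for case and port before matching.

```python
"""Egress policy check for web proxy requests (added example, constructed data)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed allowlist of business sites (assumption: maintained by IT)
ALLOWED_SITES = {"example-corp.com", "crm.example-vendor.net"}
# Constructed blocklist of free email providers; ".example" is a reserved TLD
FREE_EMAIL_DOMAINS = {"freemail.example", "webmail.example"}

# Constructed proxy log: timestamp user method url bytes_sent
PROXY_LOG = """\
2024-03-07T17:51:02 bob POST https://webmail.example/upload 52428800
2024-03-07T09:10:44 alice GET https://crm.example-vendor.net/accounts 2048
2024-03-07T09:12:01 alice GET https://cdn.example-corp.com/logo.png 4096
2024-03-07T12:30:15 carol POST https://paste.example.org/new 102400
2024-03-07T12:31:00 carol GET https://example-corp.com.lookalike.test/ 512
2024-03-07T13:00:00 dave GET https://EXAMPLE-CORP.COM:8443/portal 1024
"""


def host_of(url):
    """Normalized hostname of a URL (lowercase, no port, no trailing dot), or None."""
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one.
    Suffix matching on '.' + domain prevents 'corp.com.lookalike.test'
    from matching 'corp.com'."""
    return any(host == d or host.endswith("." + d) for d in domains)


def decide(url, mode="allowlist"):
    """Return (decision, reason) for a request URL under the chosen policy mode."""
    host = host_of(url)
    if host is None:
        return ("deny", "unparseable host")
    if mode == "allowlist":
        if matches(host, ALLOWED_SITES):
            return ("allow", host)
        return ("deny", "not on allowlist")
    # blocklist mode: permissive browsing, but no consumer webmail
    if matches(host, FREE_EMAIL_DOMAINS):
        return ("deny", "free email service")
    return ("allow", host)


def evaluate_log(text, mode="allowlist"):
    """Apply decide() to every log line; yields (user, method, url, decision, reason, bytes)."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, user, method, url, size = line.split()
        decision, reason = decide(url, mode)
        results.append((user, method, url, decision, reason, int(size)))
    return results


def denied_upload_bytes(text, mode="allowlist"):
    """Bytes each user tried to POST to hosts the policy denies:
    the number an analyst would look at first when reviewing the log."""
    totals = defaultdict(int)
    for user, method, _url, decision, _reason, size in evaluate_log(text, mode):
        if method == "POST" and decision == "deny":
            totals[user] += size
    return dict(totals)


if __name__ == "__main__":
    for row in evaluate_log(PROXY_LOG):
        print(row)
    print("denied upload bytes per user:", denied_upload_bytes(PROXY_LOG))
```

Running the block as a script prints each request with its decision under the allowlist policy, then the per-user volume of denied uploads; switching `mode="blocklist"` shows how much the looser policy lets through (in the constructed log, carol’s paste-site upload goes unblocked).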
9. Personal Devices
In addition to BYOD, mentioned earlier, all personal devices should be prohibited in the workplace. This includes memory sticks and all forms of external storage, cameras and dictation devices. A photo of a document can easily be reconstructed using OCR technology, for example.
The Harsh Reality
Protecting against insider threats is a difficult task but software can perform much of the work, leveraging a variety of techniques, such as continuous adaptive risk and trust assessment (CARTA) or user and entity behavior analytics (UEBA). Or you can opt for employee monitoring software.
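To make the UEBA idea concrete, and to tie it back to the Entrepreneur profile above (bulk gathering just before resignation, and access continuing after leaving because permissions were never revoked), here is an added example that is not the author’s code or any product’s analytics engine. It runs three checks over a constructed file-server audit log: a per-user baseline of daily read volume flagging days that are far above that user’s own other days, a simple off-hours rule, and a reconciliation against a constructed HR leaver feed (the assumption being that HR can export last working days to IT). The user names, timestamps, volumes and the `LEAVERS` table are all constructed sample data.

```python
"""Baseline-style insider threat checks over a file-server audit log
(added example with constructed data, not the author's or a vendor's code)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MB = 1024 * 1024

# Constructed audit records: (ISO timestamp, user, action, bytes transferred)
AUDIT_LOG = [
    ("2024-03-03T09:15:00", "alice", "READ", 9 * MB),
    ("2024-03-04T10:02:00", "alice", "READ", 11 * MB),
    ("2024-03-05T11:40:00", "alice", "READ", 10 * MB),
    ("2024-03-06T09:05:00", "alice", "READ", 12 * MB),
    ("2024-03-07T14:20:00", "alice", "READ", 10 * MB),
    ("2024-03-03T09:30:00", "bob", "READ", 10 * MB),
    ("2024-03-04T09:31:00", "bob", "READ", 10 * MB),
    ("2024-03-05T09:28:00", "bob", "READ", 10 * MB),
    ("2024-03-06T09:35:00", "bob", "READ", 10 * MB),
    ("2024-03-07T17:50:00", "bob", "READ", 500 * MB),   # bulk copy on last full day
    ("2024-03-09T08:10:00", "bob", "READ", 5 * MB),     # day after termination
    ("2024-03-05T02:13:00", "carol", "READ", 2 * MB),   # 2am access
    ("2024-03-05T12:00:00", "carol", "WRITE", 1 * MB),
]

# Constructed HR feed: user -> last working day (assumption: HR exports this to IT)
LEAVERS = {"bob": "2024-03-08"}

BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 counts as normal


def daily_read_volume(records):
    """Total bytes read per user per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, user, action, size in records:
        if action == "READ":
            totals[user][ts[:10]] += size
    return totals


def bulk_read_findings(records, z_threshold=3.0, min_days=3):
    """Days where a user's read volume sits z_threshold standard deviations
    above the baseline formed by that user's *other* days (leave-one-out)."""
    findings = []
    for user, days in daily_read_volume(records).items():
        if len(days) <= min_days:
            continue   # too little history to form a baseline
        for day, volume in days.items():
            others = [v for d, v in days.items() if d != day]
            mu, sigma = mean(others), pstdev(others)
            if sigma == 0:
                anomalous = volume > mu   # flat baseline: any increase stands out
            else:
                anomalous = (volume - mu) / sigma > z_threshold
            if anomalous:
                findings.append((user, day, "bulk_read", volume // MB))
    return findings


def off_hours_findings(records):
    """Any read outside BUSINESS_HOURS."""
    return [
        (user, ts[:10], "off_hours", datetime.fromisoformat(ts).hour)
        for ts, user, action, _ in records
        if action == "READ" and datetime.fromisoformat(ts).hour not in BUSINESS_HOURS
    ]


def revoked_account_findings(records, leavers):
    """Activity by an account after its HR termination date:
    evidence that offboarding did not revoke access."""
    return [
        (user, ts[:10], "post_termination", action)
        for ts, user, action, _ in records
        if user in leavers and ts[:10] > leavers[user]
    ]


def run_all(records=AUDIT_LOG, leavers=LEAVERS):
    """Collect every finding, sorted for stable output."""
    return sorted(
        bulk_read_findings(records)
        + off_hours_findings(records)
        + revoked_account_findings(records, leavers)
    )


if __name__ == "__main__":
    for finding in run_all():
        print(finding)
```

The baseline is per user rather than global on purpose: a finance analyst who reads 200 MB every day is normal for that role, while the same volume from someone whose history is 10 MB a day is the signal. The leave-one-out comparison also keeps the anomalous day itself from inflating the baseline it is judged against, and the `sigma == 0` branch handles the perfectly regular user whose first deviation would otherwise divide by zero.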
A lot will depend on your budget and the level of control you wish to have over user behavior. It’s certainly best not to blindly trust all employees but excessive monitoring can create employee resentment and impact productivity. Comparisons to Nazi Germany and Orwell’s 1984 could be made by argumentative employees, for example.
In conclusion, finding a balance is key. It’s certainly true that insider threats are possible and it’s best to protect the company. How you do it is your choice. Outline all data security expectations in advance and ensure that ALL employees are subject to the same conditions to avoid a class struggle between the drones and enlightened super beings we call management.
It’s a given that companies can install any monitoring solutions they wish on their own equipment and employees that think otherwise are dreaming. What do you think? How will you prevent employee data theft? Will you put practical solutions in place or introduce daily cavity searches and a fleet of drones to track employees’ activity when they leave the premises?