The media is abuzz with coverage of the Facebook Whistleblower. If you think there are no lessons in it for your organization, think again. Before leaving Facebook, Frances Haugen copied thousands of confidential documents and shared them with regulators, members of Congress and the Wall Street Journal. You may not be worried about your company's ethics, but from an information security perspective the theft of other kinds of sensitive documents could be just as damaging to your organization if an employee downloaded them and shared them with the world: intellectual property (IP), M&A material, financials, customer information, legal documents, etc.
This type of security incident is known as an insider threat. It is caused by a user with authorized access to your systems (employees, contractors and guests) who negligently shares data with the wrong party, misuses it, maliciously steals it, or, as in Haugen's case, takes it for what they perceive to be the greater good. Here are five information security takeaways from the Facebook Whistleblower to help protect your organization from insider threats.
1. Unrestricted Insider Access Poses Serious Risks
Regardless of where you stand on the issue, Haugen's unfettered access to sensitive documents stored on the company network is what allowed her to find, download and leak them.
Yes, your employees need access to your systems and the data behind them to do their jobs, but they should not have unlimited access to your company documents. In a 60 Minutes interview Haugen said she was surprised at the volume and sensitivity of the data she was able to reach as a regular user, including documents intended for CEO Mark Zuckerberg himself.
This isn't an isolated incident. Remember Edward Snowden? He was able to download sensitive documents and hand them to journalists. While 63% of insider-related incidents are the result of negligence and simple human error, a hefty 23% involve criminal insiders. Motive aside, Tesla recently sued a former employee for allegedly stealing 26,000 confidential files in his first week and transferring them to his personal Dropbox account. IP theft is a very real problem for organizations, costing companies billions of dollars every year.
What these incidents underscore is the need for organizations to seriously look at their data access, usage and sharing practices and policies to combat insider threats, a problem compounded by the volume of remote and hybrid workers.
2. Key Data Access and Handling Questions You Should be Asking
Organizations need to assess what data an employee needs to access to do their job. But it doesn't stop there. They also need to determine what a user should be able to do with that data once they are granted access to it.
The key questions your IT and information security teams should be asking include:
- Who has access to sensitive company data? And should they?
- If they should, then what should they be able to do with it?
- Should they be able to edit it, or should access be read-only?
- Should they be able to print it? Save it? Copy and paste it?
- What about sharing or emailing it? With whom?
- How should documents be shared? Can they email an attachment or should you force them to share a link to a secure sharing site?
Once you’ve answered these questions you need to have a plan in place to enforce data handling policies. According to a study, organizations rely on user training (51%), information security governance programs (41%), user activity monitoring (36%), background checks (36%), and native OS security features (20%).
3. Proactive Information Security is Better than Reactive
While all these measures are important, you also need to look at proactive measures that prevent data loss, mistakes and misuse in the first place.
Solving the problems posed by insider threats requires a different information security approach altogether. Traditional information security focuses predominantly on outside threats such as hackers or unauthorized access, and as we have seen that is no longer enough. SIEMs, SOARs and similar tools are reactive: they analyze the actions of an attacker after the fact rather than protecting the data itself, so they do nothing to prevent the initial loss. Re-purposing tools built to detect threats from outside does not deliver the proactive data security needed against threats that come from inside, and insider activity is harder and slower to detect even with all of these tools in place. Extending zero trust to information security provides a solution.
4. Consider Zero Trust Information Security
A data-centric, policy-based approach built on 'Zero Trust' is a far more effective way to ensure data is accessed only by authorized insiders and remains secure. This modern approach does not automatically trust any user, inside or outside your perimeter. Instead, anyone trying to connect to a system, application or individual data file must be verified before access is granted.
This zero trust approach can be extended to data using attribute-based access control (ABAC), a data-centric security model that evaluates attributes (characteristics of the data, the environment and the user) rather than user roles alone to determine access. It assesses each file's attributes, including its security classification and permissions, together with user attributes such as security clearance and environmental attributes such as time of day, location and device, to determine who can access a file and whether they can also edit, download or share it.
This gives organizations granular control over access to information: security is adjusted in real time, and the decision on whether the user gets the requested information is made from all of these parameters at that moment. If the user's scenario does not match policy, or appears suspicious, access is denied or a restricted view of the data is provided. For example, if a user is trying to access a sensitive file they own, but it is outside business hours and they are on a BYOD device at home, file access will be denied.
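To make the ABAC decision above concrete, and to show how the "what should they be able to do with it" questions from section 2 turn into enforceable rules, here is a small policy evaluator. It is example code added for this page, not NC Protect's product, Microsoft 365 functionality or any real ABAC engine; the classification and clearance labels, the business-hours window, the rule set, the file paths and the users are all assumptions chosen to match the scenarios described in the text.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet

# Ordered sensitivity labels and clearance levels (assumed for this example,
# not a standard taxonomy). Higher number = more sensitive / more trusted.
CLASSIFICATION = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
CLEARANCE = {"guest": 0, "staff": 1, "manager": 2, "executive": 3}
ALL_ACTIONS: FrozenSet[str] = frozenset({"view", "edit", "download", "print", "share"})

# Constructed sample timestamps: 2021-10-09 is a Saturday, 2021-10-05 a Tuesday.
SATURDAY_NIGHT = datetime(2021, 10, 9, 22, 0)
TUESDAY_MORNING = datetime(2021, 10, 5, 10, 0)


@dataclass(frozen=True)
class Resource:            # file attributes
    path: str
    classification: str
    owner: str


@dataclass(frozen=True)
class Subject:             # user attributes
    user: str
    clearance: str


@dataclass(frozen=True)
class Environment:         # request-time attributes
    when: datetime
    location: str          # "office" or "remote"
    device: str            # "managed" or "byod"


@dataclass(frozen=True)
class Decision:
    effect: str            # "permit", "restricted" or "deny"
    actions: FrozenSet[str]  # actions allowed for this request
    reason: str


def in_business_hours(when: datetime) -> bool:
    """Assumed policy window: Monday-Friday, 08:00-18:00 local time."""
    return when.weekday() < 5 and time(8, 0) <= when.time() < time(18, 0)


def evaluate(subject: Subject, resource: Resource, env: Environment) -> Decision:
    """Derive the allowed action set from file, user and environment attributes.

    Rules are checked most-restrictive-first; ownership never bypasses them.
    """
    level = CLASSIFICATION[resource.classification]
    sensitive = level >= CLASSIFICATION["confidential"]

    # Rule 1: the user's clearance must dominate the file's classification.
    if CLEARANCE[subject.clearance] < level:
        return Decision("deny", frozenset(), "clearance below classification")
    # Rule 2: public material carries no restrictions.
    if level == CLASSIFICATION["public"]:
        return Decision("permit", ALL_ACTIONS, "public document")
    # Rule 3: sensitive file, out of hours, unmanaged device -> deny (even the owner).
    if sensitive and env.device == "byod" and not in_business_hours(env.when):
        return Decision("deny", frozenset(), "sensitive file out of hours on BYOD")
    # Rule 4: sensitive file on an unmanaged device in hours -> restricted, view only.
    if sensitive and env.device == "byod":
        return Decision("restricted", frozenset({"view"}), "BYOD device: view only")
    # Rule 5: managed device off-site may edit but may not make local copies.
    if env.location != "office":
        allowed, reason = {"view", "edit"}, "managed device off-site: no download/print"
    else:
        allowed, reason = set(ALL_ACTIONS), "managed device in office"
    # Rule 6: 'restricted' material never leaves the system via print or share.
    if level == CLASSIFICATION["restricted"]:
        allowed -= {"print", "share"}
        reason += "; restricted label: no print/share"
    return Decision("permit", frozenset(allowed), reason)


def is_allowed(subject: Subject, resource: Resource, env: Environment, action: str) -> bool:
    """Single-action check suitable for an enforcement point (open, print, share ...)."""
    return action in evaluate(subject, resource, env).actions


def demo() -> Dict[str, Decision]:
    """Constructed scenarios (sample users and paths, not real data)."""
    alice = Subject("alice", "manager")      # owns the M&A deck
    bob = Subject("bob", "staff")
    carol = Subject("carol", "executive")
    ma_deck = Resource("/finance/m-and-a/q4-deck.pptx", "confidential", owner="alice")
    minutes = Resource("/legal/board-minutes.docx", "restricted", owner="carol")
    handbook = Resource("/hr/handbook.pdf", "public", owner="hr")
    return {
        "owner_out_of_hours_byod": evaluate(alice, ma_deck, Environment(SATURDAY_NIGHT, "remote", "byod")),
        "owner_in_hours_byod": evaluate(alice, ma_deck, Environment(TUESDAY_MORNING, "remote", "byod")),
        "owner_in_office_managed": evaluate(alice, ma_deck, Environment(TUESDAY_MORNING, "office", "managed")),
        "owner_remote_managed": evaluate(alice, ma_deck, Environment(TUESDAY_MORNING, "remote", "managed")),
        "staff_no_clearance": evaluate(bob, ma_deck, Environment(TUESDAY_MORNING, "office", "managed")),
        "exec_restricted_in_office": evaluate(carol, minutes, Environment(TUESDAY_MORNING, "office", "managed")),
        "guest_public_anywhere": evaluate(Subject("guest", "guest"), handbook, Environment(SATURDAY_NIGHT, "remote", "byod")),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} {decision.effect:10s} {sorted(decision.actions)}  ({decision.reason})")
```

The point of the structure is that the same request by the same owner of the same file produces three different outcomes (deny, view-only, full access) purely from environment attributes, which is what a role-based check cannot express. In a real deployment the decision would be re-evaluated on every open, print and share rather than once at login, and the reason string would go to your audit log.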
5. Modern Security Needs to Protect from Within
Today organizations must assume they will be compromised by a bad actor, a negligent employee, or even a disgruntled employee, as in the case of the Facebook Whistleblower. We can no longer afford to settle for after-the-fact detection and user behavior analysis to spot an insider breach, an approach that limits damage rather than preventing it, or worse, to discover a breach by reading about it in the national news.
A Zero Trust information security approach that extends access and sharing controls to the file level can help proactively ensure your business-critical data is accessed, used and shared according to your policies to prevent both negligent and malicious data loss.
NC Protect can help you easily implement zero trust information security with advanced ABAC-based information access and protection that’s simple, fast and scalable for your Microsoft 365 apps and Windows File Shares.