Today’s most damaging security threats aren’t limited to malicious outsiders or malware but from a company’s trusted insiders with access to sensitive information. A recent report from Cybersecurity Insiders looked at what companies believe are the drivers for insider attacks. The top answer – lack of user training. The solution to the problem most cited – more user training. While employees need access to sensitive information to do their job, organizations need a plan to make sure their own people are not the cause of a data breach – both malicious insiders and negligent insiders. However, more training alone isn’t the answer – training backed by automated enforcement is.
A closer examination of contributing factors and prevention methods
Here’s a quick look at the facts around insider attacks according to the 2019 Insider Threat Report:
- 56% of organizations surveyed believe the most critical factor enabling insider attacks is the lack of employee awareness and training.
- On the flip side, the most utilized tactic in combating insider threats, 51%, is user training to address both inadvertent insider threats due to human error as well as recognizing unusual and suspicious behavior often exhibited by malicious insiders.
- Those survey also cited a lack of training and expertise (58%) as the key barrier to better insider threat management, in addition to the lack of collaboration among departments (57%) and lack of budget (52%).
There’s one common thread here: a lack of or need for more user training.
Why more user training simply isn’t enough
The facts clearly illustrate that simply relying on data governance and security policies to safeguard the organization from insider attacks puts you in precarious security position. No one can guarantee that every person in your organization who has access to sensitive information will follow the rules – no matter how much training they receive.
There is concrete evidence that a large percentage of breaches are caused by employees accidentally or maliciously mishandling sensitive customer, patient or corporate information against policy. The Insider Threat Report also revealed that 70% of organizations observed that insider attacks have become more frequent over the last 12 months. And 60% have experienced one or more insider attacks within the last 12 months. The results closely mirror McKinsey’s findings that insider threats are present in 50% of breaches reported in a recent study.
Adding to the complexity is the sheer number of communication channels that exist in today’s digital world making it difficult for users to remember the rules for every situation and communication medium.
It can happen in any setting, and it can happen to you. So, what steps can you take to protect the business?
Protect Your Content and Your People
For starters, why are organization’s only relying on user training when technology exists to protect data in any circumstance? Education has its place especially when it comes to protecting against outside threats from hackers like phishing attacks. And educating users on data sharing polices is important for them to understand the rules around collaboration, but it’s just one step you should be taking to protect your data.
Just as organizations depend on security technology to protect them from a myriad of outside threats, the right technology is also invaluable to protect data from within; from malicious insiders look to profit from data theft to innocent slips of the mouse that result in a headline making data breach.
You should look to protect your data and users (arguably your next most valuable asset) by:
- Auditing Data and Access: To start, identify where all your data currently exists within the various data repositories and tools used to store it. You also need to ensure only authorized personnel have access to sensitive information.
- Classifying and Securing Data: Once you’ve reviewed who should have access to sensitive information, you should look to automate the process of classifying documents according to their sensitivity level. Don’t just rely on folder or database security methods, the best course of action is to use data-centric security that both applies both classification and security to the individual document to restrict access and apply restrictions on what actions can be performed (print, save, email, etc.) based on its classification level. Extremely sensitive content should also be encrypted to ensure it remains protected if it makes its way out of the organization – intentionally or not.
- Addressing Changing Risk Profiles: Today’s data isn’t static, it’s constantly being collaborated on and changing. Look at data on a continuous basis to account for how information and its associated access attributes and user context change over time, then adjust its security accordingly. Assess the risk profile associated with the data and its use cases, then consider the security that should be applied in each scenario.
- Balancing Security with Collaboration: Keep the right balance between what users want from a collaboration perspective and what the organization demands from a security perspective. Go too far in either direction and you can make your situation worse. Too lax and your data can be shared far too freely. Too stringent and your users find an alternative way to share and collaborate. In either situation you lose visibility and control of your sensitive data.
Training Backed by Automated Enforcement is Essential to Data Protection
They key to remember here is automation in the form of data-centric security is your friend. These measures will help prevent insider attacks while ensuring the authorized users can access information to get their jobs done without bypassing security protocols to do so. In today’s modern workplace solely relying on people to follow data security and sharing protocols is not only outdated it can seriously impact the safety of your sensitive data.