Companies are reporting sharp increases in data loss spurred by remote and hybrid work. How is this occurring with all the security measures and tools enterprises have in place? Insider privilege abuse and data mishandling are cited in multiple reports as growing causes of data breaches and incidents outside of hacking and external threats. Read on to discover the top 10 ways insiders are contributing to data loss in your organization and how to prevent data loss and mishandling in the first place.
The Top 10 Insider Data Loss Causes
Data breaches and security incidents are no longer just the domain of hackers. The uptick in collaboration tools and remote work has spurred a new threat vector – your trusted insiders.
According to the definitions in the 2020 Data Breach Investigations Report, a security incident refers to a violation that compromises the integrity, confidentiality, or availability of an information asset. A data breach is an incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.
Just how is insider data loss occurring? According to a study by IBM, employee or contractor negligence (64%) is the leading cause of insider incidents, followed by criminal or malicious users stealing information for personal gain (23%) and credential theft, a.k.a. imposter risk (14%).
Here are a few of the top insider data loss causes cited by various reports:
- Personal Information (PI) sent to the wrong recipient (email, mail or other)
PI being sent to the wrong recipient is a top cause of data loss that has been exacerbated by all of the different communication and collaboration channels in the modern workplace: multiple enterprise document management systems (e.g., SharePoint, OneDrive, Google Docs, Box, Dropbox, etc.), email, enterprise chat tools (Microsoft Teams, Slack, etc.). It’s far too easy to send a sensitive file to the wrong internal user or someone outside of the organization, simply by picking the wrong name from a list.
- Unauthorized disclosure (unintended release or publication)
The unauthorized disclosure of sensitive information in either paper or online documents falls under ‘human error’ breaches. For example, several notable breaches have been caused by documents containing personal information being mistakenly uploaded and exposed on an organization’s public website.
- File uploads to personal cloud storage services (shadow IT)
Transferring company documents and files to a personal storage service in the cloud means that the data in question is now only protected by the security measures of the cloud storage service it has been copied to. It’s often not on par with the required level of security, nor does corporate IT have visibility into data stored on personal cloud storage accounts, making ‘shadow IT’ a huge headache and security risk for organizations.
- Unauthorized disclosure (failure to redact)
Failing to properly remove or redact information in a document, such as personal information, before releasing or sharing it is another top cause of negligent data breaches.
- Printing sensitive information (wrong printer, at home)
Another common source of data breaches is printed documents. Sending a sensitive document to the wrong printer, where a colleague who shouldn’t be privy to that information picks it up; printing at home and throwing documents in the trash without shredding them; or leaving a confidential printout on a train or an airplane can all easily lead to a data breach.
- Viewing sensitive data in a public place (café, airport/airplane, etc.)
Sensitive data being accessed from a public place over unsecured Wi-Fi has become a problem as the workplace has gone mobile. Anyone nearby in a public setting can read information over your shoulder and take advantage of it. The other significant risk stems from the fact that public Wi-Fi connections are not secure and are prone to hacking and theft by a malicious actor.
- Copying sensitive files and/or IP to USB drives
Using USB drives to share sensitive information or intellectual property (IP) is an easy way to transfer data, but it creates a massive security risk if the USB drive is misplaced or stolen, leaving the sensitive information stored on it at the mercy of whoever finds it. It is also a convenient way for a malicious employee to discreetly carry your IP and sensitive data out the door.
- Saving sensitive data to home office network attached storage
With remote work and BYOD policies, users saving sensitive information to a personal device is commonplace and a big security risk. Home devices and networks are often far more vulnerable environments than company-sanctioned tools and environments, leaving data at risk.
- Taking a photo or screenshot of sensitive information and/or IP
Despite all the security we put around our data to stop unauthorized access and theft, the easiest way for malicious users to bypass that security is to simply snap a photo of the information on their phone.
- Employee/user credential theft (imposter risk)
A third party gaining access to an employee’s user credentials is a commonly exploited hacking tactic. Once a bad actor is able to gain access to systems and data using the stolen credentials, they have the access needed to infiltrate systems and look for valuable data to steal. This type of breach takes much longer to identify and remediate since it’s difficult to discern legitimate user actions from suspicious ones.
It is easy to see a pattern here; most of the top insider data loss causes are a result of negligence or carelessness of the employees or contractors. A smaller percentage of insider incidents are caused by malicious users whose main goal is to steal data.
What can an organization do to protect itself against insider data loss?
How to Stop the Top 10 Data Loss Scenarios
Collaboration is essential to business. The key is to balance collaboration with adequate security. To do this, organizations need to assess what data an employee needs access to in order to do their job. But it doesn’t stop there. They also need to determine what a user should be able to do with that data if they are granted access to it to stop negligence, misuse and loss.
1. Answer These Key Data Access & Handling Questions
- Where is sensitive data stored? One or many repositories?
- Who has access to company sensitive data? Should they?
- If they should, then what should they be able to do with it?
- Should they be able to edit it, or should it be read-only access?
- Should they be able to print it? Save it? Copy and paste it?
- What about sharing or emailing it? With whom?
- How should documents be shared?
- Can they email an attachment, or should you force them to share a link to a secure sharing site?
- Do you need to audit sensitive data access and handling?
2. Adopt a Proactive, Zero Trust Security Posture
While companies identify data security and applications as some of their biggest areas of concern, many are still relying on user training and reactive behavior-monitoring and perimeter-based technologies to protect them from this new threat vector – trusted employees with legitimate access to applications and systems.
While these technologies serve an important purpose, they don’t address application and data security, data handling and compliance risks – and simple human error. To effectively protect against these risks a new, proactive approach is needed.
The good news is a modern and more effective methodology already exists. The concept of “Zero Trust” in security has been around for a number of years. Simply put, the Zero Trust approach dictates that you must verify and validate each action, every time, in context, to the level needed to meet the desired level of confidence for a decision: “Trust nothing implicitly, and verify everything you can, every time you can.”
Zero Trust comes down to verifying and validating each step, each action, and each element needed in order to satisfy the underlying needs – whatever they are.
3. Trade in RBAC for ABAC
The traditional approach to data security relies on Role Based Access Control or RBAC. This is where network access is restricted based on a person’s role within an organization. The user’s role determines which permissions the system grants to the user. Users are only allowed to access the information and perform actions necessary to carry out their duties.
Attribute-based Access Control, or ABAC, is a newer, more dynamic security methodology based on the combination of User, Environmental and Resource Attributes. It evaluates the attributes of a user, their security clearance (or role), their location, the device they are using, as well as the sensitivity level of the document they are trying to access, to approve or deny access. It offers more granular and contextual security.
For example, when working in the office, you should be able to access documents, make changes to them, print copies, copy text and images, etc. But if you’re in a coffee shop on public Wi-Fi, where other patrons will likely have a clear view of your monitor, access can be denied or limited to a read-only view because the environment is not considered secure.
Pairing a data-centric zero trust security approach with ABAC enforcement ensures that appropriate checks and balances are applied, and that they are relevant to the sensitivity of the data in the context of whatever the access or sharing scenario is.
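The following is an added example, not code from the original post or from archTIS, that contrasts the static RBAC matrix described above with a small ABAC policy decision function evaluating the same request in context. The user, environment and document attributes, the role matrix, and the rules (read-only view in a public setting, no printing of sensitive data outside the office, no sensitive data on an unmanaged device) are illustrative assumptions built from the scenarios on this page; every decision is written to an audit list so the "do you need to audit access and handling" question is also covered.

```python
"""Toy ABAC policy decision point contrasted with RBAC (added example; all names,
roles and rules are illustrative assumptions, not a real product's policy)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Tuple


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass(frozen=True)
class User:
    name: str
    role: str               # the only input RBAC looks at
    clearance: Sensitivity  # user attribute used by ABAC


@dataclass(frozen=True)
class Environment:
    location: str           # "office", "home" or "public" (cafe, airport, train)
    network: str            # "corporate", "home" or "public"
    managed_device: bool    # corporate-managed endpoint (True) or BYOD (False)


@dataclass(frozen=True)
class Document:
    name: str
    sensitivity: Sensitivity  # resource attribute used by ABAC


# Static RBAC matrix: role -> permitted actions, regardless of where or how the user connects.
RBAC_PERMISSIONS = {
    "analyst": {"view", "edit", "print", "copy", "share"},
    "contractor": {"view"},
}

# Audit trail of every ABAC decision (constructed in memory; a real system would ship these to a SIEM).
AUDIT_LOG: List[str] = []


def rbac_decision(user: User, action: str) -> bool:
    """Classic RBAC: the role alone decides; a cafe and the office look identical."""
    return action in RBAC_PERMISSIONS.get(user.role, set())


def abac_decision(user: User, env: Environment, doc: Document, action: str) -> Tuple[bool, str]:
    """ABAC: combine user, environment and resource attributes for this one action.

    Each request is evaluated afresh (nothing is carried over from an earlier
    decision), and the verdict with its reason is appended to AUDIT_LOG.
    """
    def decide(allowed: bool, reason: str) -> Tuple[bool, str]:
        AUDIT_LOG.append(f"{user.name} {action} {doc.name} @{env.location}/{env.network}: "
                         f"{'ALLOW' if allowed else 'DENY'} ({reason})")
        return allowed, reason

    # 1. The role still bounds what is ever possible.
    if not rbac_decision(user, action):
        return decide(False, f"role {user.role} never permits {action}")

    # 2. User attribute vs resource attribute: clearance must cover sensitivity.
    if user.clearance < doc.sensitivity:
        return decide(False, f"clearance {user.clearance.name} below {doc.sensitivity.name}")

    # INTERNAL or below: role plus clearance is enough, wherever the user is.
    if doc.sensitivity <= Sensitivity.INTERNAL:
        return decide(True, "low sensitivity, role and clearance suffice")

    # 3. Environment attributes apply to CONFIDENTIAL and above.
    if not env.managed_device:
        return decide(False, "sensitive data may not be handled on an unmanaged (BYOD) device")

    if env.location == "public" or env.network == "public":
        # Shoulder surfing and untrusted Wi-Fi: degrade to read-only rather than deny outright.
        if action == "view":
            return decide(True, "public setting: read-only view permitted")
        return decide(False, f"public setting: {action} blocked, read-only view only")

    if action == "print" and env.location != "office":
        # Printing sensitive material at home is one of the loss causes listed above.
        return decide(False, "printing sensitive data is restricted to office printers")

    return decide(True, f"{env.location} on {env.network} network with a managed device")


if __name__ == "__main__":
    alice = User("alice", "analyst", Sensitivity.CONFIDENTIAL)
    report = Document("q3-forecast.docx", Sensitivity.CONFIDENTIAL)
    for env in (Environment("office", "corporate", True), Environment("public", "public", True)):
        for action in ("view", "edit", "print"):
            print(f"{env.location:7} {action:5} RBAC={rbac_decision(alice, action)!s:5} "
                  f"ABAC={abac_decision(alice, env, report, action)}")
```

Running the block prints the same analyst's three actions from the office and from a cafe: RBAC allows all six because the role never changes, while ABAC allows everything in the office but only the read-only view in the cafe. The design choice worth noting is that ABAC here wraps RBAC rather than replacing it: the role sets the ceiling, and the environment and document attributes can only narrow it.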
Want to adopt proactive data security that stops data loss and delivers benefits rapidly?
archTIS offers zero trust ABAC-powered data access and protection solutions that provide immediate benefits and return on investment, while empowering secure collaboration. Contact us to get a conversation started.