Data Privacy and Security

Overlook the insider threats at your peril

This is a contributed piece by Thomas Fischer, global security advocate at Digital Guardian


In the face of ongoing media hyperbole, you’d be forgiven for thinking the biggest cyber threats facing the global business sector today are advanced malware or state-backed hackers. But ask any security professional and they’ll tell you that the real threat is a lot closer to home.

Very recently, Verizon and Bupa, both globally recognisable brands, suffered significant data breaches affecting millions of customers. However, in both cases the perpetrator wasn’t a sinister external entity, but an insider with authorised access to sensitive data. In Bupa’s case, a disgruntled worker deliberately leaked more than half a million customer records online. For Verizon, it was a partner’s simple configuration error that subsequently exposed more than six million customers’ personal information.


Businesses still too fixated on outsider threats

The challenge with the insider threat is that it is multifaceted and complex to protect against. Internal employees, contractors and other third parties often need access to resources in order to get the job done. This means that it is far more difficult to protect against malicious and accidental actions that can put this data in harm’s way. Even though the threat is clear, the vast majority of businesses are still burying their heads in the sand when it comes to insiders.

In a recent survey conducted at the BSides London security event, 71% of security professionals said they felt that businesses should be more concerned about insider threats than they currently are. Furthermore, 47% of respondents went as far as saying insider threats and uneducated users are the most overlooked security threat facing businesses today. Almost half of the security professionals felt that the most overhyped threats are those posed by nation states such as North Korea and Russia.

Despite the concern from security professionals about the insider threat, 92% of respondents to the survey acknowledged that the industry as a whole is still deploying far more resources towards tackling external threats. This ‘castle and moat’ approach to cyber security has been around for years, with vendors offering more and more layers of perimeter defence to help build the walls higher and the moat deeper. But what use are these defences when the threat is already inside?

In the case of Verizon’s recent breach, a third party – who was migrating customer data to a new cloud storage area – simply set the storage access incorrectly, allowing external access by mistake. If the insider threat were seen as a real risk, it would be taken far more seriously. But this doesn’t seem to be the case in most boardrooms. In the BSides London survey, only 9% of security professionals said they felt that senior management in their business is making good decisions around security strategy and spending.


Two ways to lower the risk posed by insider threats

Like so many security issues, it doesn’t always require a huge financial investment to significantly reduce the insider threat. Strategic investments in two key areas can make a large difference:

  1. Education and awareness: The most effective defence against accidental insider threats is comprehensive education and awareness training. The vast majority of accidental data breaches occur when employees are simply unaware of the consequences of their actions. Providing regular training on data security helps to reduce instances of carelessness and ensure that employees think before acting whenever sensitive data is involved. As part of this, regular refreshers should be provided to keep employees informed of any new data process or technology being implemented.
  2. A more data-centric approach to security: Unfortunately, not all insider threats are unintentional. As illustrated by Bupa’s recent data breach, sometimes employees know exactly what they’re doing. In these instances, an additional layer of technology can help to stop sensitive data being leaked. When education and awareness fail, security teams need to be able to understand and visualise how data is being used, so that they can quickly see unusual activity that might indicate data is at risk. In addition, automated access policies, and even controls that prevent employees from copying, transferring or deleting sensitive data, can help prevent data loss.

Despite a growing body of evidence about the risks that insider threats pose to modern businesses, those who hold the purse strings of security spend remain stubbornly fixated on the perimeter. While this is a source of increasing frustration amongst security professionals, the good news is that it doesn’t take a huge investment to significantly boost protection against insider threats. Strategic spending on education and awareness, combined with data-aware technologies, can help to deter even the most malicious or careless employees, ensuring sensitive data remains firmly out of the wrong hands.

