An increasing number of organisations are shifting their focus towards insider threat protection, which is hardly surprising given that the Ponemon Institute reported 3,269 insider incidents in the past year. According to a recent study by Kaspersky Lab, 52% of businesses admit that their own employees present the greatest risk to their IT security. A data breach caused by a malicious insider can happen to any organisation, regardless of how big its budget is.
For example, earlier this year, Elon Musk sent an email to all employees announcing that an employee was “making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties”.
While some progress has been made in the field of insider threat protection, it has been slow to say the least. A large percentage of organisations still underestimate the damage that can be caused by a single member of staff – whether former or current, malicious or negligent. The motives behind malicious insider attacks range from employees who feel frustrated, ostracised, neglected or unfairly treated, to those seeking financial gain by selling employee or customer data, intellectual property, or any other sensitive business information.
Of course, not all insider threats are malicious. Some are caused by a lack of technical knowledge, a failure to adhere to company policy in an attempt to cut corners, accessing sensitive data over an unsecured public Wi-Fi network, or misplacing a device that either stores or has access to sensitive company data. The question remains: how can DCAP (Data-Centric Audit & Protection) solutions help to identify and mitigate the very real threat from within?
Discovery and Classification of Sensitive Data
Most sophisticated DCAP solutions provide automated tools to help you discover and classify your sensitive data. Such tools not only make it easier to locate your sensitive data, but also to set up the necessary access controls to protect it. Recent research we undertook at GITEX in Dubai suggested that over 70% of enterprise organisations have more than 100,000 folders open to every employee. Obviously, having unrestricted access to such large amounts of data is a recipe for disaster.
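To make the discovery step concrete, here is an added example (our own illustration, not code from any DCAP product) that walks a directory tree, classifies each file against a small set of sensitive-data patterns, and records which folders are readable by every local user. The patterns, the Luhn filter on card numbers and the sample tree are constructed for the example; a real deployment would use a far larger pattern library and, on Windows, inspect ACLs rather than POSIX mode bits.

```python
"""Discovery and classification pass over a directory tree.

Added example, not code from any DCAP product. The classification
patterns and the sample tree below are constructed for illustration."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Detection patterns (assumed for illustration; a real deployment tunes these).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "ssn_us": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a random run of digits is not reported as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> dict:
    """Return {label: hit count} for every pattern that matches the text."""
    hits = {}
    for label, rx in PATTERNS.items():
        matches = rx.findall(text)
        if label == "card":
            matches = [m for m in matches if luhn_ok(re.sub(r"[ -]", "", m))]
        if matches:
            hits[label] = len(matches)
    return hits


def scan_tree(root: Path) -> dict:
    """Walk root, classify each file, and record directories readable by every
    local user (the POSIX 'other' read bit is the closest analogue here to a
    folder open to every employee)."""
    report = {"files": {}, "world_readable_dirs": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IROTH:
            report["world_readable_dirs"].append(os.path.relpath(dirpath, root))
        for name in filenames:
            path = Path(dirpath) / name
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            hits = classify_text(text)
            if hits:
                report["files"][os.path.relpath(path, root)] = hits
    report["world_readable_dirs"].sort()
    return report


def demo() -> dict:
    """Build a constructed sample tree in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp())  # mkdtemp creates the root with mode 0700
    hr = root / "hr"
    hr.mkdir()
    os.chmod(hr, 0o700)  # explicit chmod so umask cannot alter the outcome
    (hr / "payroll.csv").write_text(
        "alice@example.com,123-45-6789\nbob@example.com,987-65-4321\n")
    public = root / "public"
    public.mkdir()
    os.chmod(public, 0o755)
    (public / "notes.txt").write_text(
        "card on file: 4111 1111 1111 1111\nnot a card: 1234 5678 9012 3456\n")
    (public / "readme.txt").write_text("nothing sensitive here\n")
    return scan_tree(root)


if __name__ == "__main__":
    result = demo()
    print("open to everyone:", result["world_readable_dirs"])
    for path, hits in result["files"].items():
        print(path, hits)
```

The output of `demo()` is what an access review needs: the payroll file is classified even though its folder is locked down, and the notes file with a real-looking card number sits in the one folder every user can read.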
Enforcing “Least Privilege” Access
Employees should only be granted access to the resources they need in order to perform their duties. Once access permissions have been set up and assigned, organisations need a DCAP solution to detect unauthorised changes made to those permissions. Likewise, a DCAP solution can detect, alert, report and respond to any type of suspicious file/folder activity, including unauthorised access to privileged mailbox accounts.
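The permission-change detection mentioned above comes down to keeping an approved baseline and diffing against it. The following added example (our own illustration, not a DCAP product's code) snapshots the POSIX mode bits and owner of every path under a share, then reports anything that appeared, disappeared or had its permissions widened. The sample tree and the "unauthorised" changes it makes are constructed; on Windows the same approach applies to ACL entries rather than mode bits.

```python
"""Detect drift from an approved permission baseline.

Added example, not a DCAP product's code. Uses POSIX mode bits and owner
ids as the 'permissions'; the sample tree and changes are constructed."""
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Approved baseline: relative path -> (permission bits, uid, gid)."""
    base = {}
    for path in [root, *root.rglob("*")]:
        st = path.lstat()
        base[str(path.relative_to(root))] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return base


def widened(old_mode: int, new_mode: int) -> bool:
    """True when new_mode grants any permission bit old_mode did not (e.g. o+r added)."""
    return bool(new_mode & ~old_mode)


def diff_permissions(baseline: dict, current: dict) -> list:
    """Compare two snapshots; return (path, kind, old, new) findings sorted by path.
    kind is one of: new, removed, owner_changed, widened, narrowed."""
    findings = []
    for path, entry in current.items():
        old = baseline.get(path)
        if old is None:
            findings.append((path, "new", None, entry))
        elif entry != old:
            if old[1:] != entry[1:]:
                kind = "owner_changed"
            elif widened(old[0], entry[0]):
                kind = "widened"
            else:
                kind = "narrowed"
            findings.append((path, kind, old, entry))
    for path in baseline.keys() - current.keys():
        findings.append((path, "removed", baseline[path], None))
    return sorted(findings, key=lambda f: f[0])


def alertable(findings: list) -> list:
    """Everything except a pure tightening of permissions is worth an alert."""
    return [f for f in findings if f[1] != "narrowed"]


def demo() -> list:
    """Constructed scenario: baseline a locked-down finance folder, then apply
    one widening, one new file and one tightening, and diff."""
    root = Path(tempfile.mkdtemp())
    finance = root / "finance"
    finance.mkdir()
    os.chmod(finance, 0o700)
    ledger = finance / "ledger.xlsx"
    ledger.write_text("constructed sample\n")
    os.chmod(ledger, 0o600)
    baseline = snapshot(root)

    os.chmod(finance, 0o755)                        # folder opened to everyone
    (finance / "export.csv").write_text("constructed sample\n")  # file dropped in
    os.chmod(ledger, 0o400)                         # tightened: informational only
    return diff_permissions(baseline, snapshot(root))


if __name__ == "__main__":
    for path, kind, old, new in alertable(demo()):
        print(f"{kind:14} {path}  {old} -> {new}")
```

Run on a schedule (or from a file-system change notification), `alertable()` is the list that goes to the security team; the baseline itself should be re-approved, not silently overwritten, whenever a change is legitimate.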
Monitoring and Managing Inactive User Accounts
Inactive user accounts – also referred to as “ghost” accounts – present a major security risk for organisations when they are not managed in a systematic and timely manner. For example, should an employee leave an organisation on bad terms while their account is still active, they may log in to the network in an attempt to copy or delete sensitive data. Most sophisticated DCAP solutions can automate the process of managing inactive user accounts.
Monitoring Suspicious Out-Of-Hours Activity
Should you find an employee logging on to your network at times that do not correlate with their typical usage pattern, this may indicate that something suspicious is taking place. A DCAP solution can be set up to learn typical usage patterns and fire an alert should a pattern change, for whatever reason.
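Both of the previous two checks, stale accounts and out-of-hours logons, can be driven from the same logon log. The added example below (our own illustration, not a DCAP product's code) parses constructed logon records, builds a per-user profile of the hours at which each person normally logs on, flags later logons that fall outside that profile, and lists accounts with no recent logon. The log lines, the account list and the "now" timestamp are constructed; a real deployment would read the directory's last-logon attribute or the authentication log instead.

```python
"""Inactive-account and out-of-hours checks over a logon log.

Added example, not a DCAP product's code. The log lines, account list,
baseline cut-off and 'now' are all constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <user> <event>".
SAMPLE_LOG = """\
2024-03-04T08:55:00 alice logon
2024-03-04T09:02:00 bob logon
2024-03-05T09:10:00 alice logon
2024-03-05T08:40:00 bob logon
2024-03-06T08:58:00 alice logon
2024-03-06T09:15:00 bob logon
2024-03-07T09:05:00 alice logon
2024-03-07T17:30:00 bob logon
2024-02-01T10:00:00 dave logon
2024-03-15T02:47:00 alice logon
2024-03-15T09:00:00 bob logon
"""
ACCOUNTS = ["alice", "bob", "carol", "dave"]  # carol has never logged on
BASELINE_END = datetime(2024, 3, 10)          # events before this train the profiles
NOW = datetime(2024, 3, 16, 9, 0)


def parse_log(text: str) -> list:
    """Return (timestamp, user, event) tuples in chronological order."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    return sorted(events)


def build_profiles(events: list, end: datetime) -> dict:
    """Per-user set of hours of day at which logons were seen before `end`."""
    hours = defaultdict(set)
    for ts, user, event in events:
        if event == "logon" and ts < end:
            hours[user].add(ts.hour)
    return dict(hours)


def out_of_hours(events: list, profiles: dict, start: datetime, slack: int = 1) -> list:
    """Logons at or after `start` whose hour is more than `slack` hours away
    from every hour in the user's profile. A user with no profile is always flagged."""
    alerts = []
    for ts, user, event in events:
        if event != "logon" or ts < start:
            continue
        seen = profiles.get(user, set())
        # distance on a 24-hour clock, so 23:00 and 00:00 are one hour apart
        close = any(min(abs(ts.hour - h), 24 - abs(ts.hour - h)) <= slack for h in seen)
        if not close:
            alerts.append((user, ts.isoformat()))
    return alerts


def inactive_accounts(events: list, accounts: list, now: datetime,
                      max_idle_days: int = 30) -> list:
    """Accounts with no logon at all, or none within the last max_idle_days."""
    last = {}
    for ts, user, event in events:
        if event == "logon" and (user not in last or ts > last[user]):
            last[user] = ts
    stale = []
    for acct in accounts:
        seen = last.get(acct)
        if seen is None or now - seen > timedelta(days=max_idle_days):
            stale.append((acct, seen.isoformat() if seen else None))
    return stale


def demo() -> dict:
    events = parse_log(SAMPLE_LOG)
    profiles = build_profiles(events, BASELINE_END)
    return {
        "out_of_hours": out_of_hours(events, profiles, BASELINE_END),
        "inactive": inactive_accounts(events, ACCOUNTS, NOW),
    }


if __name__ == "__main__":
    print(demo())
```

In the constructed data alice's 02:47 logon is the only one outside anyone's profile, while carol (never seen) and dave (last seen in February) are the accounts to disable or review. The profile window and the idle threshold are the knobs to tune: too short a baseline flags every shift worker, too long an idle threshold leaves a leaver's account usable for weeks.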
Preventing the Spread of Ransomware
When a company falls victim to a ransomware attack, it is typically the result of a careless employee who either downloaded an email attachment or clicked on a link to a malicious website, which in turn led to the execution of the ransomware. While DCAP solutions cannot stop the employee from doing this, they do provide a feature known as “threshold alerting”: when the number of file changes made by one account within a short window exceeds a set limit, as it does when ransomware encrypts a share, an alert fires and a response can be triggered, which helps to prevent the attack from spreading.
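Threshold alerting is simple to express as a sliding-window count per user. The added example below (our own illustration, not a DCAP product's code) runs that logic over a constructed file-event stream in which one user edits a handful of documents and another account rewrites sixty files in thirty seconds. The threshold and window are assumptions to be tuned per environment.

```python
"""Threshold alerting: flag an account whose rate of file changes exceeds what
a person does by hand, the pattern mass encryption by ransomware produces.

Added example, not a DCAP product's code. The event stream is constructed;
the threshold and window are assumptions to be tuned per environment."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WRITE_ACTIONS = {"modify", "rename", "delete"}


def threshold_alerts(events: list, max_events: int, window: timedelta) -> list:
    """Sliding-window count of write-type events per user. Returns one
    (user, timestamp, count) alert per user, raised the moment the number of
    events inside `window` exceeds `max_events`."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, user, action, _path in sorted(events):
        if action not in WRITE_ACTIONS:
            continue  # reads do not count towards the threshold
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop events that have aged out of the window
        if len(q) > max_events and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts.isoformat(), len(q)))
    return alerts


def constructed_events() -> list:
    """Constructed sample: alice edits five files over an hour; bob's session
    renames sixty files in thirty seconds, as an encryptor would."""
    base = datetime(2024, 3, 15, 14, 0, 0)
    events = []
    for i in range(5):
        events.append((base - timedelta(minutes=60 - 12 * i), "alice", "modify",
                       f"/share/reports/q{i}.docx"))
    for i in range(60):
        events.append((base + timedelta(seconds=0.5 * i), "bob", "rename",
                       f"/share/finance/file{i}.xlsx"))
    events.append((base + timedelta(minutes=5), "alice", "read", "/share/reports/q0.docx"))
    return events


def demo() -> list:
    """20 write events in 60 seconds is the assumed threshold."""
    return threshold_alerts(constructed_events(), max_events=20, window=timedelta(seconds=60))


if __name__ == "__main__":
    for user, when, count in demo():
        print(f"ALERT {user}: {count} file changes within 60s at {when}")
```

The alert fires on bob's 21st rename, ten seconds into the burst, long before the remaining files are touched; the response hooked to it (disabling the account, killing the session or isolating the host) is what actually limits the spread. Expect to allow-list backup and build service accounts, which legitimately exceed any threshold a human user would.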
At the end of the day, if you don’t know what data you have, where it resides, who has access to it, and how it is being accessed, the chances of keeping your sensitive data out of the wrong hands are pretty much zero.