Are your worst cyber enemies already lurking inside your organisation? According to a string of recent internal data breaches – FDIC and now Sage – they just might be. In fact, the 2016 Insider Threat Spotlight Report found that 56 per cent of cybersecurity professionals said insider security incidents and attacks have become more frequent in the last year.
With 74 per cent of organisations feeling vulnerable to these threats, the Sage data breach highlights the true risk company insiders pose. It also points to several lessons organisations can learn about crafting employee security permissions and access levels to sensitive data. With this in mind, here are insights from Dana Simberkoff, Chief Compliance and Risk Officer at AvePoint, on what went wrong in Sage’s case and how companies can fight off insider threats in the future.
ITPP: What issues caused this data breach?
DS: While the specifics of the Sage data breach have not been fully disclosed, it appears that an insider may have used their privileged access to take action (inappropriate access to sensitive client data).
ITPP: What are the possible repercussions of the recent data breach Sage suffered?
DS: Because of the sensitive nature of the data Sage holds, this breach could lead to a loss of trust between the company and its clients. This type of data breach along with new requirements under the European Union General Data Protection Regulation (GDPR) for mandatory data breach notification will also continue to erode consumer confidence in the security of their data with the companies they trust to hold it.
Further, depending on the steps that Sage had taken to prevent this type of issue from happening, they could be subject to further action from the UK Information Commissioner’s Office.
ITPP: Does the Sage data breach reaffirm that insider threats are on the rise? If so, why?
DS: Insider threats are on the rise because attackers usually don’t get in by cracking some impenetrable control. They look for weak points, like trusting employees. Bank robber Willie Sutton, when asked why he robbed banks, reputedly said it’s “because that’s where the money is.”
The more valuable the data is that your company holds, the more you are at risk. This is why it is incredibly important to truly understand the data you hold and to protect it according to its value and your risk.
ITPP: What pitfalls make organisations the most vulnerable to insider threats and potential internal data breaches?
DS: Only by understanding the data you hold can you effectively protect it. Monitoring for potential hacks and exploits is now as commonplace as virus scanning, but this may lead some organisations to improperly rely on their existing scanning technologies – forgetting that most costly breaches come from simple failures and not from attacker ingenuity.
Many organisations make the mistake of focusing their data protection strategies on keeping the outsider out of their systems, but in fact many breaches come from an attacker who is already inside. Whether intentional or unintentional, insiders pose the greatest threat to your data protection program – but fortunately this is the type of threat you can do most to alleviate. As a general rule, employees should be given the least amount of access/privilege possible to allow them to do their job.
Unfortunately, overburdened IT administrators tend to work in the opposite way, giving users excessive access so that they do not sink under the burden of excessive workloads.
At the same time, it’s important to remember that innocent actors themselves may represent some of our weakest security links. In the absence of security education, we are finding that employees, users, and customers naturally make poor security decisions with technology. This means that systems need to be easy to use securely and difficult to use insecurely.
This is a critical point and probably one of the single largest opportunities for security programs to be revamped. Make it easier for your end users to do the right thing rather than the wrong thing.
ITPP: What can organisations learn from the Sage data breach?
DS: The Sage data breach can teach us a lot about how important it is to have structure when it comes to data storage and security. Using a combined or layered approach to data classification can ensure that the policies, training, and tools you are providing are being properly understood and integrated into the day-to-day tasks of your work force. Identity and access management is a part of a layered approach to preventing a Sage-like situation.
However, it’s only one of several tools that organisations need to use. Data protection should focus first on understanding the data your organisation holds, and then making decisions about where it should live, who can access it, and how it needs to be protected. User-based controls can then be layered in along with other controls for data-centric audit and protection. HR should also play a critical role in ensuring that employees are not intentionally or inadvertently provided with too much access to data.
This access should be monitored during an employee’s entire time with the company, but also when they are dealing with highly sensitive information. So trust your end users to appropriately identify and classify the sensitive data they are handling and/or creating, but verify that they are doing so.
ITPP: How can organisations craft better employee security permissions and access levels to sensitive data?
DS: In order to have a holistic and effective data privacy and security program, you must understand that there simply is no such thing as perfect security. Instead, you must adopt a risk-based approach to implementing your data protection program. While that often starts with the legal and compliance team and ends with the Chief Information Security Officer (CISO), it also needs to focus on a day in the life of your everyday business user.
Organisations must start by making it easier for business users to do the right thing. They also must make it easy and attractive for employees to use approved company systems to do their jobs. At the same time, they must both trust and verify that they are doing so. They should consider a policy that requires all company data to be scanned, tagged, and classified, so that it cannot possibly be intermingled with or inadvertently removed from a company system by a departing employee.
As a general rule, employees should be given the least amount of access necessary in order for them to do their job, and access should be regularly reviewed and reaffirmed. For example, if an employee is working on a time-limited project that requires particular access or permissions, those permissions should be tied to the length of the project only and should be revoked as soon as appropriate.
Finally, by tagging and classifying corporate data, organisations can then effectively layer in other security and data protection controls that direct and contain that data within appropriate systems and with appropriate identity management and access controls.
ITPP: What is HR's role in preventing data breaches?
DS: HR and IT are joint partners – along with the security, privacy, risk, and compliance teams – in working with the business to prevent a Sage-like situation from occurring. A good program starts with continuous and ongoing education of your employees. This education cannot be a once-a-year training course; rather, it must be pervasive throughout the culture of your company.
Dana Simberkoff is the Chief Compliance and Risk Officer at AvePoint.