Effective cybersecurity and data protection are challenging. If you disagree, consider the number of large organisations with massive IT security teams and virtually limitless resources—companies that are household names around the world—that have made headlines as victims of a data breach. Organisations, regardless of size or industry, must defend against an expanding threat landscape while protecting an increasingly complex ecosystem of devices and infrastructure. As businesses struggle to fend off malware, ransomware, cryptojacking, and other external threats, they often ignore a simple—yet inconvenient—truth: the threat from the inside poses a significant risk as well.
Growing risk from insider threat
The threat landscape—both external and internal—is growing and evolving. AV-Test reports that there are more than 350,000 new malicious and potentially unwanted applications identified every day. The sheer volume of new threats and the constantly shifting threat landscape are overwhelming. Most businesses struggle to keep up with those external threats, while essentially ignoring the significant and growing threat from the inside.
According to the 2019 Verizon Data Breach Investigations Report, the percentage of data breaches by external sources declined 6 per cent over the past year. At the same time, data breaches caused by trusted insiders—whether intentional or inadvertent—rose from 25 per cent in 2017 to 34 per cent in 2018. Perhaps that explains why 90 per cent of those surveyed for the Insider Threat 2018 Report indicated that they feel vulnerable to insider attacks.
Consequences of insider data theft
Cyberattacks are—by definition—bad. No organisation wants to be hit with any sort of malware or compromise. However, not all attacks are created equal. Some are merely annoying or frustrating, while some can be disruptive and damaging. Data breaches—especially data breaches from insider threats—are particularly insidious because the stakes are exceptionally high.
Intellectual property and data often are the most valuable assets a company has. IP accounts for an estimated 70 per cent of the value of a publicly traded company in the form of the patents, trademarks, copyrights, and trade secrets that define it. That’s why insider threats are so dangerous: employees know how valuable the data is and they know how to access it. For seven out of 10 cases of IP theft, the damages exceed £81,000. In 50 per cent of the cases where IP is stolen, the cost of the data loss to the company exceeds £812,000.
It would be naïve to think this is not an issue for your company. According to Code42’s latest 2019 Global Data Exposure Report, 63 per cent of employees admit to taking data when they leave and bringing it to their new company. Seventy per cent of IP theft happens in the month before an employee notifies the company they are leaving. Two-thirds of those employees believe that the IP will help them get their next job or help them be successful once they start it.
Protecting data from the insider threat
The traditional data loss prevention approach is flawed and ineffective. According to our recent Global Data Exposure Report, 69 per cent of security leaders acknowledge that traditional DLP cannot stop insider threats. Traditional DLP relies on properly tagging and classifying data assets, which puts a significant burden on employees to understand and properly apply data classifications. It is also easily circumvented, because an employee who wants to steal intellectual property can simply misclassify it intentionally to bypass detection. To be clear, classifying data has never worked.
DLP commonly stands for “data loss prevention,” but that is an impractical and unattainable goal. Steps should certainly be taken to prevent data loss or compromise whenever possible. However, organisations also need a more pragmatic and comprehensive approach that includes not only the assumption that data will be exposed or stolen, but also the tools and processes necessary to address that situation. Data loss prevention needs to be replaced with data loss protection.
The high value of intellectual property and the rising risk of data compromise by insider threats make it critical for organisations to implement a next-generation data loss protection strategy. Even in a best-case scenario, prevention only goes so far. No matter how many layers of defence you put in place, and no matter how effective they are, you still have to allow for the possibility that someone or something will slip through and that data can and will be stolen.
Rather than trying to categorise and tag sensitive data, businesses should assume all data is important, and instead focus on understanding what is happening with that data. There should be tools in place to log data movements so security teams can make reasonable judgments regarding whether or not that activity seems legitimate. Active monitoring with fast detection of potential data exposure or compromise and rapid response will help organisations protect themselves from data loss from insider threats.
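An added example, not from the article or from Code42: a classification-agnostic check over logged data movements that flags a user's transfers to external destinations when they far exceed that user's own baseline. The event fields, destination categories and thresholds are assumptions for illustration, and the sample events are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events: (day, user, destination, bytes_moved).
# Destination names are assumed categories; no classification tag is consulted.
EVENTS = (
    [(d, "alice", "usb", 2_000_000) for d in range(1, 6)]
    + [(d, "carol", "personal_cloud", 200_000_000) for d in range(1, 6)]
    + [
        (2, "bob", "personal_cloud", 1_000_000),
        (4, "bob", "personal_cloud", 1_000_000),
        (6, "alice", "usb", 3_000_000),               # routine, small
        (6, "carol", "personal_cloud", 250_000_000),  # large, but normal for carol
        (6, "dave", "corp_share", 2_000_000_000),     # internal destination
        (6, "bob", "usb", 400_000_000),               # far above bob's baseline
        (7, "bob", "personal_cloud", 900_000_000),
    ]
)
EXTERNAL = {"usb", "personal_cloud", "webmail"}

def daily_external_bytes(events):
    """Total bytes per user per day sent to external destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, dest, size in events:
        if dest in EXTERNAL:
            totals[user][day] += size
    return totals

def flag_unusual_movement(events, baseline_days, factor=5, floor=50_000_000):
    """Return (user, day, bytes) for days after the baseline window where external
    movement is at least `floor` and more than `factor` x the user's median day."""
    totals = daily_external_bytes(events)
    alerts = []
    for user, per_day in totals.items():
        history = [per_day.get(d, 0) for d in range(1, baseline_days + 1)]
        base = median(history)  # days with no external movement count as 0
        for day in (d for d in per_day if d > baseline_days):
            moved = per_day[day]
            if moved >= floor and moved > factor * base:
                alerts.append((user, day, moved))
    return sorted(alerts)

if __name__ == "__main__":
    print(flag_unusual_movement(EVENTS, baseline_days=5))
```

The alerts are a starting point for an analyst's judgment about whether the activity is legitimate, not a verdict on the user.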
Richard Agnew, VP EMEA, Code42