It is common knowledge that a data breach can have a severe impact on an organisation’s reputation. But contrary to what many people may believe, employees within your organisation may pose a bigger threat to the business than the highly trained hackers whom we usually envision stealing data. It is the people we have on our payroll who may pose the biggest risk to data loss.
Although we beat the drum fairly regularly here at Imperva, many business leaders are failing to adequately grasp the scope of the threats posed to them by careless, compromised, or malicious insiders. They are either wilfully or blissfully ignorant of the fact that they have at least one insider threat with the potential to cause significant damage to their business.
These insider threats often aren’t intentionally malicious either, as in many cases they simply don’t understand the inherent risks of sharing or accessing sensitive data. They may not even be aware they’re not allowed to leave the organisation with data on their device. A survey conducted by Imperva revealed that 79 per cent of individuals believe their organisation doesn’t have data removal policies for when an employee departs, and 85 per cent of respondents said they store corporate data in home computers or personal mobile devices.
According to Verizon's 2017 Data Breach Investigations Report, the most common scenario, seen in 60 per cent of insider breaches, involves an employee leaving with data in the hope of converting it to cash somewhere down the line. In 71 per cent of cases, personal information and medical records are targeted for financial crimes, such as identity theft or tax-return fraud, and occasionally just for gossip value.
The same report also revealed that the majority of insider breaches go undetected for months or even years. By looking at 77 different insider and privileged misuse breaches, Verizon determined that:
- only 2 were discovered in a matter of hours
- 6 were discovered days later
- 6 were discovered weeks later
- 33 were discovered months later
- and a staggering 30 of the breaches were discovered years later
In today’s increasingly stringent data privacy compliance environment, particularly with the introduction of GDPR this year, no organisation can afford to wait months or years to find out if they’ve been breached.
When a breach is discovered, it must be reported to the relevant regulator within a 72-hour window. The report must include details of who has been affected by the breach, what data was breached, how the breach happened, and how to remediate the situation.
What makes matters worse is that these details are not always accessible – many organisations do not have a clear way of understanding what happens during a breach. The problem is more complicated than one might imagine: not only is there pressure to report everything within the 72-hour window, but there is also the additional problem of uncovering which data has been breached. If an insider breach occurred, how do we pinpoint what has been stolen?
To gather all the information (listed above) needed to report a data breach, organisations must ask what users are doing with enterprise data and understand their employees' intent and actions, in order to fit together the puzzle pieces behind a breach incident.
Organisations that do not do so severely limit their ability to mitigate the risk of a data breach. Doing so, however, requires the ability to analyse large volumes of alerts to determine whether a real incident has occurred.
So, what's the solution, you ask? How do we determine whether a breach has occurred and gather all the necessary information within 72 hours? Can we simply no longer trust our employees to access data? The answer lies in leveraging next-gen security technology to discern between a real insider threat and approved data access.
This is where machine learning has revolutionised the ability of security teams to uncover potential insider threats. Where they would previously need to sift through millions of security alerts to spot suspicious behaviour, the technology now does the legwork: it establishes a baseline of each user's normal behaviour when accessing data, quickly identifies inappropriate and abusive data access, and suppresses the massive volume of alerts that would previously have consumed the team's time.
An effective security programme enables your security teams to analyse, correlate, and view access activity from any angle. Companies should also consider implementing seamless audit tools to ensure it’s as simple as possible to carry out routine tasks like analysing failed logins, identifying attack sources, investigating unauthorised operations and tracking privileged operations.
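To make the baselining and audit-analysis ideas above concrete, here is a small added example (not Imperva's product code, and not from the original article). It learns a per-user baseline of normal data access from constructed audit records, flags new events that deviate from it (first access to a table, a volume far above the user's norm, access outside the user's usual hours), and separately counts failed logins per user; the record format, user names and thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit records (user, hour_of_day, table, rows_returned, status).
# HISTORY is assumed "normal" activity used to learn baselines; not real data.
HISTORY = [
    ("alice", 9, "orders", 120, "ok"), ("alice", 10, "orders", 95, "ok"),
    ("alice", 14, "orders", 110, "ok"), ("alice", 16, "customers", 40, "ok"),
    ("alice", 11, "customers", 35, "ok"), ("alice", 15, "orders", 130, "ok"),
    ("bob", 8, "payroll", 20, "ok"), ("bob", 9, "payroll", 25, "ok"),
    ("bob", 13, "payroll", 18, "ok"), ("bob", 17, "payroll", 22, "ok"),
]
# Constructed events to review against the learned baselines.
NEW_EVENTS = [
    ("alice", 10, "orders", 105, "ok"),        # routine access, should be ignored
    ("alice", 23, "customers", 50000, "ok"),   # bulk export, late at night
    ("bob", 9, "customers", 24, "ok"),         # table bob has never touched before
    ("mallory", 12, "orders", 10, "ok"),       # account with no history at all
    ("bob", 2, "payroll", 0, "fail"), ("bob", 2, "payroll", 0, "fail"),
    ("bob", 2, "payroll", 0, "fail"),          # repeated failed logins
]

def build_baseline(records):
    """Learn, per user, the tables touched, row volumes and hours seen in normal activity."""
    profile = defaultdict(lambda: {"tables": set(), "rows": [], "hours": []})
    for user, hour, table, rows, status in records:
        if status != "ok":
            continue  # failed attempts must not shape the definition of "normal"
        profile[user]["tables"].add(table)
        profile[user]["rows"].append(rows)
        profile[user]["hours"].append(hour)
    return profile

def score_event(baseline, event, sigma=3.0):
    """Return the reasons an event deviates from its user's baseline (empty list = normal)."""
    user, hour, table, rows, status = event
    if status != "ok":
        return []  # failed logins are counted separately below
    p = baseline.get(user)  # .get() does not create an entry for unknown users
    if p is None:
        return ["no baseline for user"]
    reasons = []
    if table not in p["tables"]:
        reasons.append(f"first access to table {table}")
    threshold = mean(p["rows"]) + sigma * pstdev(p["rows"])  # mean + 3 sigma volume rule
    if rows > threshold:
        reasons.append(f"volume {rows} rows exceeds baseline threshold {threshold:.0f}")
    if not min(p["hours"]) <= hour <= max(p["hours"]):
        reasons.append(f"access at hour {hour} outside usual window")
    return reasons

def failed_login_report(records, limit=3):
    """Count failed logins per user and return those at or above `limit`."""
    fails = defaultdict(int)
    for user, _, _, _, status in records:
        if status == "fail":
            fails[user] += 1
    return {u: n for u, n in fails.items() if n >= limit}
```

Running `score_event` over `NEW_EVENTS` leaves the routine access unflagged and gives the analyst the who, what and when for the three anomalous events, while `failed_login_report` surfaces the account with repeated failures.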
Through a deeper understanding of user access to data, your organisation can then achieve massive efficiencies by identifying critical data abuse, as opposed to the harmless anomalies that currently soak up countless hours of your security teams' time. This also allows you to mitigate the threat of insider breaches and to establish the who, what, when, where, and how of a data breach in a much shorter timeframe.
Spencer Young, RVP, Imperva