Stories of security breaches that originated inside the organization have flooded the news in recent years – Edward Snowden and the National Security Agency being the best known example.
In addition to elevating the data privacy conversation to the international level, these stories also shine a light on a trend that has become quite common: Insiders continue to cause more data breaches, on average, than anyone else. Many of these are accidental in nature — but for purposes of this article, I’ll focus on those that are not.
Playing Whack-a-Mole With Your Security
While the word “hacktivism” may be relatively new, it’s an activity that most people are already aware of — specifically from stories surrounding Edward Snowden’s infiltration of the NSA computer systems and furthered by the hacking collective Anonymous in its attacks against banks, the government and politicians.
As a concept, hacktivism is the practice of gaining unauthorized access to a computer system and carrying out various disruptive actions as a means of achieving political or social goals.
Defending against an insider threat is an often complicated and usually nuanced exercise. For many organizations it can feel like a glorified game of “whack-a-mole.” The larger the organization and the more complex its infrastructure and collaboration systems, the more difficult it is to identify real threats — and the more onerous the task of the Security Operations Center.
Who Poses the Biggest Threat?
In reality, most costly breaches come from simple failures, not from attacker ingenuity. But with the proper incentives, hackers can be very creative.
Attackers usually don’t get in by cracking some impenetrable control — they look for weak points, like trusting employees. Many organizations make the mistake of focusing their data protection strategies on keeping the outsider out of their environments, but in fact, many breaches come from an attacker who is already inside.
Whether intentional or unintentional, insiders cause the greatest threat to your data protection program. Fortunately, they are the threat you can do most to alleviate. You can help to minimize the likelihood of a major data breach with very simple steps including two-factor authentication, biometric IDs, employee monitoring, data encryption, and stringent password and authentication controls.
The Keys to Success
First and foremost, organizations should start with continuous and ongoing education of employees. An annual training course won't cut it — the training must permeate the culture of your company. In the absence of security education or experience, people (employees, users, customers) often make poor security decisions with technology. This means making systems easy to use securely and difficult to use inappropriately.
This is critical, and probably one of the greatest opportunities for you to revamp your security programs. Make it easier for your end users to do the right thing than the wrong thing by adhering to these tips:
- DO create policies, rules and IT controls that make common sense and make it easier for your end users to do their jobs effectively with the systems and controls that you want them to use
- DON’T set up cumbersome and restrictive policies that push your employees to private cloud options to effectively do their jobs
- DO trust your end users to appropriately identify and classify sensitive data they are handling and/or creating, but verify that they are doing so correctly
- DON’T rely on their promises that they are doing so. Instead, verify or automate the process to ensure they are following through
At the end of the day, employees always do what they need to do to get their job done. Become an advocate for them by making it simple for them to use the systems you can control.
Using a combined or layered approach to data classification, identify management and access controls, and data loss prevention systems can ensure that employees understand and integrate the policies, training and tools you provide into their day-to-day tasks.
Security and data protection is a team sport in which every employee is a player.