person holding a flashlight against a starry night sky at the Mobius Arch Loop
PHOTO: Clarisse Meyer

Last week, as I’ve done every year for the past several years, I attended the RSA Security conference.

Against the backdrop of hundreds — if not thousands — of security vendors, industry experts and panelists, and tens of thousands of participants, one of the themes that struck me was this: One of the biggest challenges we face in both the world of cybersecurity and in our new data-driven society is the need to cancel out interference and prioritize our efforts, focus our attention and pinpoint the one-in-a-million issues that we really need to address.

In other words, how do we find the signal we are looking for amid all the noise of our information society?

Cybersecurity Challenges Grow

From intrusions to breaches, today’s cybersecurity landscape is thornier than ever, and the job of security professionals is becoming increasingly difficult. We could easily drown in a tsunami of intrusion-detection and prevention alerts, log management tasks, data loss prevention projects, and security information and event management (SIEM) events.

Thanks to innumerable stories of massive data breaches, cybersecurity is making headlines around the world. This media attention has led to increasing awareness among consumers that they — and their personal data — have become the target of cybercriminals, social hactivists and even malevolent insiders.

With increasing consumer awareness and tough new regulations like the EU’s General Data Protection Regulation (which can carry fines of up to 4 percent of a company’s global annual revenue), data protection in general and the role of the chief information security officer (CISO) in particular are under a new spotlight of board-level attention and scrutiny. Just one significant breach has the potential to cause a company serious reputational and financial damage and end the careers of the company’s top executives.

So how should CISOs go about prioritizing and reconsidering their data protection and information security programs? More importantly, how do they address these issues in the context of a global organization while also dealing with rapidly evaporating perimeters, employees who access data from just about anywhere at any time, and business leaders who are driven by the misguided concept that more is always better when it comes to data?

Monitoring for potential hacks and exploits is now as commonplace as scanning for viruses, but organizations should not make the mistake of relying too heavily on their existing scanning technologies and forgetting that most costly breaches come from simple failures, not attacker ingenuity.

Related Article: How Much Information Security Is Enough?

Big Threats From Within

In my experience, the most common mistake businesses make when it comes to cybersecurity is focusing their data protection strategies on keeping outsiders out, when internal employees may represent some of our biggest security risks. Many breaches are caused by rogue employees who launch attacks from the inside; others can be attributed to careless employees who do not follow good security practices and either expose sensitive data or leave the company’s systems vulnerable to outside attacks.

According to the 2018 “Insider Threat” report from Crowd Research Partners, 90 percent of organizations “feel vulnerable to insider attacks” and “the most common [cause] of insider threat is accidental exposure by employees.” Of the 472 cybersecurity professionals who participated in the online survey on which the report is based, 67 percent said that phishing attempts are the “biggest enabler of accidental insider threats.” Phishing attacks are scams in which outside hackers trick employees into sharing sensitive company information by posing as representatives of legitimate businesses or trusted contacts, often sending emails with attachments that contain malware or links to illicit websites.

Either intentionally or unintentionally, insiders may represent the greatest threat to your data protection program. The good news? You can take actions to alleviate inside threats the most.

Train your end users to appropriately identify and classify the sensitive data they handle or create, and verify that they are doing so. Using a combined or layered approach to data classification can ensure that the policies, training and tools you provide are properly understood and integrated into the day-to-day tasks of your employees.

Related Article: Hacktivism and the Insider Threat

Mitigating Risk

Security isn’t really about security. It’s about mitigating risk — at some cost, a cost that can be high. Because of the cost, in the absence of metrics we tend to focus on risks that are familiar or recent. Unfortunately, that means we are often reactive rather than proactive. To avoid that pitfall, it’s increasingly important to understand how data, people and locations weave together to create patterns — good and bad — across and within your organization.

While automated detection technologies can help you build a risk-mitigation program, you really need to engage in a more all-encompassing undertaking that includes policies, education and measurement, ultimately ensuring that your organization can appropriately balance collaboration and transparency with data protection and privacy.