(Updated on 10/30/2020)
Historically, when a cybersecurity team looks to decrease the risk of data loss at their organization, they look towards Data Loss Prevention (DLP) technology. These tools are often hyped for their ability to tag, categorize, and control data movement, but in many cases where an organization has a DLP in place, data leaks still happen.
Obviously, that’s no good!
The typical reason for this involves people, or more specifically, your employees and third-party contractors (the insider threat). To put it simply, DLP tools are OK for monitoring and limiting file activity, but they can’t give you insight into what your trusted users are up to with said data and access.
If you’re currently utilizing a DLP solution, don’t panic! All is not lost. We’re here to help you crack the code on detecting, investigating, and preventing insider threat incidents. Here are a few things to take into consideration regarding your current DLP setup, and how you might better approach insider threat risk management:
New Ways of Working
According to a recent independent study from The Ponemon Institute, 2 out of 3 insider threat incidents are caused by employee or contractor mistakes. These incidents may include a breach in cybersecurity policy, including the duplication, exfiltration, and/or leakage of data.
In an attempt to reduce this risk, many organizations have implemented traditional DLP solutions to monitor communication channels (ports, protocols or storage locations) and prevent certain data from leaving the corporate perimeter based on predefined rules. For example, DLP could be configured to automatically remove or quarantine a spreadsheet saved to a file server if it contains personally identifying information (PII) or financial data.
While DLP aims to prevent data loss, on its own it hasn’t been particularly effective at addressing the dynamic needs of employees and contractors as they perform their duties. With the growing popularity of remote work and the “work from anywhere” trend, it is nearly impossible to rely on a data-centric solution like DLP alone. The fact is, your people can create, modify, and share information separate from any DLP-controlled source. User activity needs to be taken into account alongside any data-specific interactions to give full contextual visibility into perceived threats.
The Productivity Challenge
Another big challenge with DLP is productivity, for both the cybersecurity team managing a DLP solution and the employees it’s intended to protect. Specifically, you need to strike a good balance between your people, processes, and technology: your data loss solution should not be a barrier to getting things done, but it should still guide insiders toward cybersecurity best practices.
For example, it’s often nearly impossible to maintain meaningful data exfiltration restrictions at the network level on what information should be leaving a company. Since DLP solutions make decisions without business (or user-activity-based) context, they can be incredibly restrictive and frustrating for employees trying to share information or collaborate. As a result, most DLP solutions barely restrict data from leaving a company because there’s a general fear of slowing down employee productivity. Implementation rules may start out strict, but they have to be relaxed over time if they’re a barrier to job performance (rather than a helpful guide to secure activity). What’s more, many systems require the user to make decisions (for example, quarantining vs. allowing certain files), which leaves a lot of room for error.
While some DLP solutions have adopted techniques such as sanitization and the full extraction of Social Security numbers and other sensitive data, they nonetheless require a significant amount of dedicated cybersecurity staff hours to continuously fine-tune rules and review alerts on a case-by-case basis (not to mention the long setup time at implementation). This fine-tuning can involve reviewing legitimate content that has been delayed from leaving the organization (for example, an HR director trying to enroll new employees in a medical plan).
Supplementing DLP with Insider Threat Management
Since the specific use case of insider threat is so people-centric, it’s critical to detect early indicators of risk by monitoring user activity alongside any necessary data or file restrictions. Supplementing a DLP tool with a user-activity-focused insider threat management solution can be effective for organizations that have already invested time and resources in configuring and managing a DLP solution.
Why? People are unpredictable, so strict DLP data monitoring rules and policies aren’t always fail-safe. This is especially true since employees are now working from anywhere and using a wide variety of cloud applications (whether they’re sanctioned or not).
Allowing for some flexibility to detect suspicious or out-of-policy behavior from the people using your corporate systems on a daily basis could help cybersecurity teams investigate potential incidents faster, and perhaps prevent costly insider threats altogether.
Whether these risky behaviors are entirely unintentional or malicious, it’s better to have visibility into your employee and contractor activity.
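To make the contrast concrete, here is an added example (not code from this post or from any DLP product) that puts a content-only DLP rule, like the PII-in-a-spreadsheet rule described earlier, beside the same rule enriched with user-activity context. The role names, destinations, risk weights and sample file are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Content rules of the kind a traditional DLP policy applies (patterns are illustrative).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(number: str) -> bool:
    """Checksum filter so random 16-digit strings are not flagged as card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_content(text: str) -> dict:
    """Count PII indicators in a file body, as a content-only DLP rule would."""
    return {"ssn": len(SSN_RE.findall(text)),
            "card": sum(1 for c in CARD_RE.findall(text) if luhn_ok(c))}

def dlp_only_decision(text: str) -> str:
    """Traditional DLP: any PII match quarantines the file, whoever moved it and wherever."""
    hits = classify_content(text)
    return "quarantine" if hits["ssn"] or hits["card"] else "allow"

@dataclass
class Activity:
    """Hypothetical user-activity context captured alongside the file event."""
    user: str
    role: str          # e.g. "hr", "finance", "contractor"
    destination: str   # "file_server", "usb" or "personal_cloud"
    hour: int          # local hour of the action, 0-23

def context_decision(text: str, act: Activity) -> str:
    """Same content rule, but the response is scaled by who did what, where and when."""
    hits = classify_content(text)
    if not (hits["ssn"] or hits["card"]):
        return "allow"
    risk = 0
    if act.destination in ("usb", "personal_cloud"):   # data leaving controlled storage
        risk += 2
    if act.role not in ("hr", "finance"):               # role has no business need for PII
        risk += 1
    if act.hour < 7 or act.hour > 20:                   # out-of-hours activity
        risk += 1
    return "allow" if risk == 0 else "alert" if risk == 1 else "quarantine"

# Constructed sample: an HR enrolment sheet (fake SSN and a Luhn-valid test card number).
ENROLMENT_SHEET = "name,ssn,card\nA. Example,123-45-6789,4111 1111 1111 1111\n"
```

With the same sheet, the content-only rule quarantines the HR director's legitimate save to the file server, while the context-aware rule lets it through and escalates only when a contractor copies it to removable media out of hours.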