Insider Threat Management

How to Prevent Sensitive Data from Being Exfiltrated


(Updated on 04/15/2021)

Data exfiltration is a major problem for the modern organisation, and more so now than ever, as the shift in working patterns and the adoption of digital productivity tools have created many new endpoints. And despite your best efforts, you may still face data leakage because of one major factor: your people. People are the new security perimeter. Their actions, whether negligent, compromised or malicious, can lead to costly insider threats. In fact, the number of insider-caused cybersecurity incidents has increased by 47% since 2018.

Needless to say, if your organisation stores or handles sensitive data, then you need to have a plan in place to stop data exfiltration.

Here are three steps to help you prevent sensitive data from being exfiltrated from your organisation.


Step 1: Identifying Your “Sensitive” Data

The first step in protecting your sensitive data is to understand exactly what data your organisation possesses and handles, and how sensitive that data is. For some organisations, regulatory and compliance frameworks are very clear about what constitutes sensitive data and how it must be treated. For example, GDPR outlines the steps that must be taken to ensure secure processing of all personal data, which it defines as:

Any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

Any organisation that processes the data of EU citizens must follow GDPR requirements or risk serious fines. Similarly, industry-specific guidelines like HIPAA provide specific protection rules around uniquely sensitive data like protected health information (PHI). And PCI DSS outlines security measures that apply to cardholder data. Modern data loss prevention (DLP) solutions let you reuse your existing data identifiers or provide rich, out-of-the-box classifiers to reduce your data classification workload.

Depending on your organisation’s location, industry, and the nature of your business and your customers, your sensitive data will vary and therefore will require different regulations to be met.

In fact, among many modern firms, intellectual property, customer lists, product roadmaps and HR compensation data constitute the bulk of their sensitive data. After all, your customers may not always care, but such information is critical to your business and your competitive advantage. Consider using a Cloud Access Security Broker (CASB) that applies modern contextual techniques such as proximity data matching and exact data matching to differentiate between confidential and non-sensitive files.
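To make the two techniques named above concrete, here is an added example (not code from the original post or from any vendor's product) of a minimal classifier. Exact data matching fingerprints a constructed reference list of customer IDs with a keyed hash and looks those fingerprints up in document tokens; proximity matching only treats a 16-digit number as cardholder data when it passes the Luhn check and a payment keyword appears within a 40-character window. The customer IDs, the fingerprint key, the keyword list and the three sample documents are all constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed reference data: the customer IDs an organisation wants to find in
# outbound documents. In practice only the fingerprints leave this step, so a
# scanner on an endpoint never holds the clear-text customer list.
REFERENCE_CUSTOMER_IDS = ["CUST-10482", "CUST-77310", "CUST-90021"]
FINGERPRINT_KEY = b"example-only-key"  # assumption: a per-organisation secret


def fingerprint(value):
    """Keyed hash of a normalised value. HMAC rather than a bare hash, so the
    index cannot be reversed by hashing a guessed dictionary without the key."""
    normalised = value.strip().upper().encode()
    return hmac.new(FINGERPRINT_KEY, normalised, hashlib.sha256).hexdigest()


EDM_INDEX = {fingerprint(v) for v in REFERENCE_CUSTOMER_IDS}
TOKEN_RE = re.compile(r"[A-Za-z0-9-]+")


def exact_data_matches(text):
    """Exact data matching: tokens whose fingerprint appears in the index."""
    return [tok for tok in TOKEN_RE.findall(text) if fingerprint(tok) in EDM_INDEX]


# Proximity matching: a 16-digit number on its own is ambiguous (order numbers,
# tracking ids), so it only counts as cardholder data when it passes the Luhn
# check AND a payment keyword sits within WINDOW characters of it.
PAN_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
CONTEXT_RE = re.compile(r"\b(card|visa|mastercard|cvv|expiry)\b", re.IGNORECASE)
WINDOW = 40


def luhn_ok(number):
    """Luhn checksum used by payment card numbers."""
    digits = [int(ch) for ch in number if ch.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def proximity_matches(text):
    """Card-like numbers that are Luhn-valid and have a payment keyword nearby."""
    hits = []
    for m in PAN_RE.finditer(text):
        if not luhn_ok(m.group()):
            continue
        lo, hi = max(0, m.start() - WINDOW), m.end() + WINDOW
        if CONTEXT_RE.search(text[lo:hi]):
            hits.append(m.group())
    return hits


def classify(text):
    """Label a document 'confidential' if either technique fires."""
    edm = exact_data_matches(text)
    prox = proximity_matches(text)
    return {
        "label": "confidential" if (edm or prox) else "non-sensitive",
        "exact_matches": edm,
        "proximity_matches": prox,
    }


# Constructed sample documents.
DOC_CUSTOMER_EXPORT = "Q3 renewals: CUST-10482 renewed, CUST-55555 churned."
DOC_PAYMENT = "Customer paid with card 4111 1111 1111 1111, expiry 12/24."
DOC_SHIPPING = "Order ref 4111 1111 1111 1111 shipped Tuesday."

if __name__ == "__main__":
    for name, doc in [("customer export", DOC_CUSTOMER_EXPORT),
                      ("payment note", DOC_PAYMENT),
                      ("shipping note", DOC_SHIPPING)]:
        print(name, classify(doc))
```

The shipping note contains the same Luhn-valid number as the payment note but no payment keyword nearby, so it stays non-sensitive; that context check is what keeps proximity matching from flagging every 16-digit order or tracking number.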

The bottom line is that you don't need to spend months to a year just discovering and classifying data. It should be done immediately, so that your security teams have visibility into high-risk users moving sensitive data within the organisation.

Step 2: Focus on Sensitive Data in Motion

Now that you know what data needs to be protected, consider how that data is used. In today's work-from-everywhere environment, data moves extremely fast and well beyond the traditional enterprise security perimeter. As a result, traditional endpoint DLPs are not enough on their own.

Instead, consider using a people-centric DLP that connects the user to any data movement or risky behaviour across files, apps and endpoints. Over time, cybersecurity, IT, HR and legal teams can easily understand the 'who, what, where, when' and intent around alerts and incidents. And by correlating user activity and data movement, your security team can move quickly to protect against data leaks and address insider threats. This is especially relevant when insiders are interacting with sensitive data in a way that may not be secure. For example, users may attempt to exfiltrate data using removable media (e.g. USB drives), print jobs, keyboard shortcuts, and business, personal or temporary email clients, to name a few.

It’s all about monitoring both user and data activity to understand when data is moving in a way that could pose risk. This one-two punch approach is the best possible way to prevent data exfiltration within a complex, modern organisation where data is growing, moving, and changing all the time. 
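As an added illustration of the correlation the two paragraphs above describe (this is example code, not the post's or any product's logic), the block below takes a constructed batch of endpoint events, joins each data-movement event on a confidential file to the same user's most recent read of that file, and emits a 'who, what, where, when' alert. Movement of non-sensitive data produces nothing; movement of sensitive data is escalated when it follows a read within a short window or goes to an external mailbox. The events, hostnames, users, the corporate mail domain and the 30-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample endpoint-agent events (not real telemetry). Each file-level
# event already carries the label produced by the classification step.
EVENTS = [
    {"ts": "2021-04-15T09:02:10", "user": "alice", "host": "LT-0142", "action": "file_read",
     "path": "/shared/finance/Q1_comp_review.xlsx", "label": "confidential"},
    {"ts": "2021-04-15T09:04:55", "user": "alice", "host": "LT-0142", "action": "usb_write",
     "path": "/shared/finance/Q1_comp_review.xlsx", "label": "confidential", "dest": "E:\\"},
    {"ts": "2021-04-15T09:30:00", "user": "bob", "host": "LT-0077", "action": "file_read",
     "path": "/shared/marketing/brand_guide.pdf", "label": "non-sensitive"},
    {"ts": "2021-04-15T09:31:12", "user": "bob", "host": "LT-0077", "action": "usb_write",
     "path": "/shared/marketing/brand_guide.pdf", "label": "non-sensitive", "dest": "E:\\"},
    {"ts": "2021-04-15T11:15:00", "user": "carol", "host": "LT-0310", "action": "file_read",
     "path": "/shared/sales/customer_list.csv", "label": "confidential"},
    {"ts": "2021-04-15T13:40:00", "user": "carol", "host": "LT-0310", "action": "email_send",
     "path": "/shared/sales/customer_list.csv", "label": "confidential", "dest": "carol.home@example.com"},
    {"ts": "2021-04-15T14:00:00", "user": "dave", "host": "LT-0500", "action": "print",
     "path": "/shared/hr/offer_letter.docx", "label": "confidential", "dest": "HQ-PRN-03"},
]

# Channels named in the text: removable media, print jobs, clipboard/keyboard
# shortcuts and e-mail clients.
EXFIL_ACTIONS = {"usb_write", "print", "clipboard_copy", "email_send"}
READ_TO_EXFIL_WINDOW = timedelta(minutes=30)
CORPORATE_MAIL_DOMAINS = {"example.org"}  # assumption: the organisation's own domain


def is_external_mail(dest):
    """True when an e-mail destination is outside the corporate domains."""
    if "@" not in dest:
        return False
    return dest.rsplit("@", 1)[1].lower() not in CORPORATE_MAIL_DOMAINS


def correlate(events, window=READ_TO_EXFIL_WINDOW):
    """Join data movement to the user activity that preceded it.

    Every exfil-channel event on a confidential file becomes an alert carrying
    who/what/where/when. Severity rises to 'high' when the same user read the
    file shortly before moving it (a read-then-copy sequence) or when the
    destination is an external mailbox.
    """
    alerts = []
    last_read = {}  # (user, path) -> time of that user's latest read of the file
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["path"])
        if ev["action"] == "file_read":
            last_read[key] = when
            continue
        if ev["action"] not in EXFIL_ACTIONS or ev["label"] != "confidential":
            continue  # the "what" is not sensitive: movement alone is not an incident
        minutes_since_read = None
        if key in last_read:
            minutes_since_read = (when - last_read[key]).total_seconds() / 60
        severity = "medium"
        if minutes_since_read is not None and minutes_since_read <= window.total_seconds() / 60:
            severity = "high"
        if ev["action"] == "email_send" and is_external_mail(ev.get("dest", "")):
            severity = "high"
        alerts.append({
            "who": ev["user"],
            "what": ev["path"],
            "where": f'{ev["action"]} -> {ev.get("dest", "?")} on {ev["host"]}',
            "when": ev["ts"],
            "minutes_since_read": minutes_since_read,
            "severity": severity,
        })
    return alerts


def describe(alert):
    """One-line summary in the 'who, what, where, when' form the text describes."""
    if alert["minutes_since_read"] is None:
        gap = "no prior read logged"
    else:
        gap = f'{alert["minutes_since_read"]:.1f} min after reading it'
    return (f'[{alert["severity"].upper()}] {alert["who"]} moved {alert["what"]} '
            f'via {alert["where"]} at {alert["when"]} ({gap})')


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(describe(a))
```

Bob's USB copy of a non-sensitive brochure is deliberately silent, while Alice's copy of a confidential spreadsheet minutes after opening it and Carol's send to a personal mailbox both surface as high-severity: the data label and the user activity together decide the outcome, which is the one-two punch the text refers to.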

Step 3: Gaining Visibility is Key to Protecting Sensitive Data

Verizon's 2020 Data Breach Investigations Report showed that organisations are losing more data year over year to both external compromises and insiders. In fact, 30% of all data breaches are driven by insiders. But not all insiders are malicious. According to Ponemon's Real Cost of Insider Threats report, negligent insiders account for 62% of all incidents.

Given the prevalence of insider threats, it is even more troubling that it takes an average of 77 days to contain a data-loss-related incident.

With an insider threat management (ITM) platform in place, your organisation can achieve full visibility into the movement of sensitive data. This means you can track files in use, in motion and at rest. You can identify specific exfiltration points, like a rogue USB drive, and detect suspicious behaviour in real time. You gain insight into what insiders are doing with sensitive data regardless of whether they are acting maliciously, negligently or unknowingly.

Ultimately, an ITM provides clarity and context around what happened so you can understand user intent and take appropriate action to protect sensitive data. That could mean sending a user alert to remind them of policies, conducting an investigation, or even passing the information along to HR or law enforcement, depending on the severity of the activity. Deeper insight can also help security teams speed up investigations and increase their own productivity.

Protecting sensitive data is an important goal for organisations today, and the visibility achieved with a platform like Proofpoint Insider Threat Management (ITM) is the best way to achieve that goal.

Ready to see what Proofpoint ITM can do for your organisation?