(Updated on 02/24/2021)
Data exfiltration risks for insiders are higher than ever. Make sure you have these four common sources for data leaks under control.
Workplace security has been changing over the last few years, and security for remote workers is now more important than ever. With more employees, contractors and other insiders working from home than ever before, companies are facing higher risks for data exfiltration.
Even before the new remote workforce dynamic came into play, researchers were finding that insider threats were on the rise. According to Ponemon’s 2020 Cost of Insider Threat report, insider-caused cybersecurity events have increased by 47 percent in the last two years. Meanwhile, in 2019, Verizon’s Data Breach Investigations Report found that 34 percent of cybersecurity breaches involved an internal actor.
In this post, we’ll explore the top four sources for data compromises by insiders and the consequences of each. We’ll also share Insider Threat Management (ITM) tips and resources to bring these risky areas under control, so that companies can protect their data, even in this new era of remote, distributed workforces.
1: Shadow IT
While many organizations have official, company-sanctioned IT tools and infrastructure, people don’t always follow the rules. Whether they’re trying to get around a cumbersome process, shortcut something, or avoid tech that just doesn’t work, employees and other insiders often build a “shadow IT” infrastructure, which can lead to serious data leaks. In fact, according to the 2019 Verizon Data Breach Investigations Report, one of the top forms of misuse from approved users was unapproved workarounds—in other words, people cause breaches by trying to circumvent protocols.
Running parallel to the company’s official infrastructure, this shadow system often includes non-sanctioned tools and apps that help people do their jobs. Shadow IT can include:
- SaaS applications
- Cloud technology
- Web applications
While the intentions might be good, the results can be disastrous.
Consequences: Imagine an employee shares files outside the organization through an unsanctioned cloud storage application and leaves the access privileges wide open. Now the data, documents or information can be accessed by more than the intended recipients. Yet, the organization will be blissfully unaware. Such blind spots can be very damaging as the security teams can neither detect nor prevent such bad behavior as they are not aware of the application in use. The same goes for web-based applications like code repos, social media and less well-known email, SaaS apps that have access to files, and more.
ITM Tip: Organizations should take steps to prevent data leaks by limiting the ability for employees and other insiders to download or access unsanctioned technology on corporate-owned devices, such as laptops and mobile devices. Tools like DLP or ITM software can alert the security team when something unusual or risky happens, or if data is found outside of approved environments. And, most importantly, companies should solicit feedback about security, reinforce protocols with training, and listen to employees—people often circumvent technology for a reason.
2: Legacy Tools
While there are many new sources of data exfiltration, the old school methods are still a risk. Outside of SaaS tools and cloud solutions, employees, contractors, partners and other insiders may use physical tools and legacy tech, such as:
- USBs or other external storage devices
- Desktop email
- Print jobs
Consequences: Often, all these tools need to be used for legitimate purposes; for example, handouts may be printed at home as notes for an online presentation. But these sources can also be a big risk: imagine an employee leaves a USB key full of confidential information in a restaurant or at a conference. Or, if sensitive documents are printed at home by a disgruntled individual before they tender their resignation without ever leaving their home. In both cases, the controls within the corporate perimeter are easily circumvented.
ITM Tip: To prevent this type of data leak, some organizations may choose to ban USBs altogether. For others, this isn’t a possibility. In either case, developing a USB policy—and ensuring new and longtime employees are aware of it—is a best practice. When it comes to printed materials, consider simple, common-sense techniques, such as preventing the printing of sensitive files (such as HR documents), monitoring for suspicious behavior such as printing during off-hours, and providing shredders in the office. These kinds of low-tech solutions can stop some possible incidents in their tracks.
3: Privileged or Business Users
Every organization has high-risk individuals. Some of them are even Very Attacked People (VAPs), who are frequently targeted for various scams. As with the previous sources for data exfiltration—shadow IT and legacy tools—the threat profiles posed by people are as diverse as today’s workforce itself.
Some insiders are privileged users, meaning they have a huge amount of control and power over data and highly sensitive information. In fact, the 2019 Verizon Data Breach Investigations Report found that 15% of breaches involved some kind of misuse by authorized users; and one of the top forms of misuse was the abuse of privileges.
Privileged insiders present the following risks to data:
- Executing command line changes
- Accessing databases
Other users who present risk are business users with access to sensitive data or IP. These individuals may engage in the following risky behaviors:
- Using cut/copy/paste or other keyboard shortcuts
- Downloading external files and documents
Consequences: Both privileged and business users can unintentionally—and intentionally—do harm to an organization. Those with technical expertise can click on a phishing link that enables account takeover or can unintentionally leave servers unprotected to expose data publicly. Those with exposure to sensitive customer or non-public information can unintentionally reveal non-public information on social media or messaging applications or can exfiltrate sensitive IP before departing the organization.
ITM Tip: For users with privileged access, secondary authentication tools can provide a sense of their activity and limit the possibility of harm. These tools should be framed as protective efforts for sensitive information—not something meant to slow down workflows (lets users resort to creating workarounds to avoid delays). Conduct regular audits, too—otherwise, insider threats can fly under the radar for extended periods of time.
A tried and true way to attack organizations, phishing continues to be a popular tactic for hackers. Its variants—smishing, vishing, and more—are on the rise, too. According to the 2019 Verizon Data Breach Investigations Report, social engineering attacks are involved in one-third (33 percent) of breaches. While secure email gateway platforms block the vast majority of threats (even the latest coronavirus lures), every organization is likely to have someone click on a malicious email, link, or download at some point.
Common sources for phishing include:
- Accidental errors, like clicking on malware
- Sharing passwords
- Social engineering scams
Consequences: Little mistakes—like clicking on a malicious link—can have big consequences. Phishing emails can deposit harmful malware, spyware, ransomware, and other malicious files on computers, potentially infecting an entire corporate network. When this happens, organizations can be targeted for payments, lose IP, and more.
ITM Tip: The name of the game in phishing is to pair technology tools with phishing education. Employees and other insiders need to be able to recognize the signs that an email is malicious. But even further upstream, secure email gateway solutions will weed out most potential threats. With tools and education in place, fewer emails will make it into inboxes—and when they do, insiders will know not to click.
While organizations like to believe they are secure, the truth is that insider threats are already happening. As of early 2020, Ponemon estimated the annual cost for insider threats at $11.45 million. As data exfiltration incidents increase, that cost is likely to grow further, too. For organizations of all shapes and sizes, insider threat incidents are a matter of when, not if.
To address these four key sources of insider threat incidents, companies should adopt a tech-enabled ITM plan, find the right tools to support security—such as ITM software, email monitoring software, and more—and stay vigilant.
Subscribe to the Proofpoint Blog