Insider-led Data Breaches Drive a Need for Holistic Defense Frameworks

Threats from within the castle walls are the biggest cause of data breaches, according to new research

According to an October Forrester Research report titled 'Understand the State of Data Security and Privacy', 36% of breaches in the last month were caused by non-malicious human error. The mishandling of data is rampant, as is a lack of awareness: less than half (42%) of employees of North American and European small and midsize businesses surveyed had received training on how to remain secure at work, and only 57% said they were aware of their organization's security policies. 

Dwayne Melancon, CTO of software specialist Tripwire, said in an emailed statement that the findings were no surprise. “After all, insiders have the most unfettered access to critical systems and data, so it stands to reason they would be a top vector for attacks and data disclosure problems. This data drives home the need for enterprises to monitor their systems and data for suspicious changes and activities, regardless of the source. Merely watching network traffic is not sufficient.”

Policies however can only go so far – even when they’re enforced. "Policies are just expectations until employees are given the means and oversight to enforce your corporate policies,” Melancon added. “If they don't know any better, you can count on them doing something inappropriate with your data, regardless of their intent."

Malice is prevalent too though: 25% of respondents said that abuse by a malicious insider was the most common issue.

"The rise in insider threat represents a trend that has been going on for quite some time. Attackers used to ‘push’ their attacks to servers, now the dominant tactic is to just have the inside user ‘pull’ the attacks into the enterprise where they can be installed and persist over long periods of time,” said TK Keanini, CTO at Lancope, in an email.

He added, “The other related factor is that, while the Internet gateways are well monitored and protected, the Intranet gateways are not. Again, the longer they can go undetected, the better; and this favors an inside strategy."

Companies are nonetheless investing in cybersecurity: the survey showed that 17% of the collective security budgets of the respondents was going toward data security (that percentage was the highest allocation except for network security at 21%). The problem, some say, is how that budget is being spent.

“Companies have spent fortunes defeating network attacks, firewall breaches, viruses – but left their data center exposed to the biggest security problem that exists – people,” said Barry Shteiman, director of security strategy at Imperva, speaking to ITPro. “The insider data breaches problem is so big because it does not necessarily mean hackers. Any employee in an organization may be a malicious insider, and even worse, any employee can be a compromised insider – it doesn't matter if it's the receptionist or the CEO – as long as they have access to the company's data.”

The Forrester report's author and analyst, Heidi Shey, noted that guidelines are needed in the form of a data control framework to approach data leakage holistically. She recommended a three-pronged approach that starts with definitions and inventory: data discovery and classification, and assigning a value to each data set. Organizations should then apply analytics to that data to find out when and where it is being used. Finally, assigning access controls relative to data importance, weeding out and deleting old, irrelevant data, and encrypting the appropriate data sets are all part of the process.

Amar Singh, chair of ISACA UK's Security Advisory Group, said the framework sounds good in principle, but in practice it poses issues. “The framework mentioned sounds very good in theory, but finding that needle or bunch of needles in a haystack is easier said than done,” he noted in an emailed statement. “Furthermore, data classification exercises again sound good in theory, but all too often every type of data starts being stamped as important or critical.”

Singh said that a more sensible and practical approach could be to start by identifying the people, such as human resources and legal personnel, who access known critical data sets. Following due process, companies should engage and encourage these critical resources to gradually embed and increase security controls in their day-to-day operational activities.

They should also define what is normal for the organization, and apply simple tweaks to existing systems to generate alerts on abnormal activity.

“Example: Is the HR administrator accessing the salary package at 09:00 in the evening a normal and acceptable event?” noted Singh.
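The combination Shey and Singh describe, a classified data inventory plus a baseline of what is normal per role and alerts on deviations, can be sketched as a small detector over access logs. The code below is an added illustration, not from the report or from either speaker; the inventory, role baselines and log lines are constructed for the example, and Singh's 09:00-in-the-evening HR access appears as one of the events.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed data inventory: each data set carries a classification value
# (1 = low, 3 = critical). Names and values are assumptions for this example.
DATA_INVENTORY = {
    "hr_salary_package": 3,
    "legal_contracts": 3,
    "marketing_assets": 1,
}

# Constructed baseline of "normal": which data sets each role usually touches,
# and during which hours of the day (range end is exclusive).
BASELINE = {
    "hr_admin": {"data_sets": {"hr_salary_package"}, "hours": range(8, 19)},
    "legal_counsel": {"data_sets": {"legal_contracts"}, "hours": range(8, 19)},
    "receptionist": {"data_sets": {"marketing_assets"}, "hours": range(8, 18)},
}

@dataclass
class Alert:
    user: str
    data_set: str
    reason: str
    severity: int  # taken from the data set's classification value

def check_access(user: str, role: str, data_set: str, when: datetime) -> list:
    """Return alerts for one access event, weighted by the data set's classification."""
    severity = DATA_INVENTORY.get(data_set, 0)
    profile = BASELINE.get(role)
    if profile is None:
        return [Alert(user, data_set, "unknown role", severity)]
    alerts = []
    if data_set not in profile["data_sets"]:
        alerts.append(Alert(user, data_set, "data set outside role's normal scope", severity))
    if when.hour not in profile["hours"]:
        alerts.append(Alert(user, data_set, f"off-hours access at {when:%H:%M}", severity))
    return alerts

def scan_log(lines) -> list:
    """Parse constructed lines 'timestamp user role data_set'; keep alerts on valued data only."""
    alerts = []
    for line in lines:
        ts, user, role, data_set = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M")
        alerts.extend(a for a in check_access(user, role, data_set, when) if a.severity >= 2)
    return alerts

SAMPLE_LOG = [  # constructed events
    "2014-11-03T10:15 alice hr_admin hr_salary_package",   # normal working-hours access
    "2014-11-03T21:00 alice hr_admin hr_salary_package",   # Singh's example: 09:00 in the evening
    "2014-11-03T11:30 bob receptionist legal_contracts",   # critical data outside role scope
    "2014-11-03T23:45 bob receptionist marketing_assets",  # off-hours but low value: not escalated
]
```

Filtering on severity is what keeps the low-value off-hours event out of the alert list; it is the tuning knob that stops "everything is critical" from flooding the reviewer, the failure mode Singh warns about.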

Organizations can also use ISACA's COBIT 5 framework to help make information security a repeatable, manageable and cultural part of the organization, he added.
