You've heard that Twitter was hacked. And the CIA. And that a malicious Desjardins employee caused the largest ever data breach in the Canadian financial services sector. And how about the automobile insurance company that inadvertently gave up the driver license information for 27 million policyholders in Texas?
The thing these high-profile breaches have in common is that they were all undertaken by insiders. Whether committed on purpose for financial gain or as a a result of human error, insider risk took a hit on these powerful organizations' revenue and reputations.
Despite the growing risk, data security events caused by insiders are not being taken seriously. New research in the Code42 Data Exposure Report notes that more than half (54%) of IT security leaders spend less than 20% of their budget on insider risk, and 66% of IT security leaders say their budget for insider risk is insufficient. This is a major problem for organizations around the world as users, applications, and data continue to move outside the hardened data center and corporate perimeter as part of digital transformation policies. And, unfortunately, it's going to get worse before it gets better. In their most recent predictions, Forrester says that insider incidents will be the cause of 33% of data breaches in 2021, up from 25% in 2020.
Learn to Recognize the Personas that Pose the Greatest Insider Risk
Organizations need to lock down insider risk to data without inhibiting the user experience or creating roadblocks. This requires building a culture of trust where employees are given the benefit of the doubt and trusted to act professionally with the best interests of the organization in mind. Then, instead of monitoring every activity by every user, organizations should look at insider risk indicators (IRIs) to identify risky behavior and create actionable information to stop it in its tracks.
Here are three personas that you need to watch out for when determining insider risk across your organization:
We all have some of these in our lives — the people from the office who are always quick to email a document to a wide distribution. Or they upload a file to a cloud service, or post sensitive information in an unauthorized application. They think they're helping by giving people quick access to valuable information, and they aren't afraid to cut corners to get the job done. Behind the scenes, you just know they are saving files to their personal devices and cloud accounts with little consideration for privacy and security protocols. These people are not malicious, just victims of poor judgment or human error. But their actions result in the same vulnerabilities from malicious actors that keep security professionals up at night.
The Guy with One Foot Out the Door
Their exact motivations could vary, but make no mistake; people who have made the decision to leave the company and take critical information with them are only looking out for themselves. This could be projects they've worked on that they'd like to save in their portfolio. A database of customers they could win over to a competitor. Or just a report with a great format that they'd like to duplicate in their new job. Regardless, the information they take with them can negatively impact your organization's ability to do business, compete fairly against competitors, and protect customer privacy. When you read about court cases involving IP theft, you can often link them to the guy with one foot out the door.
While rare, this is among the most disruptive in the bunch. There are a few varieties of troublemakers, including a mole or insider for hire. Troublemakers are likely out to make a buck by selling corporate information. They may be engaging in some corporate espionage. Maybe they have political motivations to be disruptive or engage in sabotage. We most often see this kind of troublemaker in sectors with lucrative R&D programs – think tech, telecom, biotech or big pharma. The US government's case against Huawei is a prime example from the telecom space.
Infrequently, tech-savvy individuals, who often don't intend to do harm, want to find out how things work and may conduct their own unsponsored "security testing." Whether out of curiosity, boredom, or arrogance, they take it upon themselves to see if security controls actually work, which is likely at odds with acceptable use policies, can erroneously be seen as an attempt to test monitoring capabilities for a later exfiltration, and is a distraction for security teams. While we don’t want to dampen a curious spirit, this may not be the best outlet for their tinkering because the end result creates insider risk nonetheless.
You Don't Have to Compromise
Insider risk management doesn't have to come at the expense of productivity, innovation or collaboration. Identifying abnormal behavior and top IRIs is key to protecting the organization from both malicious and unintentional harm without disrupting operations. From the Over-Sharer to the Troublemaker, it's important that you know the personas that are putting your data and your organization at risk.