We live in interesting times where the traditional way of doing business is being disrupted and remote work is gradually becoming the norm. This is finally obliterating the secure perimeter and for security professionals, it sets a challenge to protect business and sensitive data now stored virtually everywhere. To mitigate data breach risk, organizations must focus their attention on how employees interact with data. According to research, negligent employees and contractors caused the majority of data breaches associated with insider threats in 2019. And this year we can expect these numbers to rise.
It is worth exploring exactly how users — both regular users and IT team members — put critical data at risk. The 2020 Data Risk & Security Report revealed four major reasons that lead to security incidents caused by insiders. This article explains those findings and then offers recommendations for reducing the risk of a costly breach, especially when so many employees are working remotely.
#1. Sporadic review of user access rights
Regular entitlement reviews are critical for enforcing the least-privilege principle and thereby minimizing the risk of security incidents related to sensitive data. However, more than half (54%) of organizations surveyed admitted that they ignore this security best practice and do not review user access rights to data on a regular basis. Over the past 12 months, 38% of these organizations reported a data breach caused by an employee.
#2. Sensitive or regulated data stored outside of a secure location
Knowledge workers tend to save copies of files wherever is convenient for them in order to get faster and easier access, and when they go remote, the temptation to download as many documents from corporate file shares as they can onto their personal devices is even higher. Sometimes they also move sensitive files simply by mistake. These actions often go completely unnoticed by the IT staff and increase the risk that this data will be handled improperly, exposing the business to unnecessary security and compliance risks.
Nearly every IT pro surveyed (91%) said they were absolutely confident that their organization stores sensitive and regulated data only in secure locations. Nevertheless, 24% of them admitted they had actually discovered such data outside of designated secure places in the past year. In 62% of these cases, the sensitive data was left overexposed for days or even weeks.
#3. Direct access to critical data granted at a user's request
Best practices recommend assigning permissions through group memberships rather than directly. Plus, it is crucial to have a review process in order to verify that each request is authorized. This approach enables organizations to ensure that users have only the permissions they need to do their jobs, and nothing more, which minimizes security risks. Sadly, IT staff members tend to break these rules: 30% of system administrators admitted to granting direct access to sensitive and regulated data based solely on a user’s request without checking with the user’s manager.
#4. Data sharing with unauthorized users
Employees also tend to put data at risk through improper sharing. Among organizations surveyed, 12% reported at least one security incident due to unauthorized data sharing last year, and almost half (44%) of those incidents led to a data breach. Furthermore, 56% of CISOs (Chief Information Security Officers) admitted that staff in their organizations use cloud applications to share sensitive data outside of IT control or knowledge.
How to reduce risks of security incidents caused by employee negligence?
These findings demonstrate that organizations need a multi-pronged approach to risk mitigation and should not rely solely on security policies carved in stone. Moreover, even though IT professionals are responsible for implementing cybersecurity programs and risk management, they do not have unilateral control over all the sensitive data the business handles. They also cannot know exactly how people interact with it, especially if those people are working remotely or accessing the shares from their personal devices.
To more efficiently address these challenges, consider these key best practices for reducing the insider threat risk:
- Classify data based on its sensitivity. This helps IT professionals understand where sensitive information resides in their IT environment and allocate their security efforts wisely, with an increased focus on the most critical content, such as regulated data, trade secrets, or customer and employee personal information.
- Control who has access to what data. Regular privilege audits and attestations will help ensure that each user has only the privileges they need to perform their jobs — no more and no less. Minimizing access rights limits the damage that a user account (or an attacker who compromises the account) can do, either accidentally or deliberately.
- Track how users interact with data. Even if you granted access rights to critical data to authorized staff only, you should not forget about the human element, as even trusted insiders can make mistakes or abuse their privileges. To promptly spot suspicious activity that puts data at risk, it is critical to audit activity around your data (especially data classified as sensitive) throughout its lifecycle, from creation and usage to sharing and disposal. This keeps the IT team on the lookout for suspicious and potentially malicious activity.
- Regularly train and test employees to make secure behavior stick. Finally, organizations must keep in mind that frequent cybersecurity training is the best way to get employees to follow security rules and be more responsible when working with sensitive information. It is also of vital importance to tailor training sessions for different groups of employees. For instance, privileged users like system administrators need to learn not to grant users direct access to data and always check for proper approvals, while non-IT employees need to understand why it is not OK to pass corporate information through their personal messengers and other services outside IT control.
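As an added illustration of the entitlement-review practice above (not code from the report or its authors), the following script runs two of the checks discussed in findings #1 and #3 over a constructed ACL export: it flags sensitive-data permissions granted directly to a user account rather than through a group, and sensitive entitlements whose last attestation is older than an assumed 90-day review window. The CSV columns, share paths and principals are all made up for the example.

```python
"""Entitlement-review checks over a (constructed) file-share ACL export."""
import csv
import io
from datetime import date, timedelta

# Constructed sample export. Columns: who holds the permission, whether that
# principal is a user or a group, the share path, the rights, the data
# classification label, and when the entitlement was last attested.
SAMPLE_ACL_EXPORT = r"""principal,principal_type,path,rights,sensitivity,last_reviewed
DOMAIN\Finance-RO,group,\\fs01\finance,Read,regulated,2020-03-01
DOMAIN\jsmith,user,\\fs01\finance\payroll,FullControl,regulated,2019-06-15
DOMAIN\HR-Staff,group,\\fs01\hr,Modify,regulated,2019-01-10
DOMAIN\mjones,user,\\fs01\marketing,Read,public,2020-02-20
"""

# Assumed policy values (not from the report): which labels count as sensitive
# and how often sensitive entitlements must be re-attested.
SENSITIVE_LABELS = ("regulated", "confidential")
REVIEW_WINDOW = timedelta(days=90)


def parse_export(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def find_direct_user_grants(entries, sensitive_labels=SENSITIVE_LABELS):
    """Finding #3: permissions on sensitive data assigned to a user instead of a group."""
    return [e for e in entries
            if e["principal_type"] == "user" and e["sensitivity"] in sensitive_labels]


def find_stale_reviews(entries, today, window=REVIEW_WINDOW,
                       sensitive_labels=SENSITIVE_LABELS):
    """Finding #1: sensitive entitlements not re-attested within the review window."""
    stale = []
    for e in entries:
        if e["sensitivity"] not in sensitive_labels:
            continue  # only sensitive data is subject to the quarterly attestation
        if today - date.fromisoformat(e["last_reviewed"]) > window:
            stale.append(e)
    return stale


def review_report(text, today):
    """Return (principal, path) pairs for each flagged entitlement."""
    entries = parse_export(text)
    return {
        "direct_user_grants": [(e["principal"], e["path"]) for e in find_direct_user_grants(entries)],
        "stale_reviews": [(e["principal"], e["path"]) for e in find_stale_reviews(entries, today)],
    }


if __name__ == "__main__":
    for kind, hits in review_report(SAMPLE_ACL_EXPORT, date(2020, 4, 1)).items():
        print(kind, hits)
```

In practice the export would come from a permissions-reporting tool or a script that walks the shares, and the flagged rows are the ones to route to the data owner for re-approval or removal.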