Defending your organisation against insider threats
Digital security is top of mind for most companies. Harrowing headlines about ransomware and data breaches remind us that an entire criminal underworld looms large, aching to break into company systems.
But what about insider threats?
This risk is less spoken of, perhaps because the threat isn't as obvious. Yet it happens often: employees access files they are not meant to, sometimes even copying and sharing the information with unauthorised parties. According to Carnegie Mellon's CERT definition, an insider threat is "the potential for an individual who has or had authorised access to an organisation's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organisation".
In some instances, such as whistleblowers, such acts can be deemed noble. But insider threats manifest in various shapes – disgruntled employees, espionage, people ignoring security policies, victims of phishing attacks or even criminals with stolen credentials posing as employees. Often it can just come down to plain negligence, especially as people work remotely.
"The thing most overlooked with remote work is that data is leaving a company through simple mistakes," says Pete Smith, Vice-President and EMEA General Manager at zero trust data security provider archTIS. "It's your users who are accidentally sending something to the wrong person or sneaking a peek for personal gain. A prominent example of this is in healthcare, where employees access medical records of celebrities. But it may be as simple as sharing salary details with peers because of jealousy. Not all insider threats intend to be malicious, but they still cause damage."
What about zero trust?
Insider threats have increased tremendously in recent years. According to the Ponemon Institute, these rose 47% between 2018 and 2020 – those are pre-pandemic, pre-remote work numbers, and yet already cost companies millions in damages. Of those breaches, 23% were criminal and 62% were negligent.
A nuanced, granular security model called zero trust tackles such problems by focusing on a user's access rights and behaviour. In theory, if you have zero trust security active in your systems, you shouldn't have problems with insider threats. But it depends on where and how the zero trust security layer is created, says Irena Mroz, archTIS's Chief Marketing Manager: "Zero trust often applies to network access and application access, but rarely to the data that sits behind those checkpoints. Once the user is authenticated into the network or into the application, it stops there. You still need those solutions – I'm not advocating to get rid of zero trust around your network and your applications. But you must take that same methodology and apply it to the data."
Some security methods are rather blunt and restrict data more than is helpful, for example blocking attachments outright or forcing employees to use cumbersome software such as secure viewers in all circumstances. Those measures are effective, but they rub against productivity and weaken security habits. Called static data security, such measures keep the bad guys out but also make it hard for the good guys to do their jobs.
Data security with context
This conundrum – security versus productivity – is often where the gaps start to appear. Yet, it's difficult to police insiders… unless you apply more zero trust context directly to the data. Mroz elaborates: "For any piece of data at any given point in time, what's the sensitivity of the data? Who is accessing it? And what are their surroundings at that point? Are they, maybe, at a coffee shop? Such questions determine, A, should we give you access to that document, and B, if we do give you access, what can you do with it? Should you be allowed to simply view it in a secure reader? Must it be watermarked? Are you allowed to copy and paste or download that specific data so you can do your job? Should you be able to edit it? Should you be able to share it? What about sharing, and if so, who can you share it with? Securing data at this level is highly granular and zero trust every step of the way."
Zero trust data management complements other security layers and uses artificial intelligence to bring that level of scrutiny right to the individual instances of data access. It adds real-time data security features suitable for both end-user organisations and managed security providers. The goal is to close the loop so that zero trust systems can operate at various levels. Above all, notes Smith, this makes it hard for criminals even if they did gain access: "Let's say a hacker gets their hands on the holy grail – administrator credentials. That should provide the keys to the kingdom and can sidestep many other preventions. But when they try to access data, the same questions come up: Who are you, why do you need access, where are you situated and are you allowed to do this? When you apply scrutiny on data access and movement, it clips the wings of criminal intruders."
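A worked example of the per-access decision Mroz and Smith describe, added here and not archTIS's code or product logic: a small attribute-based policy function that weighs the document's sensitivity, the user's clearance and group membership, and the network and device the request comes from, and returns which actions are allowed. Note that an "admin" group membership appears nowhere in the rules, so stolen administrator credentials gain nothing at the data layer. All attribute names and policy rules are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Context:
    """Who is asking and from where (hypothetical attributes, constructed for this example)."""
    user: str
    groups: frozenset          # e.g. {"finance"}; "admin" grants no data rights here
    clearance: Sensitivity     # highest sensitivity this user is cleared for
    network: str               # "corporate", "vpn" or "public"
    managed_device: bool       # device is enrolled and policy-compliant


@dataclass(frozen=True)
class Document:
    name: str
    sensitivity: Sensitivity
    owner_group: str


def evaluate(ctx: Context, doc: Document) -> dict:
    """Decide, for this user, document and context, which actions are permitted.

    Every action starts denied; a right is granted only when the attributes support it.
    """
    decision = {a: False for a in ("view", "copy", "download", "edit", "share")}
    decision["watermark"] = True  # default to the most cautious rendering
    # Gate 1: clearance must cover the document's sensitivity, whatever the user's role.
    if ctx.clearance < doc.sensitivity:
        return decision
    # Gate 2: restricted data is never served to a public network or an unmanaged device.
    if doc.sensitivity == Sensitivity.RESTRICTED and (ctx.network == "public" or not ctx.managed_device):
        return decision
    decision["view"] = True
    trusted = ctx.network in ("corporate", "vpn") and ctx.managed_device
    if not trusted:
        return decision  # e.g. at a coffee shop: watermarked secure-reader view only
    decision["watermark"] = doc.sensitivity >= Sensitivity.CONFIDENTIAL
    decision["copy"] = decision["download"] = True
    decision["edit"] = doc.owner_group in ctx.groups
    # Sharing stays inside the owning group and never applies to restricted material.
    decision["share"] = decision["edit"] and doc.sensitivity <= Sensitivity.CONFIDENTIAL
    return decision
```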
It also keeps employees from causing damage while still letting them do their jobs. And in the post-perimeter security world, where services and employees operate outside the company's boundaries, data follows. So should security.