While hackers hit the headlines, insider threats should not be forgotten
Insiders with authorised access to sensitive information represent credible and growing security threats, which businesses should ignore at their peril, says Mark Kendrew.
Insider threats must be tackled to control access to and circulation of data
Hardly a month passes without reports of hacker attacks on high profile firms that destroy business reputations, share prices and executives' careers. The ensuing "arms race" between businesses and hackers is consuming valuable resources at Board level. However, greater damage can be caused by insider threats, which operate in the shadows, bypassing security and leaking sensitive data.
Businesses are increasingly dependent on data, which makes them more and more vulnerable to the leakage of sensitive data. Success increasingly depends on collaboration: sharing sensitive data internally between teams, and also externally with customers and business partners. Working practices involved in collaborating at local, national and international levels make it difficult to control access to and circulation of data. Therefore, insiders with authorised access to sensitive information represent credible and growing security threats, which businesses should ignore at their peril.
What are the common insider threat types?
The insider threat has evolved in recent years. Historically, the insider was seen as acting with malicious intent, either alone for personal gain or retribution, or with the direction and support of third parties motivated by commercial gain, criminal intent or espionage. However, there are also two groups of insiders who do not have malicious intent: first, those who accidentally release sensitive data through improper use of IT (eg sending e-mails to the wrong person); and second, those users whose credentials are unwittingly stolen and exploited by hackers to mine sensitive documents and e-mails.
Looking at all these threats, it is possible to use a similar combination of security controls and monitoring to both reduce the level of data leakage risk and detect when breaches might have occurred.
Prioritise data leakage prevention activities
Effective data leakage prevention relies on businesses taking steps to protect their information from creation to deletion, ensuring that it is used, stored and shared with appropriate levels of security. However, businesses must also achieve their strategic goals. Given that security is often an overhead, any data leakage controls and breach detection must be achieved with careful consideration of their impact on ways of working and management overheads. Therefore, businesses should classify the sensitivity of their data so that resources can be focused on where data leakage and insider risks are the highest.
An integrated set of data leakage prevention tools
IT operating systems have routinely logged data to record changes to system configurations; user permissions; or specific user activities. Such logs are often dispersed across the IT landscape and even if combined, would not present a complete picture for combatting insider threats. The marketplace has been changing rapidly with a growing range of vendors developing specialist applications to assist with: data classification; access management; protection of data at rest and in transit; and data governance. Whilst these tools are good at what they do, businesses are still left with the need to integrate these systems to compile monitoring data and better understand user behaviours.
Use IT to drive the changes needed to prevent data leakage
Whilst data leakage prevention tools can enable businesses to characterise normal user behaviours, they can also be used to provide alerts based on deviations from these assessed behaviour norms. However, such alerts are not infallible as user roles may change over time or behaviour analyses might not truly reflect the norm. Therefore, the security applications must be integrated within business processes that enable the whole user context to be understood. Only then can the reported alerts be dismissed or confirmed as insider attacks. This approach would also underpin changes in behaviours that could reduce the risks of data leakage in the first place.
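The two points above, that logs from separate systems only tell the story once they are combined, and that an alert on deviation from a user's behavioural norm must be read in the user's wider context (such as a recent role change) before it is confirmed or dismissed, can be shown in a small script. What follows is an added illustration, not code from the article or from any vendor product it alludes to; the log formats, user names, thresholds and the 14-day role-change window are all constructed assumptions.

```python
"""Baseline-and-deviation alerting over events merged from several sources.

Added illustration, not code from the article. Log formats, user names,
thresholds and the role-change window are constructed assumptions.
"""
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# --- Constructed sample data (not real logs) -------------------------------

def make_file_log(spec):
    """Expand (day, user, n) triples into 'YYYY-MM-DD user path' lines."""
    lines = []
    for day, user, n in spec:
        lines.extend(f"{day} {user} share/doc{i:02d}.pdf" for i in range(n))
    return "\n".join(lines)

FILE_LOG = make_file_log([
    # alice: one or two documents a day, then a sudden bulk read
    ("2024-03-01", "alice", 1), ("2024-03-02", "alice", 1),
    ("2024-03-03", "alice", 2), ("2024-03-04", "alice", 1),
    ("2024-03-05", "alice", 1), ("2024-03-06", "alice", 12),
    # bob: the same jump, but the HR feed shows a role change on 2024-03-05
    ("2024-03-01", "bob", 1), ("2024-03-02", "bob", 1),
    ("2024-03-03", "bob", 1), ("2024-03-04", "bob", 1),
    ("2024-03-05", "bob", 1), ("2024-03-06", "bob", 10),
    # carol: busy but consistent
    ("2024-03-01", "carol", 3), ("2024-03-02", "carol", 4),
    ("2024-03-03", "carol", 3), ("2024-03-04", "carol", 4),
    ("2024-03-05", "carol", 3), ("2024-03-06", "carol", 4),
])

# Mail-gateway log: one line per outbound attachment, 'YYYY-MM-DD user recipient'
MAIL_LOG = """\
2024-03-03 alice partner@example.net
2024-03-06 alice personal@example.org
2024-03-06 alice personal@example.org
2024-03-06 alice personal@example.org
2024-03-06 alice personal@example.org
2024-03-06 alice personal@example.org
2024-03-02 carol client@example.com
2024-03-06 carol client@example.com
"""

# HR / identity feed of role changes: 'YYYY-MM-DD user old_role new_role'
ROLE_LOG = """\
2024-03-05 bob analyst finance-manager
"""

# --- Parsing: every source is reduced to (date, user) events ---------------

def parse_events(text):
    """Parse 'YYYY-MM-DD user ...' lines into (date, user) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            fields = line.split()
            events.append((date.fromisoformat(fields[0]), fields[1]))
    return events

def parse_role_changes(text):
    """Parse the HR feed into {user: [(date, old_role, new_role), ...]}."""
    changes = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            day, user, old, new = line.split()
            changes[user].append((date.fromisoformat(day), old, new))
    return changes

def daily_counts(*event_lists):
    """Merge events from all sources into {user: {date: count}}.
    Days with no logged events are absent, so they do not enter the
    baseline; a production system would fill those in as zeros."""
    counts = defaultdict(lambda: defaultdict(int))
    for events in event_lists:
        for day, user in events:
            counts[user][day] += 1
    return counts

# --- Baseline and deviation ------------------------------------------------

def assess(counts, role_changes, day, k=3.0, floor=3, role_window=14):
    """Judge `day` against each user's earlier days.

    status: 'normal', 'alert', or 'review' (a deviation that coincides with
    a recent role change, so the new norm must be checked with the business
    before the alert is confirmed or dismissed).
    """
    verdicts = {}
    for user, per_day in counts.items():
        history = [n for d, n in per_day.items() if d < day]
        today = per_day.get(day, 0)
        if len(history) < 3:
            verdicts[user] = {"status": "insufficient-history", "count": today}
            continue
        mu, sigma = mean(history), pstdev(history)
        threshold = mu + max(k * sigma, floor)  # floor: sigma may be zero
        status = "normal"
        if today > threshold:
            status = "alert"
            for changed_on, _old, _new in role_changes.get(user, []):
                if 0 <= (day - changed_on).days <= role_window:
                    status = "review"
        verdicts[user] = {"status": status, "count": today,
                          "threshold": round(threshold, 2)}
    return verdicts

def run(day=date(2024, 3, 6)):
    counts = daily_counts(parse_events(FILE_LOG), parse_events(MAIL_LOG))
    return assess(counts, parse_role_changes(ROLE_LOG), day)

if __name__ == "__main__":
    for user, verdict in sorted(run().items()):
        print(f"{user:6} {verdict}")
```

Run as a script, it reports alice as a deviation worth investigating, bob as a deviation that needs the role-change context resolved first, and carol as within her norm. The threshold floor matters: a user whose history is perfectly regular has a standard deviation of zero, and without the floor any single extra event would trip the alert.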
Extend data leakage prevention to business partners
Business operations are characterised by the growing need to work with third parties, such as legal advisors or IT service providers. In addition, more data is being stored in Cloud storage solutions and on mobile devices that fall outside the direct control of business information owners or security teams. IT can provide some solutions for information rights management that can reach into third parties. However, it would be dangerous for businesses to rely totally on such solutions to secure their sensitive data. Therefore, businesses must work with their customers and business partners to ensure appropriate measures are reciprocated to mutually and appropriately protect each other's sensitive data.
Contributed by Mark Kendrew, director of Apollo Communication Intelligence & Security Ltd, on behalf of Odgers Interim.