We have all heard this before, but just how bad are things, really? According to Verizon’s 2016 Data Breach Investigations Report (“DBIR”), insider and privilege misuse was once again one of the leading causes of incidents and breaches in 2015, accounting for 10,489 total incidents, 172 of them with confirmed data disclosure. Some of this misuse is perpetrated by malicious actors motivated by financial gain, and some of it is the result of well-meaning employees who either lacked cybersecurity awareness or simply made a mistake.
While there are no perfect answers for addressing the multitude of possible insider attacks, which can range from privilege abuse, to data mishandling, to the use of unapproved hardware, software, and workarounds, to email misuse, implementing the steps below can go a long way in reducing the risks.
Five Steps to Reduce Insider Misuse
- Train your employees on cybersecurity. According to a recent study by MediaPro, only 12 percent of employees have the cybersecurity awareness necessary to prevent common cybersecurity incidents. Consider including cybersecurity training in your onboarding process for employees with access to protected data, and repeat it yearly. If you are in a highly regulated industry, you may be required to do so already. Set up an email account for reporting suspicious emails and ask your users to forward “phishy” messages to it. Your security personnel should monitor that account, since a cluster of similar reports is often the first sign of a campaign against your organization. Continuously refresh the training materials to account for new threats and trends. Attackers become more sophisticated and more persistent every year, and your defense program needs to keep pace.
- Filter your email. Many of the opportunities for insider misuse arrive by email. Implement and test email filtering to weed out potentially malicious messages before your employees have a chance to interact with them. Even well-trained employees can have an off moment and click a malicious link. As an anecdote to go with the statistics, a Chief Information Officer of a Fortune 500 company recently shared with me that the group that consistently takes the lead in failing the phishing exercise is their company’s Legal department. Email filtering can go a long way toward minimizing the odds of human error.
- Monitor your outbound traffic. By monitoring outbound (egress) traffic you increase your chances of identifying suspicious connections and the siphoning of data off your network. This can help detect a malicious insider who is exfiltrating data over the company network. Log who sent how much to which external destination, establish a baseline of normal volumes per user or host, and alert on departures from it, such as unusually large transfers to a single destination, uploads to personal webmail or consumer file-sharing services, or connections to bare IP addresses with no business purpose.
- Require multi-factor authentication and strong passwords. Authentication controls of this kind are already required if your organization handles electronic financial or health information. As such, failure to implement them can lead not only to a data breach but also to regulatory scrutiny. According to Verizon’s 2016 DBIR, 63% of confirmed data breaches involved weak, default, or stolen passwords. Although this is a fairly easy control to implement, some organizations try to sidestep it. Recently, I was asked whether a company that holds a good amount of health information could use a single username and a shared password for one of its departments. The answer to that question is a resounding no. Not only is it prohibited by the HIPAA Security Rule, which requires unique user identification, but if you ever find yourself needing to investigate insider misuse, it will be impossible to trace which user performed which actions while logged in with shared credentials.
- Limit user access and disable remote access of departing employees. According to Verizon’s 2016 DBIR, almost one third of insiders involved in cybersecurity incidents and breaches are end users who have access to sensitive data as a requirement of their jobs. As such, do not give end users the ability to access protected data they do not need in the course of their duties. If an employee moves to a different position within your organization, adjust her data access accordingly rather than letting old entitlements accumulate. If feasible, consider disabling removable storage devices to prevent users from copying data off your network through USB ports. Have a procedure in place for IT to disable access for every terminated employee immediately upon termination, covering not just the domain account but also VPN, email, and any cloud or SaaS accounts and access tokens. Additionally, for employees who are in the process of leaving your company, whether voluntarily or not, consider monitoring their use of your systems, as it is all too tempting for some to forward company data to their Gmail accounts.
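The outbound-traffic monitoring and departing-employee watchlist described in the steps above, as an added example that is not part of the original post: a small detector run over constructed egress log lines. It aggregates bytes sent per user and external destination and raises an alert for bulk transfers, uploads to personal webmail or consumer file-sharing hosts, transfers by users on a departing-employee watchlist, and sizable transfers to bare IP addresses. The log format, the field layout, the host lists, the thresholds and the sample records are all assumptions made for this illustration; a real deployment would read proxy, firewall or NetFlow exports and would derive thresholds from a per-host baseline rather than fixed constants.

```python
"""Flag possible data exfiltration in outbound (egress) logs.

Added example, not code from the original post. Log format, host lists,
thresholds and sample records are constructed for illustration only.
"""
from collections import defaultdict
import ipaddress

# Constructed sample egress log: timestamp, user, source IP, destination host, bytes sent.
SAMPLE_LOG = """\
2016-06-01T09:02:11Z alice 10.0.1.12 crm.example.com 1200
2016-06-01T09:05:40Z alice 10.0.1.12 mail.google.com 35000
2016-06-01T09:10:03Z bob 10.0.1.15 files.dropbox.com 850000000
2016-06-01T09:12:19Z carol 10.0.1.20 crm.example.com 4000
2016-06-01T09:15:55Z carol 10.0.1.20 mail.google.com 2200000
2016-06-01T09:20:10Z dave 10.0.1.22 203.0.113.45 90000000
"""

# Assumed business destinations that never trigger an alert.
APPROVED_DESTINATIONS = {"crm.example.com"}
# Assumed personal webmail / consumer file-sharing hosts (constructed list).
WATCHED_DESTINATIONS = {"mail.google.com": "webmail", "files.dropbox.com": "personal-cloud"}
# Assumed watchlist of employees who have given notice or are being let go.
DEPARTING_USERS = {"carol"}

MIB = 1024 * 1024
BULK_THRESHOLD = 50 * MIB        # bulk transfer to any single external destination
WATCHED_THRESHOLD = 1 * MIB      # upload to a webmail / personal-cloud host
DEPARTING_THRESHOLD = 1 * MIB    # lower bar for users on the departing watchlist
DIRECT_IP_THRESHOLD = 1 * MIB    # sizable transfer straight to an IP with no hostname


def parse_log(text):
    """Parse whitespace-separated egress records into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, sent = line.split()
        records.append({"ts": ts, "user": user, "src": src, "dst": dst, "bytes": int(sent)})
    return records


def aggregate(records):
    """Total bytes sent per (user, destination) pair within the log window."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["user"], r["dst"])] += r["bytes"]
    return totals


def is_bare_ip(dst):
    """True when the destination is a literal IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(dst)
        return True
    except ValueError:
        return False


def find_alerts(records):
    """Apply the detection rules to aggregated totals and return one alert per flagged pair."""
    alerts = []
    for (user, dst), total in sorted(aggregate(records).items()):
        if dst in APPROVED_DESTINATIONS:
            continue
        reasons = []
        if total >= BULK_THRESHOLD:
            reasons.append("bulk transfer")
        category = WATCHED_DESTINATIONS.get(dst)
        if category and total >= WATCHED_THRESHOLD:
            reasons.append(f"{category} upload")
        if user in DEPARTING_USERS and total >= DEPARTING_THRESHOLD:
            reasons.append("departing user")
        if is_bare_ip(dst) and total >= DIRECT_IP_THRESHOLD:
            reasons.append("direct-to-IP destination")
        if reasons:
            alerts.append({"user": user, "dst": dst, "bytes": total, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"{a['user']:6} -> {a['dst']:20} {a['bytes']:>11} B  {', '.join(a['reasons'])}")
```

Run against the constructed sample, the detector stays quiet on alice's routine browsing and on traffic to the approved CRM host, but flags bob's 850 MB push to a consumer file-sharing service, carol's 2.2 MB upload to webmail while on the departing watchlist, and dave's 90 MB transfer to a bare IP address. The reasons list is what an analyst would triage on; in practice the fixed thresholds would be replaced by a per-user or per-host baseline so that a normally chatty build server is not reported as an insider.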
Preventing insider misuse is an important aspect of a well-designed organizational cybersecurity plan. Consider implementing the steps above together, and in the context of any other measures reasonably needed to ensure the overall cybersecurity of your organization, taking into account the types of protected data you collect, process, and transfer and your data management workflow.