IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Thu, 1st Nov 2012

When people in 12 countries were asked “What action would you take if you found out your personal information being held by an organisation had been accessed by an unauthorised person?”, Unisys found that individuals are prepared to take strong action against the organisation responsible for the data breach.

In New Zealand, 80% said that they would stop dealing with an organisation if their data was breached, 48% said they would publicly expose the issue and 36% said they would take legal action.  These are all actions that can harm a business’s bottom line, reputation or both.  Clearly, this shows that securing against data breaches is a business issue rather than merely an IT one.

Whether personal client data, intellectual property, or corporate documents – preventing a data breach is a key concern for most corporates and IT managers.  And WikiLeaks serves as a reminder that, in some cases, the enemy is inside the enterprise – ‘trusted’ employees and contractors with authorised access to sensitive corporate data.

The extent of ‘insider attacks’ ranges from 4% (2012 Verizon Data Breach Report) to over 20% (2011 CyberSecurity Watch Survey conducted by CSO magazine).  But what can be agreed upon is that the damage incurred by insider security breaches can be far more severe than that caused by external threats.

Intentional or not, compromise is probable

The insider threat can be unintentional (such as a lost USB drive with corporate financial data, a lost or stolen mobile device with access to corporate systems or emails, or an employee fooled into disclosing data) or malicious (such as a disgruntled or compromised employee).

Regardless, the consequences can be devastating.  But how to protect against insider threats?

While there is no single solution, basic advice is to take appropriate steps to secure the perimeter, but also to treat the internal environment as hostile territory.  In other words, take the insider threat seriously and don’t pretend it doesn’t exist.

There are many tools that can detect potential security breaches by monitoring data access/usage by insiders.  However, with these approaches, detection occurs after the fact.  Also, the additional monitoring and processing required to close the gap between occurrence, detection and response may result in significant performance degradation.

Prevention (still) better than cure

Newer end-point protection technologies focus on the prevention of data breaches.  For example, data encryption can be used to enforce ‘need-to-know’ access control.  However, traditional ‘need-to-know’ security solutions often incur significant administrative overhead as changes are required to multiple system components (e.g., routers) whenever there is a need to add/delete personnel or create/change roles.

Seek out technologies that overcome the administration challenge; newer encryption technologies can support highly secure ‘communities of interest’ that can be administered easily and efficiently via Microsoft Active Directory or similar tools.

For organisations providing access to sensitive data from mobile devices, ‘need-to-know’ access control may require further augmentation by attribute-based access control:

  • Need-to-know-WHO: If the data is particularly sensitive, verify the identity of the requestor through a second/stronger form of authentication such as a voice or face biometric.
  • Need-to-know-WHERE: If an employee has the requisite need-to-know right to access a particular data resource, but the request comes from a laptop or mobile device in a café or other public area, it may present an unacceptable risk.
  • Need-to-know-WHEN: If an employee is requesting access to data resources outside normal hours, there may be cause to question the request or enforce additional authentication.
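
The three conditions above can be combined into one access decision. The following is an added example, not code from the article or from any product it mentions; the network range, the hours, the field names and the choice to refuse sensitive data off-network are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed policy values for illustration (assumptions, not from the article).
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8")]
NORMAL_HOURS = (time(7, 0), time(19, 0))  # Monday to Friday


@dataclass(frozen=True)
class AccessRequest:
    user_communities: frozenset  # communities of interest the user belongs to
    resource_community: str      # community the data resource is restricted to
    sensitive: bool              # resource is flagged as particularly sensitive
    source_ip: str
    when: datetime
    strong_auth: bool = False    # second factor (e.g. biometric) already verified


def decide(req: AccessRequest):
    """Return (decision, reasons); decision is 'deny', 'step_up' or 'allow'."""
    # Baseline need-to-know: outside the community means no access at all.
    if req.resource_community not in req.user_communities:
        return "deny", ["no need-to-know for this resource"]

    on_network = any(ip_address(req.source_ip) in n for n in CORPORATE_NETWORKS)
    start, end = NORMAL_HOURS
    in_hours = req.when.weekday() < 5 and start <= req.when.time() < end

    # WHERE: sensitive data requested from an untrusted location is refused
    # outright (a policy choice made for this example).
    if req.sensitive and not on_network:
        return "deny", ["WHERE: sensitive resource requested off-network"]

    reasons = []
    if req.sensitive:
        reasons.append("WHO: sensitive resource needs stronger authentication")
    if not on_network:
        reasons.append("WHERE: request from outside the corporate network")
    if not in_hours:
        reasons.append("WHEN: request outside normal hours")

    # Any raised condition demands step-up authentication before access.
    if reasons and not req.strong_auth:
        return "step_up", reasons
    return "allow", reasons
```

Returning the reasons alongside the decision gives the audit log a record of which condition triggered the extra authentication or the refusal.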

While no technical solution can protect against all forms of insider threats, organisations can significantly reduce their insider threat risk profile by moving beyond perimeter defence and treating their internal environment as hostile territory.