I was just reading the results of a Forrester study called, “Understand the State of Data Security and Privacy.” One of the big findings was that “insiders” were the top source of breaches in the last 12 months, with 36% of breaches attributed to the (often inadvertent) misuse of data by employees.
I’m not surprised by this and I doubt you are, either. After all, insiders have the most access to our critical systems and data, so it stands to reason they would be a top vector for attacks and data disclosure problems.
This Forrester report drives home the need for enterprises to monitor their systems and data for suspicious changes and activities, regardless of the source. Merely watching network traffic is not sufficient.
In Principle, It’s About the Principles
In my opinion, a few “tried & true” security principles come into play here, as we think about the solution to this problem:
- Least Privilege: Take a look at who can access what data in your world, and objectively evaluate whether the level of access is appropriate or not. If the data in question is “make or break” data for your business, make sure the list of people who can access it, change it, etc. is the shortest list possible.
- Trust, But Verify: It is good that you trust your employees but note that the report emphasizes inadvertent misuse of the data as a common issue. In other words, people are people and can make mistakes. Monitor what they are doing throughout the chain – from system configurations, account permissions, application workflow, access, changes, and so on. Log what is happening and put controls in place to detect and escalate exceptions. Where possible, automate the checks to take cost and human weariness out of the equation.
- Know What Normal Looks Like: Establish baselines – of configurations, traffic, user behavior, application access to data, human access to data, and so forth – so you can recognize when something unusual happens. This will make your job easier.
- Arm Your Employees With The Means To Succeed: Corporate policies are just documented expectations, and our expectations will be crushed if they aren’t met. Until employees are given the means and motive to adhere to your corporate policies, you’re basically relying on luck. Remember: hope is not a strategy, and trust is not a control. If your employees don’t know any better, you can count on them doing something inappropriate with your data, regardless of their intent.
- Examples of what I mean: Training on how to handle, safeguard, and dispose of sensitive data; training on how to maintain vigilance and awareness of social engineering attacks; clear instruction on what your policies mean to each person in the normal course of doing their job; etc.
- Reinforce The Training: From an employee training and knowledge retention perspective, I’ve seen great success with coupling awareness training with follow-on retention tests and “secret shopper” style testing to determine whether employees are actually hanging on to the information they are expected to know. Getting people to practice what they know early and often is a key factor in helping them develop responsible habits that support your business objectives.
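To make the “Trust, But Verify” and “Know What Normal Looks Like” points concrete, here is an added example (not from the original post) that builds a per-user baseline of data access from a learning window and then flags later accesses that fall outside it. The event tuples are constructed sample data; a real deployment would feed this from an audit log, and the `slack` tolerance on working hours is an assumption to tune.

```python
"""Baseline-and-deviation check for insider data access (added example, constructed data)."""
from collections import defaultdict

# Events are (user, dataset, hour_of_day, action). Constructed sample data: a
# "learning" window that defines normal, and later events to check against it.
BASELINE = [
    ("alice", "payroll", 9, "read"), ("alice", "payroll", 14, "read"),
    ("alice", "hr_records", 10, "read"),
    ("bob", "sales_crm", 8, "read"), ("bob", "sales_crm", 16, "export"),
]
CURRENT = [
    ("alice", "payroll", 11, "read"),     # within baseline
    ("alice", "sales_crm", 10, "read"),   # dataset alice never touched before
    ("alice", "payroll", 2, "export"),    # new action, and at 02:00
    ("bob", "sales_crm", 15, "export"),   # within baseline
    ("carol", "payroll", 10, "read"),     # user with no baseline at all
]

def build_baseline(events):
    """Per user: datasets touched, actions used, and the hours observed."""
    profile = defaultdict(lambda: {"datasets": set(), "actions": set(), "hours": set()})
    for user, dataset, hour, action in events:
        profile[user]["datasets"].add(dataset)
        profile[user]["actions"].add(action)
        profile[user]["hours"].add(hour)
    return dict(profile)

def find_exceptions(baseline, events, slack=2):
    """Return [(event, reasons)] for events outside the user's baseline; slack widens the hour range."""
    flagged = []
    for event in events:
        user, dataset, hour, action = event
        p = baseline.get(user)
        if p is None:
            flagged.append((event, ["no baseline for user"]))
            continue
        reasons = []
        if dataset not in p["datasets"]:
            reasons.append("dataset not in baseline")
        if action not in p["actions"]:
            reasons.append("action not in baseline")
        if not min(p["hours"]) - slack <= hour <= max(p["hours"]) + slack:
            reasons.append("outside usual hours")
        if reasons:
            flagged.append((event, reasons))
    return flagged

if __name__ == "__main__":
    for (user, dataset, hour, action), reasons in find_exceptions(build_baseline(BASELINE), CURRENT):
        print(f"ESCALATE {user} {action} {dataset} at {hour:02d}:00 -> {', '.join(reasons)}")
```

Each flagged event carries the reasons it deviated, which is what an escalation path needs to decide between a quiet reminder and a real investigation.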
Make the Right Thing Easy and the Wrong Thing Hard
A big accelerator in companies’ success with good data hygiene occurs when the culture makes the right thing easy and the wrong thing hard. Automated controls to reinforce the positive and act on the negative help, particularly if the reinforcement comes very quickly after the error.
The challenge is making the cultural shift that creates this reinforcement. One way to make the cultural expectation stronger is to perform regular training, then provide reports on the retention scores of employees.
But don’t stop there – take it to a new level by organizing the scores according to the business executives to whom they report. This “improvement by competition” approach can help the cultural shift happen more quickly – after all, no executive likes to be at the bottom of the list.
I’ll be commenting more on the Forrester report as I continue to chew through it, as I think there are some thought-provoking elements in it. If you have additional principles or thoughts on the “insider problem” I’d love to hear from you.
P.S. Have you met John Powers, supernatural CISO?