In the past few years, public releases of private data have become common. While a majority of these data breaches are caused by someone outside the company, or hackers worming their way past security measures, many breaches are caused by people within the enterprise. According to a security report issued by the Intel Security Group, “[i]nternal actors were responsible for 43% of data loss, half of which is intentional, half accidental”. With the average cost of a single data breach in 2015 at $3.79 million (a 23% increase since 2013), it is well worth the time to keep an eye on your data.
Given the number of breaches and associated cost, it makes sense for companies to spend more to protect their most important data from both outside and inside threats – sadly this is not the case. While “[c]ompanies deploying security intelligence systems, on average, experience a substantial cost savings of $1.9 million… companies deploying access governance tools experience cost savings of $1.8 million on average”, it is still reported that only 11% of companies consider themselves safe from insider threats. One can infer that 89% of companies are knowingly vulnerable to a data breach.
One of the most common insider threats is employees who leave the company. According to Gemalto, “[i]n more than 70% of [Intellectual Property] thefts, insiders stole the information within 30 days of announcing their resignation”, while reports indicate 60% of exiting employees take company data with them, either for personal gain or simply to use in their new job. This stolen information is typically uploaded to cloud storage, attached to emails, or copied to removable drives – the last of which accounts for 40% of breaches.
While recording every keystroke, mouse click, and file transfer is technically possible, fighting the insider threat is much harder than pervasive data collection. The hard part is knowing which of the millions of keystrokes, mouse clicks, and file transfers each day are malicious. To perform their job, employees must transfer files, send email attachments, and insert removable storage, so stopping, or even delaying, such activity hurts the bottom line of the company and frustrates employees. Current SIEM platforms can detect potential data breaches by identifying obviously malicious activity, but activity that is malicious for one employee is benign for another. An insider exposed to monitoring for years also learns what the SIEM system deems “malicious”. While accounting may rarely move large files, systems administrators and the research department may do so commonly. Therefore, DLP solutions fail because it is hard to distinguish between benign and malicious activity, between people who require large file transfers and those who do not, and between people who frequently work with company IP and those who do not. This problem is made harder by the insider who avoids detection by drawing on years of daily experience with the DLP solution.
So what can be done?
First, deploy a good DLP solution to identify obviously malicious activity, such as violations of enterprise security policy. At the very least, this helps keep the honest employee honest. Second, monitor the open, deep, and dark web for your sensitive data, so you are the first to know when your DLP solution fails. This allows you to immediately mitigate the damage. Third, focus on data behavior, rather than user behavior. The data is your property and the people are not, so the law gives you greater latitude when you focus on your data. Finally, watch this site for upcoming posts to help you understand how to apply Data Behavior Analytics to monitor the open, deep, and dark web with LemonFish Technology’s unique solutions to this costly problem.