Minimizing the Insider Threat – What is your staff REALLY doing with your data?

Acts by staff, whether malicious or not, account for well over half of all reported data breaches.  While many organizations already monitor email or network use, how do you really know what your employees are doing with your data?

We recently ran a webinar where we looked at three examples where data was exposed by staff.  Several challenges exist, such as:

  1. Identifying what data needs protection.  While this may seem simple enough, it becomes more complex when you start to think about not only the data that is covered by compliance (health data, credit card information, criminal justice records, etc.) but what data would have an impact on your organization if it were exposed?  That might expand to include customer lists, internal emails, pricing models, donations and donor information – the list goes on.
  2. Determining where this data exists.  It should all be on the file server, right?  If this data has been collected over years, does it also exist on older or decommissioned hardware, backup media, staff’s workstations or even uploaded into cloud-based backup or collaboration sites?  And if it’s not already in places that are hard to protect, how can you keep it from leaving your network?
  3. Detecting unusual behavior that could indicate an insider threat.  This is very challenging as your staff needs access to data to perform their jobs.  Have you reviewed data access to make sure access is only given to sensitive data on a “need to know” basis?  Who regularly reviews and makes changes to access?  What is unusual behavior in your network?  For example, a large batch of data being copies out of the network at 2 a.m. could be a perfectly innocent cloud backup running outside business hours so it won’t impact production, but what if it’s John in Sales copying off client and pricing information for the new job he starts in 2 weeks with your top competitor?  Monitoring needs to include the technologies where data is stored and moves, account logging, develop a baseline for “normal” and be able to customize rules on an ongoing basis.

Provide regular staff training and testing to raise awareness of threats that can cause accidental data exposure can help minimize risk, but you also need to have technical controls as well for the inevitable human error or the hard to prevent misuse of data by staff who has legitimate access.  Last but not least, a proactive incident response plan with the right resources to help you determine if the data has been exposed, how to remediate, and what you are required to do for notifications to affected parties and/or compliance violations.


Sign up for our Newsletter

Receive weekly emails for the latest cybersecurity news

Expand your team with Foresite

Enterprise-level cybersecurity and risk management for mid-sized businesses. Prioritize your security tasks and reduce the complexity of cybersecurity.