Adam Gordon, Country Manager ANZ at Varonis, explains the most common causes of insider data breaches, the impact of remote working and key ways organisations can mitigate these risks.
In movies, nefarious corporate insiders are the hoodie-wearing outcasts that avoid conversation and keep to themselves. The reality is different. Chances are, you wouldn’t be able to pick out an insider bent on harming your organization.
Many organizations don’t consider the risk that these parties present, but there’s strong reason to – Verizon’s 2020 Data Breach Investigations Report revealed that 30% of all breaches last year involved internal actors.
For many organizations, data is their most important and valuable asset, yet too few keep it tightly controlled. Instead, data is often open and accessible to all employees within the organization, where it can not only be accessed but copied, moved, altered, deleted – or simply emailed from person to person – and even sent outside the company.
Ideally, access to data in any organization should be restricted to only those who need it. This approach reduces the chances of that data being exfiltrated, corrupted or encrypted if a user’s credentials are compromised, typically through a successful phishing attack.
Common sources of insider leaks
There are several ways in which data can be made unintentionally or unnecessarily accessible, and there are a number of measures to prevent this happening.
Most users want to make their job easier and won’t necessarily follow organizational policies covering how data must be handled. They will store files on shared or networked drives and may often be unaware of just how widely available their actions make those files.
As a result, it only takes one user’s account to be compromised for data to be put at risk – and that compromised user might have had no logical reason to have access to that data in the first place!
In the pre-cloud world, when most data was held on-premises, data access was more easily controlled. However, even back then inconsistent access control lists (ACLs) and global access groups put data at risk, and it was common for users to put data on shared or networked disk drives.
In recent years, data volumes and storage locations have proliferated enormously. Today, it is almost impossible to find and fix all inconsistent ACLs by hand.
Users may well know which data is highly sensitive, but unless restrictions make it impossible to move that data, it’s bound to end up in an insecure location at some point.
The shift to remote working
The rapid uptake of cloud-based collaboration tools to support the shift to remote working has made this problem much worse. Tools like Microsoft Teams enable users to create new repositories for data and share access to that data with anyone in the organization. Often, IT and security lack insight into how data is being shared and resaved.
For example, anyone using Microsoft Teams can create multiple SharePoint sites online, add users with various levels of access or make access available to anyone: all with a few clicks and no technical expertise.
Placing access restrictions on all data would do much to curb such practices, but doing so presents a huge organizational challenge. Identifying sensitive data, and how sensitive it is, in order to apply appropriate controls is itself difficult.
To do this, organizations need to know where data is stored, who has access to that data, if that access is legitimate and who has responsibility for making decisions about access.
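The four questions above (where data is stored, who has access, whether that access is legitimate, and who owns the decision) are exactly what an access inventory audit answers. The following is an added example, not Varonis's product or code, that runs such an audit over a constructed inventory of shares and Teams/SharePoint sites. It assumes ACL entries are flat sets of principal names and that the global-group names follow Windows and Microsoft 365 conventions (`Everyone`, `Authenticated Users`, `Domain Users`, `All Company`); both the inventory and those names are assumptions for illustration. It flags three of the problems the article describes: access granted to global groups, child locations whose ACL is broader than their parent's (an inconsistent ACL), and locations with no accountable owner.

```python
"""Audit a constructed inventory of data locations for open or inconsistent access.

Added example: the inventory, group names and severity scheme are assumptions,
not output from any real environment or product.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Principals that effectively mean "everyone in the organization" (assumed names).
GLOBAL_GROUPS = frozenset({"Everyone", "Authenticated Users", "Domain Users", "All Company"})


@dataclass(frozen=True)
class Repository:
    path: str                   # share, folder or site, as a slash-separated path
    acl: frozenset              # principals with read or broader access
    owner: Optional[str] = None # person accountable for access decisions, if any
    sensitive: bool = False     # classification result, assumed already known


# Constructed inventory: a finance share with an over-shared payroll subfolder,
# a deliberately public share, and an unowned Teams site with contractor access.
INVENTORY: List[Repository] = [
    Repository("/shares/finance", frozenset({"Finance-Team"}), "cfo@example.com", True),
    Repository("/shares/finance/payroll-2020",
               frozenset({"Finance-Team", "Domain Users"}), "cfo@example.com", True),
    Repository("/shares/public", frozenset({"Everyone"}), "it@example.com", False),
    Repository("/teams/project-x", frozenset({"Project-X"}), None, False),
    Repository("/teams/project-x/drafts", frozenset({"Project-X", "Contractors"}), None, False),
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parent_path(path: str) -> str:
    """'/a/b/c' -> '/a/b'; top-level paths return '' and so have no parent."""
    return path.rsplit("/", 1)[0]


def audit(inventory: List[Repository]) -> List[Dict[str, str]]:
    """Return findings, most severe first, for the three checks described above."""
    by_path = {repo.path: repo for repo in inventory}
    findings: List[Dict[str, str]] = []

    for repo in inventory:
        # 1. Open access: any global group on the ACL exposes the data to everyone.
        open_via = sorted(repo.acl & GLOBAL_GROUPS)
        if open_via:
            findings.append({
                "path": repo.path, "issue": "open_access",
                "detail": "granted to " + ", ".join(open_via),
                "severity": "high" if repo.sensitive else "medium",
            })

        # 2. Inconsistent ACL: a child grants principals its parent never did,
        #    so the broader access is easy to miss when reviewing the parent.
        parent = by_path.get(parent_path(repo.path))
        if parent is not None:
            extra = sorted(repo.acl - parent.acl)
            if extra:
                findings.append({
                    "path": repo.path, "issue": "inconsistent_acl",
                    "detail": "broader than parent by " + ", ".join(extra),
                    "severity": "medium" if repo.sensitive else "low",
                })

        # 3. No owner: nobody is accountable for deciding whether access is legitimate.
        if not repo.owner:
            findings.append({
                "path": repo.path, "issue": "no_owner",
                "detail": "no accountable owner recorded",
                "severity": "low",
            })

    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["path"]))


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(f"[{finding['severity']:<6}] {finding['path']}: "
              f"{finding['issue']} ({finding['detail']})")
```

The sort order matters in practice: a finance share readable by `Domain Users` is the finding to fix first, while an unowned project site is a governance gap to close before it becomes a data problem. In a real environment the inventory would be populated from share enumeration and the Microsoft 365 permission APIs rather than hard-coded.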
The challenge of locking down data
One oft-touted solution is to have the creators of data classify and tag it appropriately. However, this requires those responsible for tagging to understand what constitutes sensitive data, and not to deliberately mislabel data in order to sidestep the hassle of access restrictions.
The challenges were already big enough when all data was kept on-premises. IT and security teams could see when access to a particular dataset was broadened, or access rights changed. With data now typically spread across private and public cloud systems as well, the challenge is much greater.
Once a file has been given open access, it’s likely to be spread far and wide throughout an organization. If it gets inserted into an email, it may become part of a widely circulated email train.
It’s incredibly difficult for security teams to track and control access to data in such a scenario. Identifying and blocking all the user actions that result in open access to organizational data would be an impossible manual task. So, organizations turn to Artificial Intelligence and Machine Learning-driven user and entity behavioral analytics (UEBA) tools, but these are no instant solutions.
If the tools used are not sufficiently robust, they may fail to detect inappropriate data access, or generate masses of false positives that must then be resolved with large-scale manual interventions.
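To make the false-positive trade-off concrete, here is an added example (not a UEBA product and not Varonis's code) of the simplest kind of behavioral baseline: each user's daily count of distinct files accessed is compared against the mean and standard deviation of their own history, and a day is alerted when it exceeds the mean by `k` standard deviations. The log lines are constructed (a user `alice` whose access jumps from a few files a day to forty, and a user `bob` whose count rises only slightly); the log format, the seven-day baseline window and the one-file floor on the standard deviation are all assumptions for illustration.

```python
"""Baseline-and-threshold detection over constructed file-access log lines.

Added example. Log format (assumed): '<ISO timestamp> <user> <action> <path>'.
"""
import statistics
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

START = date(2020, 6, 1)
# First seven days form the per-user baseline; the eighth is the day under review.
BASELINE_DAYS: Set[str] = {(START + timedelta(days=i)).isoformat() for i in range(7)}


def build_log() -> List[str]:
    """Constructed sample: alice spikes to 40 files on day 8, bob rises from 2 to 5."""
    per_day = {"alice": [3, 4, 3, 4, 3, 4, 3, 40], "bob": [2, 2, 2, 2, 2, 2, 2, 5]}
    lines = []
    for user, counts in per_day.items():
        for i, n in enumerate(counts):
            day = (START + timedelta(days=i)).isoformat()
            for j in range(n):
                lines.append(f"{day}T09:{j:02d}:00Z {user} READ /shares/finance/f{j}.xlsx")
    return lines


def parse(line: str) -> Tuple[str, str, str, str]:
    """Split a log line into (day, user, action, path); the day is the date part."""
    timestamp, user, action, path = line.split()
    return timestamp[:10], user, action, path


def distinct_files_per_day(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """user -> {day -> number of distinct files touched that day}."""
    seen: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for day, user, _, path in map(parse, lines):
        seen[user][day].add(path)
    return {u: {d: len(files) for d, files in days.items()} for u, days in seen.items()}


def detect(lines: List[str], baseline_days: Set[str], k: float) -> List[Tuple[str, str, int, float]]:
    """Return (user, day, count, threshold) for non-baseline days above mean + k*sigma.

    sigma is floored at 1.0 so a user with a perfectly flat history does not
    get alerted on every one-file deviation.
    """
    alerts = []
    for user, days in distinct_files_per_day(lines).items():
        history = [days[d] for d in sorted(days) if d in baseline_days]
        if len(history) < 2:
            continue  # not enough history to form a baseline
        mu = statistics.mean(history)
        sigma = max(statistics.pstdev(history), 1.0)
        threshold = mu + k * sigma
        for day in sorted(days):
            if day in baseline_days:
                continue
            if days[day] > threshold:
                alerts.append((user, day, days[day], round(threshold, 2)))
    return alerts


if __name__ == "__main__":
    log = build_log()
    for k in (2, 3):
        print(f"k={k}:", detect(log, BASELINE_DAYS, k))
```

With `k=3` only alice's forty-file day is alerted; with `k=2` bob's five-file day is alerted as well, even though it is the kind of minor variation that a manual review would dismiss. That one knob is the whole trade-off the paragraph above describes: lowering it catches more genuine misuse but multiplies the false positives that analysts must then clear by hand, and a real UEBA deployment layers peer-group comparison and data sensitivity on top of a per-user baseline precisely to narrow that gap.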
Another technological solution that addresses the consequence, not the root cause, of lax data access controls is data leak protection technology. This technology relies on file labels that specify how a file should be protected: whether it should be encrypted or whether certain operations on it should be blocked, for example.
However, automatic file classification systems are unable to apply these labels with sufficient accuracy and still rely on users to do so. There is no guarantee that users will apply the appropriate label to a file.
Of course, the first line of defense is making sure users do not extend access to data beyond what is necessary. Security awareness training should be implemented but not relied on. It’s only a matter of time before an employee will make a security mistake. Working from home has only added to these pressures and potential distractions that can lead to unnecessary data access.
A better solution is to implement a least-privilege approach. If the data users can access is limited, and the locations in which they can store data are limited, you will minimize your risk.
As the number of data breaches continues to rise, organizations should assume they are already being targeted by hackers. Restricting access to data is a key step organizations can take to reduce the level of damage from a successful breach.