When people think about data leaks, they tend to assume the cause of the threat came from outside the company.
In reality, there is just as much danger, if not more so, of a data breach happening from within.
A recent study, Egress’s Insider Data Breach Survey 2020, found that 97% of IT leaders are actively concerned about an insider data breach.
Why? Because of statistics like these, according to Information Age:
- “78% of IT leaders surveyed said that employees have put data at risk accidentally within the last year.”
- “75% say that intentional compromise of data security has occurred.”
- “24% said lack of employee security training was to blame; 21% said insider breaches were caused by employees rushing tasks; 31% said employees had sent information to the wrong person.”
Insider data breaches are a much bigger problem than many companies realize.
Just look at what Elon Musk had to deal with earlier this year with Tesla. According to CNBC, Musk “had learned an employee of the company conducted quite extensive and damaging sabotage to its operations,” ultimately exporting highly sensitive data to unknown third parties.
The threat of insider leaks has been a growing problem in the cybersecurity world. Even back in 2016, Harvard Business Review was reporting that more than 60% of all data attacks were carried out by insiders. When something like this happens, the effects can be catastrophic, leading to any (or all) of the following:
- Damaged company reputation
- Regulatory fines
- Leaked trade secrets (as seen in the case between Uber and Google over self-driving technology)
- Compromise of user data
- Ruined customer trust
- Financial loss
For context, an insider-related incident can cost a company upwards of $500,000.
In fact, according to the Ponemon Institute 2018 study on insider threats, these incidents can cost a company up to $8.76 million per year, and in North America, the cost is even higher: $11.1 million per year.
So, how do you defend against insider threats?
1. You need to focus on the “crown jewels” of your organization, and create a hierarchy for content and data access to different levels of employees.
The simplest form of data protection companies use is simply giving access to certain folders or files to some employees, and restricting access to others.
But especially when you’re dealing with highly sensitive information, this tactic is pretty entry-level. What you really need is a way of measuring user behavior, gauging employee behaviors and activities to determine whether access to certain data needs to be shut down immediately so that you can conduct an internal investigation. This is a big part of what we do at Reveille for key platforms from Box, IBM, Microsoft, and so on. We provide tools that bring a completely different level of transparency to the many layers of content management and access within the organization, with software solutions that learn behavioral patterns over time and can trigger warnings as soon as behaviors inside the company begin to look suspicious.
2. Collaboration between employees, contractors, partners, and vendors is only increasing, so you need to have a clear sense of who needs access to what data, and why.
Data security begins as early as the interview process.
With every employee, every potential vendor, you need to have a firm grasp over what levels of data they are going to need in order to do their job effectively—without giving them exposure to more than what is necessary.
The second step is to add layers of protection and ways to track the nature of their content transactions within the company—and to measure those transactions against the norm so that unusual behavior stands out. The goal isn’t to have a police state, but to have processes in place that can catch early signals of malicious activity before they become a serious problem.
3. There are two types of insider threats: malicious and accidental. The former requires measurement and tracking, the latter requires policies established within the company.
Accidental data leaks would be employees mentioning something they shouldn’t on social media, shipping out confidential information accidentally in emails, or even just putting their company’s data at risk by misplacing their phones or computers. These kinds of things happen all the time.
This is why training is such a crucial part of internal data protection. For the last 25 years of bringing content management systems and behavioral insight solutions to market, I can tell you that companies not having proper training or policies in place is one of the foundational errors that leads to data leaks. However, once you have these policies integrated into your company culture, you now have a key input to measure against behavioral baselines—which makes your tracking tools that much more effective in being able to spot malicious behavior.
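The three steps above can be expressed as two kinds of checks that run side by side over content-platform audit events: written policy turned into rules (a least-privilege clearance map for the “crown jewels” tier and a rule that confidential material must not leave the company), and a per-user behavioral baseline that flags a day whose download volume is far outside that user’s own history. The Python below is an added illustration of that pairing, not Reveille’s product code or any vendor’s API. The role-to-clearance map, the event fields, the anomaly threshold and the audit events themselves are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Hypothetical least-privilege map (step 1 and 2): the highest classification
# level each role may touch. "confidential" is the crown-jewels tier.
CLEARANCE = {"public": 0, "internal": 1, "confidential": 2}
ROLE_MAX_LEVEL = {"engineer": 1, "finance": 2, "contractor": 0}


@dataclass(frozen=True)
class Event:
    """One constructed audit record from a content platform."""
    day: int            # day index within the observation window
    user: str
    role: str
    action: str         # "view", "download" or "email_external"
    resource: str
    level: str          # classification of the resource
    recipient: str = ""  # external domain, only for email_external


def policy_violations(events):
    """Rules derived from written policy (step 3); no baseline needed."""
    findings = []
    for e in events:
        if CLEARANCE[e.level] > ROLE_MAX_LEVEL[e.role]:
            findings.append((e.user, e.day, "access-above-clearance", e.resource))
        if e.action == "email_external" and CLEARANCE[e.level] >= CLEARANCE["confidential"]:
            findings.append((e.user, e.day, "confidential-sent-externally", e.recipient))
    return findings


def daily_download_counts(events):
    """user -> day -> number of downloads."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.action == "download":
            counts[e.user][e.day] += 1
    return counts


def baseline_anomalies(events, observe_days, threshold=3.0):
    """Flag review days whose download count exceeds the user's own
    mean + threshold * stdev over the first observe_days days.
    A floor of 1.0 on the deviation stops a flat history (stdev 0)
    from turning every one-file difference into an alert."""
    counts = daily_download_counts(events)
    findings = []
    for user, per_day in counts.items():
        history = [per_day.get(d, 0) for d in range(observe_days)]
        mu, sigma = mean(history), pstdev(history)
        for day, n in sorted(per_day.items()):
            if day >= observe_days and n > mu + threshold * max(sigma, 1.0):
                findings.append((user, day, "download-volume-anomaly", n))
    return findings


def build_sample_events():
    """Constructed data: five baseline days, then day 5 under review."""
    events = []
    for day in range(5):
        for _ in range([2, 3, 2, 3, 2][day]):
            events.append(Event(day, "alice", "engineer", "download", "design-notes", "internal"))
        for _ in range(5):
            events.append(Event(day, "bob", "finance", "download", "ledger", "confidential"))
    # Day 5: alice bulk-downloads and opens a document above her clearance.
    for i in range(40):
        events.append(Event(5, "alice", "engineer", "download", f"design-notes-{i}", "internal"))
    events.append(Event(5, "alice", "engineer", "view", "m-and-a-plan", "confidential"))
    # Day 5: bob's volume is normal, but he emails a confidential report
    # to a personal address (the accidental-leak case from step 3).
    for i in range(6):
        events.append(Event(5, "bob", "finance", "download", f"ledger-{i}", "confidential"))
    events.append(Event(5, "bob", "finance", "email_external", "q3-forecast",
                        "confidential", "personal-mail.example"))
    # Day 5: a contractor opens an internal-only document.
    events.append(Event(5, "carol", "contractor", "view", "roadmap", "internal"))
    return events


def review(events, observe_days=5):
    """Run both check families and return their findings together."""
    return {"policy": policy_violations(events),
            "baseline": baseline_anomalies(events, observe_days)}


if __name__ == "__main__":
    for kind, findings in review(build_sample_events()).items():
        for finding in findings:
            print(kind, *finding)
```

Run against the constructed events, the policy rules catch the contractor and the engineer reading above their clearance and the finance user mailing a confidential file out, while the baseline catches only alice’s 40-file day; bob’s six downloads stay inside his historical range. That split is the point of step 3: policy rules catch the accidental cases the moment they happen, and the baseline is what surfaces the malicious case that breaks no written rule.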