Keeping data safe from internal threats

By Michele Hanson, CISO, Gatwick Airport*

Keeping track of how essential data is managed and accessed is a constant challenge for many organisations, and it has only become harder with the advent of the cloud. The freedom and flexibility the cloud enables are powerful business advantages; however, they also make it more difficult to control who can access key files, particularly when it comes to movers, leavers and contractors. The stakes are also higher than ever, with stricter laws and potential fines introduced by the GDPR.

Defining the threat from within

Losing control of how essential data is being accessed is a serious security issue. Poorly organised and unmonitored data is not only easier for external attackers to reach; it is also exposed to malicious insiders within the company.

The most obvious threat is an unscrupulous employee stealing data such as intellectual property or customer databases for their own ends. The goal could be to sell it on to cyber criminals or a rival organisation, to use as leverage when seeking a new employer, or even to use as the foundation of their own business. In some cases the perpetrator may steal and leak essential data out of spite in an act of revenge, as was seen when a disgruntled IT auditor for supermarket chain Morrisons posted personal and financial details of nearly 100,000 employees online.

Alongside malicious intent, many insider threats are caused by simple human error, such as a mis-sent email or a misconfigured database. Confidential data sent to the wrong email address is, for example, the most common digital cause of a data breach according to the Information Commissioner's Office.

An insider threat can also take the form of an external attacker who compromises a legitimate user's account and abuses its access privileges. The credentials may have been stolen through social engineering, or simply guessed by brute force if the user chose a weak password.

How can the insider threat risk be mitigated?

The first step to combating the insider threat is for an organisation to understand what their crown jewels are – what is the most high-risk data, and why is it at risk? This includes both the potential value to rival firms or to criminals on the dark web, as well as the damage the theft or leaking of the data would cause to the business.

All at-risk data should be protected with strict controls, and access should be kept to the minimum each role actually needs. Organisations must ensure access rights are amended or removed promptly when employees change roles or leave the company, and the same applies to contractors at the end of an engagement. It is also important to monitor how key files are being accessed, edited, copied or moved, and the option to prevent critical files from being opened by unauthorised users should be explored and used.
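The two controls described above, a regular reconciliation of who holds access against who should hold it, and monitoring of how sensitive files are being touched, can both be automated. The following is an added example written for this page, not code from the author or from Gatwick Airport. The HR roster, entitlement export, role policy and audit log lines are all constructed for illustration, and their formats are assumptions rather than those of any real product. The same logic applies to any export you can flatten to "user, role, leave date", "user, entitlement" and "timestamp, user, action, path".

```python
"""Mover/leaver reconciliation and bulk file-access detection (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR roster (assumed format): current role and leave date, if any.
HR_ROSTER = {
    "alice": {"role": "finance", "left": None},
    "bob":   {"role": "engineering", "left": None},      # moved here from finance
    "carol": {"role": "finance", "left": "2024-03-01"},  # leaver
    "dave":  {"role": "contractor", "left": None},
}

# Constructed entitlement export (assumed format): sensitive shares each account can read.
ENTITLEMENTS = {
    "alice": {"payroll", "customer-db"},
    "bob":   {"payroll", "source-code"},  # payroll left over from bob's previous role
    "carol": {"payroll"},                 # leaver whose access was never removed
    "dave":  {"source-code"},
    "erin":  {"customer-db"},             # account with no HR record at all
}

# Assumed least-privilege policy: which shares each role may hold.
ROLE_ENTITLEMENTS = {
    "finance": {"payroll", "customer-db"},
    "engineering": {"source-code"},
    "contractor": {"source-code"},
}


def reconcile_access(roster, entitlements, role_policy):
    """Return (user, finding, shares) for accounts whose access does not match HR.

    Findings: 'orphan' (no HR record), 'leaver' (left but still entitled),
    'excess' (entitlements beyond what the current role allows).
    """
    findings = []
    for user, shares in entitlements.items():
        person = roster.get(user)
        if person is None:
            findings.append((user, "orphan", sorted(shares)))
        elif person["left"] is not None:
            findings.append((user, "leaver", sorted(shares)))
        else:
            excess = shares - role_policy.get(person["role"], set())
            if excess:
                findings.append((user, "excess", sorted(excess)))
    return sorted(findings)


# Constructed audit log (assumed format): ISO timestamp, user, action, path.
AUDIT_LOG = """\
2024-03-04T09:01:10 alice READ payroll/march.xlsx
2024-03-04T09:45:30 alice READ payroll/april.xlsx
2024-03-04T14:12:00 dave READ source-code/build.gradle
2024-03-04T18:40:01 bob COPY payroll/2023-q1.xlsx
2024-03-04T18:40:05 bob COPY payroll/2023-q2.xlsx
2024-03-04T18:40:09 bob COPY payroll/2023-q3.xlsx
2024-03-04T18:41:20 bob COPY payroll/2023-q4.xlsx
"""


def parse_audit(text):
    """Parse audit lines into (timestamp, user, action, path) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, action, path = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    return events


def detect_bulk_access(events, window=timedelta(minutes=10), threshold=3):
    """Flag users who touch at least `threshold` distinct files within `window`.

    Returns {user: largest number of distinct files seen in any one window}.
    Two reads an hour apart are normal; many distinct files in minutes is the
    pattern of someone copying a share out, whatever their entitlements say.
    """
    by_user = defaultdict(list)
    for ts, user, action, path in events:
        if action in ("READ", "COPY"):
            by_user[user].append((ts, path))
    alerts = {}
    for user, items in by_user.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            distinct = {p for t, p in items[i:] if t - start <= window}
            if len(distinct) >= threshold:
                alerts[user] = max(alerts.get(user, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for user, finding, shares in reconcile_access(HR_ROSTER, ENTITLEMENTS, ROLE_ENTITLEMENTS):
        print(f"{finding:6} {user:6} {', '.join(shares)}")
    for user, count in detect_bulk_access(parse_audit(AUDIT_LOG)).items():
        print(f"bulk   {user:6} {count} distinct files within 10 minutes")
```

Run on the constructed data, the reconciliation reports bob (excess payroll access kept from his old role), carol (a leaver who still holds access) and erin (an account HR does not know about), and the audit check flags bob for copying four payroll files in under two minutes. The two checks are deliberately independent: the reconciliation catches the stale entitlement before it is used, and the monitoring catches the misuse even when the entitlement looked legitimate.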


Attitude and awareness

I often hear that managing insider threats is a bigger problem for larger companies, as they have larger systems, more data and more employees to keep track of. The same principles apply to a business of any size, however, so it is a matter of setting aside enough time to regularly assess the risk and ensure the right measures are in place to protect data.

Protecting against the insider risk requires buy-in from employees at every level of the organisation, and I find it is often easier to get the board involved with insider threats than with other cyber risks, perhaps because the threat is so easily defined. The wider workforce should also have a sense of shared ownership of keeping company data safe, and should be given proper channels to report suspicious or careless behaviour that could lead to a data breach.

With the right technology, processes, and a top-down approach in place, organisations can ensure their mission-critical data is protected from insider threats, whether it’s a case of malicious scheming or simply a mis-typed email address.

*Opinions expressed are my own and not representative of my employer.