The damage that trusted insiders can cause is extraordinary. According to the 2020 Ponemon Institute Cost of Insider Threats report, the average cost per insider incident was a staggering $11.5 million in 2020.
Follow these tips to protect your company’s sensitive data against theft, misuse, and loss from malicious and negligent insider threats.
This tip may sound strange. Surely you want to secure all of your data…right?
That makes perfect sense, but it’s not at all realistic. The data your company possesses is going to be constantly expanding, moving, and changing. There simply isn’t a resource-efficient way to protect everything equally.
Besides, unnecessarily rigid access controls for non-sensitive data are just going to frustrate your end-users, cause unnecessary negative effects on their productivity, and tempt them to bypass your security controls.
To help you start prioritizing what data to protect, consider the classes of data your company interacts with.
From a data theft prevention perspective, you can expect insider threats to be most interested in confidential and restricted data.
If you’re not certain how to prioritize the data your company interacts with, you can start by referring to a risk matrix. A risk matrix will help you focus your initial efforts as you refine your data loss prevention strategy.
Encryption protects sensitive data by transforming it into ciphertext that is unreadable without the matching key. The only way to properly view the data is to decrypt it with the decryption key. Encryption can be applied to entire data storage drives (full disk encryption), emails, and specific files.
The encryption process is reversible, so the original data is still intact. Those who have the matching decryption keys can view the data normally – anyone without the necessary decryption keys will only see the obfuscated data.
Best practices for encryption:
Limiting who has access to the decryption keys to an as-needed basis will improve the efficacy of this tip. It will be less effective against insider threats that are trusted with the decryption keys.
The less data that your business has to protect, the better it can allocate its existing resources to protecting what matters. As a best practice you should limit data collection as much as possible and delete any existing data that is no longer relevant to your business.
Periodically culling data that is no longer relevant reduces risk by minimizing the amount of data that would be leaked following a data breach. Retaining data that is no longer relevant to the business may also violate data security/privacy compliance requirements.
Data access controls are absolutely essential for protecting sensitive data. The classes of data that your Human Resources department requires for their roles will be far different from those of your Finance department. For this reason you should limit who can access sensitive data to an as-needed basis.
You need to keep a careful eye on how your employees are interacting with data. Anomalous behavior could be an indicator of a malicious insider or an account that has been compromised by an external threat. This tip is especially relevant when it comes to employees that are leaving the company or being dismissed.
A data egress point is any area that allows data to leave your network. These parts of your network should be carefully monitored and managed to reduce the risk of data loss.
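One way to put the two preceding points into practice is to baseline each user's daily egress volume and alert on spikes, with a tighter threshold for employees on the HR departing list. This is an added example, not code from the original article; the log lines, the HR feed, and the threshold factors are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample egress log as (ISO date, user, channel, megabytes).
# Made up for this example; not data from the article.
EGRESS_LOG = [
    ("2021-03-01", "alice", "email", 12), ("2021-03-02", "alice", "email", 15),
    ("2021-03-03", "alice", "usb",    8), ("2021-03-04", "alice", "email", 10),
    ("2021-03-01", "bob",   "cloud", 20), ("2021-03-02", "bob",   "cloud", 18),
    ("2021-03-03", "bob",   "cloud", 25), ("2021-03-04", "bob",   "cloud", 22),
    ("2021-03-08", "alice", "usb",   40), ("2021-03-08", "bob",   "cloud", 21),
    ("2021-03-09", "carol", "usb",    5),
]
# Constructed HR feed: users who have given notice or are scheduled for dismissal.
DEPARTING = {"alice"}


def daily_totals(log):
    """Sum megabytes per user per day, regardless of egress channel."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, _channel, mb in log:
        totals[user][day] += mb
    return totals


def find_anomalies(log, departing, cutoff, factor=5.0, departing_factor=2.0):
    """Return alerts for days on/after `cutoff` where a user's egress exceeds
    their pre-cutoff daily average by `factor`; the tighter `departing_factor`
    applies to users on the HR departing list. ISO dates compare as strings."""
    alerts = []
    for user, days in daily_totals(log).items():
        history = [mb for d, mb in days.items() if d < cutoff]
        if not history:
            # No baseline at all: a new or previously silent account moving data.
            alerts.append({"user": user, "day": min(days),
                           "mb": sum(days.values()), "reason": "no baseline"})
            continue
        base = mean(history)
        limit = departing_factor if user in departing else factor
        for d, mb in sorted(days.items()):
            if d >= cutoff and mb > base * limit:
                alerts.append({"user": user, "day": d, "mb": mb,
                               "reason": f"{mb / base:.1f}x baseline ({base:.1f} MB/day)"})
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(EGRESS_LOG, DEPARTING, cutoff="2021-03-05"):
        print(alert)
```

In the sample data Alice's 40 MB USB transfer is flagged only because she is on the departing list; the same volume from a user with no notice on file stays under the looser five-times threshold.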
Examples of Data Egress Points:
High-risk applications such as peer-to-peer (P2P) file sharing programs, personal instant messaging apps, and cloud storage apps should be blacklisted from your network to prevent files from being sent through them. This can be accomplished using an application blocker.
A mobile device management (MDM) solution provides greater visibility and control over mobile devices such as laptops and smartphones. Should an employee’s device be lost or stolen, the data that is stored on the device can be remotely wiped and the device’s location can be tracked.
An MDM can also protect against malicious insiders. If a mobile device has not been returned following an employee’s dismissal or resignation the device can be readily wiped and located to minimize the potential for sensitive data to be retrieved by the ex-employee.
Software and hardware developers regularly release security updates for their products. Be certain to keep operating systems, software, firmware, and other systems up-to-date to protect your endpoints against the latest known threats.
While the modern workforce is largely digital, there are some industries that rely on paper documents. Paper-based methods may also be reserved as a failsafe in the event that digital means become inaccessible.
Restricting and monitoring physical access to company assets will reduce opportunities for servers, computers, hard drives, and portable storage mediums to be stolen.
Examples of anti-theft measures:
Reused passwords are an absolute nightmare for data security, yet a shocking 59% of users surveyed in the LastPass Psychology of Passwords Report admit to reusing passwords.
If a previously used password is made public through a data breach, any accounts that the password was used on are now vulnerable. Using unique passwords for each account limits the amount of damage that can happen when an account is compromised, but it’s tedious to remember hundreds of unique passwords.
Implementing a secure password manager will ensure that your employees’ passwords are unique and easily accessible. All they will need to remember is a single unique and strong master password that they will use to access the password manager.
How to make a strong master password:
Multi-factor authentication (MFA) requires users to combine their password with an additional authentication measure such as an SMS code, fingerprint scan, authenticator app, or one-time password. This will better protect user accounts should an insider threat attempt to use a coworker’s account in their attack.
Do not allow employees to store or access corporate data using their personal accounts or devices. The amount of monitoring and control that is available for personal devices is limited; a departing employee could accidentally or maliciously retain company data on their devices after their employment has concluded.
Privileged accounts such as admin and superuser accounts have fewer (or no) restrictions on what they can do in your network. These accounts need to be closely monitored and controlled to ensure that they are not being abused by insider threats or other bad actors.
Tips for securing privileged accounts:
Admin-level control of accounts should not be given to individual employees. Instead, applications and services that are needed by your business should be managed by your IT personnel. This helps to ensure that company accounts are adequately secured, backed up, and not lost to disgruntled employees.
The employee offboarding process presents significant data security risks. Employees have intimate access to corporate data, insider knowledge of the organization’s systems, and a level of trust that can allow them to steal data undetected.
These vulnerabilities need to be addressed as part of any insider threat management program.
It is absolutely critical that your organization is protected against insider data theft. There is no shortage of opportunities for malicious or accidental insiders to leak sensitive data.
To best protect data you need to control where it will be stored, limit access to an as-needed basis, monitor employees for suspicious activity, and implement a layered security approach that addresses as many potential vulnerabilities as possible.