Top 16 Tips for Preventing Insider Data Theft


The damage that trusted insiders can cause is extraordinary. According to the Ponemon Institute's 2020 Cost of Insider Threats report, the average annual cost of insider incidents to an affected organization was $11.45 million.

Follow these tips to protect your company’s sensitive data against theft, misuse, and loss from malicious and negligent insider threats. 



Data Loss Prevention Tips

1) Prioritize What Data Needs to Be Secured

This tip may sound strange. Surely you want to secure all of your data…right?

That makes perfect sense, but it’s not at all realistic. The data your company possesses is going to be constantly expanding, moving, and changing. There simply isn’t a resource-efficient way to protect everything equally. 

Besides, unnecessarily rigid access controls for non-sensitive data will frustrate your end users, hurt their productivity, and tempt them to bypass your security controls altogether.

To help you start prioritizing what data to protect, consider the classes of data your company interacts with.

  • Public Data: Data that is intentionally publicly available and does not require access controls, such as details that are shared on your company website
  • Internal: Data that isn’t publicly available but is unlikely to be sensitive, so only limited access controls are necessary. This includes acceptable use policies, employee handbooks, and internal memos.
  • Confidential: Potentially sensitive data that is used internally such as internal pricing documents and contact information. This class of data needs to stay within the company.
  • Restricted: Highly sensitive data such as trade secrets, personally identifiable information (PII), and credit card information. If you are in a regulated industry such as healthcare or finance you are likely to have industry-specific regulations for protecting this class of data. Access to restricted data needs to be limited to an as-needed basis, even amongst your team.

From a data theft prevention perspective you can expect that insider threats are going to be the most interested in confidential and restricted data.

Prioritize Data Security With a Risk Matrix

If you’re not certain how to prioritize the data your company interacts with, you can start by referring to a risk matrix. A risk matrix will help you focus your initial efforts as you refine your data loss prevention strategy.

Image: A Risk Matrix demonstrating how varying degrees of the likelihood of a data breach occurring and the impact it would have will change the level of risk involved. The more likely and higher the impact, the greater the risk.

2) Use Encryption On Storage Drives and Individual Files

Encryption protects sensitive data by transforming it so that it cannot be read without the matching decryption key. Encryption can be applied to entire storage drives (full disk encryption), to emails, and to specific files.

The process is reversible, so the original data remains intact: anyone holding the matching decryption key can view the data normally, while anyone without it sees only ciphertext. Note that full disk encryption protects data at rest on a lost or stolen device, but it is transparent to a logged-in user, so on its own it does nothing to stop an authorized insider from copying the decrypted files elsewhere.

Best practices for encryption:

  • What to Encrypt: Encrypt sensitive data such as trade secrets, PII such as full names or social security numbers, and credit card data.
  • Encrypt Data & Storage: For the greatest security, encrypt individual files AND the devices they’ll be stored in
  • Mobile Devices: Ensure that mobile devices such as laptops and cell phones are encrypted to reduce the impacts of loss or theft

Limiting who has access to the decryption keys to an as-needed basis will improve the efficacy of this tip. It will be less effective against insider threats that are trusted with the decryption keys.

3) Limit Data Collection And Retention


The less data that your business has to protect, the better it can allocate its existing resources to protecting what matters. As a best practice you should limit data collection as much as possible and delete any existing data that is no longer relevant to your business.

Periodically culling data that is no longer relevant reduces risk by minimizing the amount of data that would be leaked following a data breach. Retaining data that is no longer relevant to the business may also violate data security/privacy compliance requirements.

4) Limit Access to Sensitive Data

Data access controls are absolutely essential for protecting sensitive data. The classes of data that your Human Resources department requires for their roles will be far different than that of your Finance department. For this reason you should limit who can access sensitive data to an as-needed basis.

  • Data Portability: Sensitive data should not be permitted on portable devices such as USB storage devices and mobile phones, and should only reside on laptops that are company-managed and encrypted (see tip 2).
  • Permission Creep: As roles evolve user accounts may be given additional permissions. Access permissions should be reviewed periodically to ensure that the available permissions are still relevant and necessary. Any permissions that are no longer needed should be restricted until a legitimate need arises.
  • Privileged Access Management: Accounts with elevated permissions (such as admin accounts) are particularly high-risk. A PAM solution can restrict the damage that these accounts are capable of by monitoring and limiting the activity of these accounts.
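The permission-creep review described above is easy to automate once you have two inputs: the current list of access grants and an access log showing when each grant was last exercised. The following is an added example, not CurrentWare's code; the record layout, the 90-day idle threshold, and the date used as "now" are assumptions chosen for illustration.

```python
"""Periodic access review over constructed grant and access-log data.

Added example for the permission-creep point above; it is not CurrentWare's
code. The record layout, the 90-day idle threshold and the date passed as
"now" are assumptions chosen for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample: who currently holds which access level, and since when.
GRANTS = [
    {"user": "alice", "resource": "finance-share", "level": "read",  "granted": "2023-01-10"},
    {"user": "alice", "resource": "hr-share",      "level": "write", "granted": "2022-06-01"},
    {"user": "bob",   "resource": "finance-share", "level": "admin", "granted": "2023-03-15"},
    {"user": "carol", "resource": "hr-share",      "level": "read",  "granted": "2023-05-02"},
]

# Constructed sample access log: "<timestamp> <user> <resource> <action>".
ACCESS_LOG = [
    "2023-09-01T09:12:00 alice finance-share read",
    "2023-04-20T17:45:00 alice hr-share write",
    "2023-09-03T08:00:00 bob finance-share read",
]

PRIVILEGED_LEVELS = {"admin", "write"}


def last_use(log_lines):
    """Map (user, resource) to the most recent time that pair appears in the log."""
    seen = {}
    for line in log_lines:
        ts, user, resource, _action = line.split()
        when = datetime.fromisoformat(ts)
        key = (user, resource)
        if key not in seen or when > seen[key]:
            seen[key] = when
    return seen


def stale_grants(grants, log_lines, now, max_idle_days=90):
    """Grants not exercised within max_idle_days (now is an ISO date string).
    Never-used grants are measured from their grant date. These are the
    candidates for removal until a legitimate need arises again."""
    now = datetime.fromisoformat(now)
    seen = last_use(log_lines)
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for g in grants:
        last = seen.get((g["user"], g["resource"]))
        if last is None:
            last = datetime.fromisoformat(g["granted"])
        if last < cutoff:
            findings.append({**g, "last_used": last.isoformat(),
                             "idle_days": (now - last).days})
    return findings


def privileged_grants(grants):
    """Grants carrying elevated rights: these need an owner's sign-off every
    review cycle regardless of whether they have been used."""
    return [g for g in grants if g["level"] in PRIVILEGED_LEVELS]


if __name__ == "__main__":
    for f in stale_grants(GRANTS, ACCESS_LOG, "2023-09-05"):
        print(f"STALE  {f['user']:6} {f['resource']:14} {f['level']:6} idle {f['idle_days']} days")
    for g in privileged_grants(GRANTS):
        print(f"REVIEW {g['user']:6} {g['resource']:14} {g['level']:6} privileged")
```

Run against the sample data, the review flags alice's unused write access to the HR share and carol's never-used read access, while bob's admin grant is listed for mandatory sign-off even though it is in active use. In production the two inputs would come from your directory or file server's permission export and its audit log; the point is that "still needed?" is answered by evidence of use, not by asking the user.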

5) Monitor Every Data-Related Action Your Employees Take

You need to keep a careful eye on how your employees are interacting with data. Anomalous behavior could be an indicator of a malicious insider or an account that has been compromised by an external threat. This tip is especially relevant when it comes to employees that are leaving the company or being dismissed. 

  • Device Control: Block employees from connecting portable storage devices such as flash drives, cameras, and smartphones to company devices unless it is absolutely necessary for their roles. Use device control software to block USB devices, enforce the exclusive use of authorized USBs, and grant temporary access permissions on an as-needed basis.
  • File Operations: Monitor the flow of data by tracking files that are copied, created, renamed, and/or deleted. This is valuable data for investigating the source of a data breach. You can also configure alerts for events that would be considered high-risk in the context of your organization to catch data exfiltration attempts.
  • Suspicious Behavior: Watch for anomalous behavior such as unusually large file transfers, attempts to access data that is not typically needed, visiting personal cloud storage websites, or accessing sensitive data at a higher frequency than usual. 

6) Block and Monitor Data Egress Points

A data egress point is any area that allows data to leave your network. These parts of your network should be carefully monitored and managed to reduce the risk of data loss.

Examples of Data Egress Points:

  • Cloud Storage: Unauthorized cloud storage accounts are a common vector for data theft. Malicious insiders simply need to login to their personal online file storage account and upload their desired files. This threat can be mitigated by blocking cloud storage sites with a web filter and monitoring bandwidth consumption for unanticipated spikes.
  • File Transfer Protocol: FTP lets users transfer files over networks such as the internet. Block the network ports used by FTP at your egress firewall. FTP’s control channel uses TCP port 21 by default (with port 20 or an ephemeral port for the data channel), but a server can listen on any port, so port blocking alone is not enough; a default-deny outbound policy that allows only the destinations and protocols your business needs is far more robust. Apply the same thinking to SFTP (TCP 22) and FTPS, which are just as usable for exfiltration. 
  • Email: A common way that data is stolen is by employees attaching sensitive files to emails. Email security risks can be mitigated by blocking access to personal email accounts with a web filter and monitoring email activity with a Secure Email Gateway (SEG). 
  • USB Devices: Portable storage devices such as flash drives, cell phones, and cameras are a convenient tool for stealthily transferring files out of the network. Device permissions should be limited to an as-needed basis and carefully monitored for suspicious activity. 
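The file-operation monitoring in tip 5 and the egress-point monitoring in tip 6 come together in detection logic like the following. This is an added example, not CurrentWare's code: the event format, the sensitive-path prefixes, the one-hour/500 MB burst threshold, and the personal-cloud host list are all assumptions chosen for illustration, and the events are constructed sample telemetry.

```python
"""Rule-based egress detection over constructed endpoint telemetry.

Added example covering the file-operation monitoring and egress-point
tips above; it is not CurrentWare's code. The event format, the
sensitive-path prefixes, the burst threshold and the personal-cloud host
list are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events. copy: "<ts> <user> copy <bytes> <src> <dst> <dest_type>"
#                     conn: "<ts> <user> conn <host> <port>"
EVENTS = [
    "2023-09-05T09:00:00 alice copy 120000 /shares/internal/handbook.pdf E:/handbook.pdf removable",
    "2023-09-05T09:01:00 alice copy 40000000 /shares/restricted/customers.csv E:/c.csv removable",
    "2023-09-05T09:02:00 bob copy 5000000 /shares/confidential/pricing.xlsx /home/bob/p.xlsx local",
    "2023-09-05T09:03:00 bob copy 900000000 /shares/confidential/archive.zip /home/bob/a.zip local",
    "2023-09-05T09:04:00 bob conn 203.0.113.10 21",
    "2023-09-05T09:05:00 carol conn drive.google.com 443",
    "2023-09-05T09:06:00 carol conn crm.example.com 443",
]

SENSITIVE_PREFIXES = ("/shares/confidential/", "/shares/restricted/")
BURST_WINDOW = timedelta(hours=1)
BURST_BYTES = 500_000_000
FTP_PORTS = {20, 21}
PERSONAL_CLOUD_HOSTS = {"drive.google.com", "dropbox.com", "onedrive.live.com"}  # illustrative


def parse(line):
    ts, user, kind, *rest = line.split()
    ev = {"time": datetime.fromisoformat(ts), "user": user, "kind": kind}
    if kind == "copy":
        size, src, dst, dest_type = rest
        ev.update(bytes=int(size), src=src, dst=dst, dest_type=dest_type)
    elif kind == "conn":
        host, port = rest
        ev.update(host=host, port=int(port))
    return ev


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)


def is_personal_cloud(host):
    return any(host == h or host.endswith("." + h) for h in PERSONAL_CLOUD_HOSTS)


def detect(lines):
    """Return (rule, user, detail) alerts in event order."""
    alerts = []
    recent = defaultdict(list)   # user -> [(time, bytes)] inside the burst window
    burst_fired = set()          # alert once per user per run, not once per file
    for ev in sorted((parse(l) for l in lines), key=lambda e: e["time"]):
        user = ev["user"]
        if ev["kind"] == "copy":
            # Rule 1: confidential/restricted data written to removable media.
            if ev["dest_type"] == "removable" and is_sensitive(ev["src"]):
                alerts.append(("sensitive_to_removable", user, ev["src"]))
            # Rule 2: unusually large volume copied by one user in a sliding window.
            window = recent[user]
            window.append((ev["time"], ev["bytes"]))
            cutoff = ev["time"] - BURST_WINDOW
            window[:] = [(t, b) for t, b in window if t >= cutoff]
            total = sum(b for _, b in window)
            if total > BURST_BYTES and user not in burst_fired:
                burst_fired.add(user)
                alerts.append(("bulk_copy", user, f"{total} bytes within {BURST_WINDOW}"))
        elif ev["kind"] == "conn":
            # Rule 3: FTP egress; Rule 4: personal cloud storage hosts.
            if ev["port"] in FTP_PORTS:
                alerts.append(("ftp_egress", user, f"{ev['host']}:{ev['port']}"))
            if is_personal_cloud(ev["host"]):
                alerts.append(("personal_cloud", user, ev["host"]))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(EVENTS):
        print(f"{rule:22} {user:6} {detail}")
```

On the sample data this raises four alerts: alice copying a restricted file to a USB drive (her copy of the internal handbook is deliberately not flagged, in keeping with tip 1), bob crossing the volume threshold and then opening an FTP connection, and carol reaching a personal cloud host. The volume rule is the same idea as the bandwidth-spike check mentioned above, applied per user rather than per network link; tune the window and threshold to the normal working pattern of each team, or the rule will either drown you in alerts or miss a slow, patient exfiltration.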

Endpoint Security Tips

7) Block Employees From Using High-Risk Applications

High-risk applications such as peer-to-peer (P2P) file sharing programs, personal instant messaging apps, and cloud storage apps should be blacklisted from your network to prevent files from being sent through them. This can be accomplished using an application blocker.

8) Use a Mobile Device Manager


An MDM provides greater visibility and control over mobile devices such as laptops and smartphones. Should an employee’s device be lost or stolen the data that is stored on the device can be remotely wiped and the device’s location can be tracked.

An MDM can also protect against malicious insiders. If a mobile device has not been returned following an employee’s dismissal or resignation the device can be readily wiped and located to minimize the potential for sensitive data to be retrieved by the ex-employee.

9) Keep Security Patches Up-to-Date

Software and hardware developers regularly release security updates for their products. Be certain to keep operating systems, software, firmware, and other systems up-to-date to protect your endpoints against the latest known threats.

Physical Security Tips

10) Protect Sensitive Paper Documents


While the modern workforce is largely digital, there are some industries that rely on paper documents. Paper-based methods may also be reserved as a failsafe in the event that digital means become inaccessible. 

  • Limit the Need for Paper: Where possible you should limit the need for sensitive information to be written or printed to a paper format. Digital data collection methods provide greater visibility and control.
  • Establish a Shredding Process: Documents that are no longer needed must be disposed of safely. Companies with large-scale paper usage can outsource bulk paper shredding to a trusted third-party service provider.
  • Secure Paper Documents: Sensitive printed or written documents must be secured in a designated locked cabinet or similarly secure container.
  • Do Not Leave Documents in Printers: As part of employee training you must emphasize the urgency for collecting printed documents. Forgotten documents are a convenient source of sensitive information that insider threats could use.

11) Implement Anti-Theft Measures


Restricting and monitoring physical access to company assets will reduce opportunities for servers, computers, hard drives, and portable storage mediums to be stolen.

Examples of anti-theft measures

  • Keep server rooms and confidential waste bins locked
  • Install fences, gates, and access cards to restrict unauthorized traffic
  • Require the use of security badges to identify employees
  • Install surveillance cameras to monitor high-traffic and high-risk areas

Account Security Tips

12) Have Employees Use Strong, Unique Passwords

A comic by XKCD showcasing how strong passwords can be made by combining a series of words
Source: “Password Strength” from XKCD.com

Reused passwords are an absolute nightmare for data security, yet a shocking 59% of users surveyed in the LastPass Psychology of Passwords Report admit to reusing passwords. 

If a previously used password is made public through a data breach, any accounts that the password was used on are now vulnerable. Using unique passwords for each account limits the amount of damage that can happen when an account is compromised, but it’s tedious to remember hundreds of unique passwords. 

Implementing a secure password manager lets employees generate and store a unique password for every account. All they need to remember is a single strong master password that unlocks the password manager.

How to make a strong master password:

  • Make It Unique: Make it entirely unique from any other password used on other accounts. This includes not simply adding a few numbers to the end of an old password. If a previous password is breached, an attacker will build off of that password to try to access other accounts.
  • Long & Simple: Think of your master password as more of a passphrase. Use a series of words to create long, simple passwords rather than short and complex ones. These are easier to remember for those that need it and harder for attackers to guess. 
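The two rules above can be checked in code rather than left to habit. The following added example (not CurrentWare's code) generates a word-based passphrase with a cryptographically secure random source, puts numbers on why "long and simple" beats "short and complex", and detects the "old password plus a few characters" pattern. The small word list is a constructed stand-in for a real list of several thousand words, which is an assumption; the figures 7776 and 95 are the size of a common diceware list and of printable ASCII respectively.

```python
"""Passphrase generation, entropy comparison, and an old-password variant check.

Added example for the master-password advice above; it is not
CurrentWare's code. WORDS is a small constructed stand-in for a real
word list of several thousand entries (an assumption).
"""
import math
import re
import secrets

WORDS = ["correct", "horse", "battery", "staple", "orbit", "lantern", "maple",
         "quartz", "velvet", "tundra", "cobalt", "ember", "harbor", "kestrel"]

# Common "leet" substitutions an attacker's mangling rules already undo.
LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o", "1": "l",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def entropy_bits(choices, positions):
    """Bits of entropy when every position is drawn uniformly at random."""
    return positions * math.log2(choices)


def generate_passphrase(wordlist=WORDS, words=5, sep="-"):
    """Draw words with the CSPRNG-backed secrets module, never random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def normalize(pw):
    """Reduce a password to the core an attacker would mutate: lowercase,
    trailing digits/symbols stripped, leet substitutions undone."""
    s = pw.lower()
    s = re.sub(r"[^a-z]+$", "", s)       # Summer2023! -> summer
    s = s.translate(LEET)                 # p@ssw0rd    -> password
    return re.sub(r"[^a-z0-9]", "", s)


def is_variant_of(new, old, min_core=6):
    """True if `new` is `old` with only cosmetic changes (case, suffix, leet,
    or the old core embedded in the new one)."""
    a, b = normalize(new), normalize(old)
    if not a or not b:
        return False
    return a == b or (len(b) >= min_core and b in a) or (len(a) >= min_core and a in b)


if __name__ == "__main__":
    print("8 printable-ASCII chars :", round(entropy_bits(95, 8), 1), "bits")
    print("5 words from a 7776 list:", round(entropy_bits(7776, 5), 1), "bits")
    print("sample passphrase       :", generate_passphrase())
    print("Summer2023! vs Summer2022:", is_variant_of("Summer2023!", "Summer2022"))
```

Five words from a 7776-word list (about 64.6 bits) beat eight fully random printable characters (about 52.6 bits), and the passphrase is far easier to remember. Both figures assume uniformly random selection; a passphrase the user composes from favourite words has much less entropy than the arithmetic suggests, which is why the generator draws from `secrets` rather than trusting the user. The variant check is the kind of rule a password manager or directory policy can enforce at change time so that "Summer2022" does not quietly become "Summer2023!".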

13) Use Multi-Factor Authentication (MFA) on All Accounts

MFA requires users to combine their password with an additional authentication factor such as a code from an authenticator app, a hardware security key, a fingerprint scan, or a one-time password delivered by SMS. This better protects user accounts should an insider threat attempt to use a coworker’s credentials in their attack. Prefer authenticator apps or phishing-resistant hardware keys over SMS, which is exposed to SIM swapping and interception, and remember that MFA does nothing against an insider misusing their own legitimately authenticated account; that risk is addressed by the access control and monitoring tips above.

14) Separate Business and Personal Assets

Do not allow employees to store or access corporate data using their personal accounts or devices. The amount of monitoring and control that is available for personal devices is limited; a departing employee could accidentally or maliciously retain company data on their devices after their employment has concluded.

15) Limit the Number and Use of Admin Accounts


Privileged accounts such as admin and superuser accounts have fewer (or no) restrictions on what they can do in your network. These accounts need to be closely monitored and controlled to ensure that they are not being abused by insider threats or other bad actors.

Tips for securing privileged accounts

  • Do not allow the use of privileged accounts for routine tasks
  • Implement greater monitoring and control over privileged accounts
  • Limit how many privileged accounts are available
  • Delete privileged accounts that are no longer needed
  • Monitor all changes to privileged accounts to detect suspicious events

16) Do Not Give Users Control Over Corporate Accounts

Admin-level control of accounts should not be given to individual employees. Instead, applications and services that are needed by your business should be managed by your IT personnel. This helps to ensure that company accounts are adequately secured, backed up, and not lost to disgruntled employees. 

BONUS: Data Security Tips for Employee Offboarding


The employee offboarding process presents significant data security risks. Employees have intimate access to corporate data, insider knowledge of the organization’s systems, and a level of trust that can allow them to steal data undetected.

  • 70% of intellectual property theft occurs within the 90 days before an employee’s resignation announcement
  • 88% of IT workers have stated that they would take sensitive data with them if they were fired
  • 72% of CEOs admit they’ve taken valuable intellectual property (IP) from a former employer
  • 50% of respondents in a Symantec survey say they have taken information, and 40% say they will use it in their new jobs

These vulnerabilities need to be addressed as part of any insider threat management program, with a documented IT offboarding checklist that covers access revocation and device recovery for every departing employee.

Conclusion

It is absolutely critical that your organization is protected against insider data theft. There is no shortage of opportunities for malicious or negligent insiders to leak sensitive data.

To best protect data you need to control where it will be stored, limit access to an as-needed basis, monitor employees for suspicious activity, and implement a layered security approach that addresses as many potential vulnerabilities as possible.

Dale Strickland
Dale Strickland is a Marketing Coordinator for CurrentWare, a global provider of endpoint security and employee monitoring software. Dale’s diverse multimedia background allows him the opportunity to produce a variety of content for CurrentWare including blogs, infographics, videos, eBooks, and social media shareables.