With all the headlines about WikiLeaks and the constant barrage of data breaches, it can be hard to understand where to focus your security efforts. Most organizations have a combination of firewalls, intrusion detection systems, application proxies, virtual private network (VPN) servers and other perimeter defenses geared to keep people out.
That’s important, but according to the 2010 Verizon Data Breach Report, most data breaches are caused by people already on the inside. Almost 50% are existing employees stealing confidential information. The main motivation is money, revenge or harming your organization in some way.
The other major problem is employees unintentionally losing information. Some of it is deliberate, but a lot of the time it’s accidental. A report by IDC on Insider Risk Management says that businesses reported an average of 14.4 incidents of unintentional data loss caused by employee negligence in the past 12 months. I assume the numbers are higher, since a lot of the time organizations may be unaware of some incidents. The biggest problems were employees losing removable media, losing portable computers (including smart phones), and unauthorized access to confidential information. Sometimes it’s just a matter of being careless, but whether it’s deliberate or not, your sensitive information is getting out.
Leaked data can cause legal, financial and customer problems. Stealing customer data is bad enough, but a lot of the time someone wants your internal correspondence or your next product design. Think about the impact on your business if all your competitors knew the details of your upcoming products before you released them, or if they knew your plans to defend yourself in a lawsuit. Just think about all the leaked memos from the tobacco companies, which ultimately cost them billions of dollars in damages.
A key priority in your business strategy should be to reduce the risks to your critical information by internal users. That begins by understanding what you have and then determining how to protect it. Don’t just think about your employees. Think about everyone that comes into your organization physically and virtually. That could be contractors, consultants, business partners, legal advisors, auditors and even customers.
You need to understand who has access to information and whether they should have that access. There needs to be a business reason to give someone access to confidential information, and you need a combination of policy, process and technology to enforce it. I could put a lock on a filing cabinet with confidential documents, but if I hand an unauthorized person the key, my security vanishes.
Organizations need to focus on insider threat management. If you only rely on IT to safeguard confidential information, you are living under a false sense of security. It’s everyone’s job to control and protect your information. You first need to understand the risks to your business and then create policies and processes to mitigate those risks. Once you know what to protect, you can deploy technologies to lock things down. Assume the worst and prepare for it. Using persistent protection ensures that if something important does get out, it is useless to anyone not authorized to have it.