Sometimes Employees Are Just As Much of a Risk as Malicious Attackers

US House Recommends 'Zero-Trust' Model for Insider Data AccessData from our Ponemon study, “Risky Business: How Company Insiders Put High Value Information at Risk,” was recently cited in Tara Seal’s Infosecurity Magazine article, “US House Recommends ‘Zero-Trust’ Model for Insider Data Access.” The article referenced the statistic that 72 percent of surveyed organizations are not confident in their ability to manage or control employee access to confidential documents and files. This leads to the actions of careless employees being the primary cause of data breaches, rather than malicious attackers.

The US House has recommended that federal agencies invoke a “zero-trust” system to keep personal, confidential data out of the hands of foreign attackers . The House views government employees as just as big a risk to their organizations as they do malicious attackers — a consideration that all organizations would benefit from adopting. While “zero-trust” sounds a bit harsh, there are multiple ways that these federal agencies can implement security measures to reduce the employee risk they fear so much.

Bill Blake, president of Fasoo, Inc., was quoted in the article saying “What should be concerning to C-level executives and corporate boards is that most organizations have no idea where mission-critical information is located on the corporate network, who has access and what they are doing with that information.  Deploying DRM solutions is a first step. Beyond that, organizations must be vigilant in applying and enforcing security policies as well as knowing where the organization’s most valuable information is located at all times.”

The first step to reducing the risk is to take control over all employee access and permissions. The second step is to consistently monitor and follow up on these protocols. How many employees really need access to sensitive data? For the employees who do access it, what are they doing with it? Who are they sharing it with? An organization that places security as a top priority should be able to easily answer these questions.

Deploying technology to help discover, protect and control confidential data at all times would be the next logical step once the organization can answer these questions.  Limiting access to select groups is important, but having a way to dynamically change that access and even revoke it on information already shared provides a more robust approach to protection.  Auditing and monitoring is key to understanding changing business requirements, since roles and responsibilities are always changing.  Coupling policy changes with technology that can enforce those policies provides the best way to invoke a “zero-trust” system.

Think of sensitive data as a toddler at the park…you must always keep an eye on it, even if from afar.

Leave a Reply