Reports emerged yesterday that UK media regulator Ofcom suffered a massive data breach when a former employee stole sensitive information on television companies and gave it to a major broadcaster, which incidentally is his or her new employer. The person who stole the information was not identified in reports. The former employee downloaded as much as six years worth of data before leaving the company. The intent of the action was to gain a competitive advantage in the market.
Even though Ofcom says it takes data security very seriously, it is most likely missing some of the blind spots that companies ignore. Most organizations focus their security on the perimeter, trying to protect networks and systems from outside hackers. They rarely look inward, assuming that an employee is a trusted person who will always have the company’s best interests in mind.
Insider threats can take two forms: accidental and malicious. This was a case of malicious intent because the person intended to steal sensitive information for personal gain. Privileged users can pose a greater threat to your business than hackers, since they already have access to critical business data. This person had legitimate access to this data presumably to do their job. Apparently there was nothing in place to stop the person from taking the data and sharing it with anyone outside the company.
The other insider threat is someone who accidentally shares sensitive information. This could be unintentionally sending a file to the wrong person, losing a laptop or thumb drive or being tricked into giving away login credentials to the wrong person. There is no malicious intent here, but the consequences can be the same.
The only way to manage the situation is to understand what data is sensitive and lock it down to control its access at all times. The best way is discover, classify and protect the data as you create and share it. This should apply to files you create daily and information you download from databases or information systems.
A layered approach can apply dynamic permission controls to data that can change as business requirements change. This allows you to automatically adjust security policy based on changed content within a file. For example, if you have a file that is for all internal employees, but you add PII to it, you need to increase the security to limit access because of the sensitive nature of what’s inside.
It’s also important to understand usage patterns of your sensitive information to help you determine behavioral anomalies that could indicate an insider threat. If normal behavior for the ex employee was to open a few files a day, but all of a sudden they are opening hundreds, they may be stealing sensitive information. Monitoring this behavior could prevent a possible data breach.
If Ofcom had encrypted its data and applied strict permission controls that stay with it regardless of location, this wouldn’t even be a story. The employee could have copied files to share, but they would be useless, since the person couldn’t read the information inside.
Combating insider threats can be challenging, but your best defense is to protect and control confidential data at the source so it is secured at rest, in motion and while in use regardless of device, storage technology, storage location, and application.
