Data breaches caused by internal users resulted in 43 percent of the data loss in organizations, with half of those breaches intentional, according to a new study on data exfiltration from Intel Security. Internal users include employees, contractors, and third-party suppliers. Many of these people are privileged users who have legitimate access to sensitive information.
Customer information, employee information and intellectual property were the top targets for internal users; they were also the top targets for external hackers. Microsoft Office, text and PDF documents were the most common formats of data stolen by internal users, probably because these documents are stored on employee devices and easily accessible file shares, and many organizations place few controls on the data once it is no longer in a database. Since 80% of an organization’s data is unstructured content, it makes sense that insiders would target these types of documents.
Perhaps the most interesting part of the survey is how data was taken. 60 percent of information was stolen using electronic means, like file transfer and email, but 40 percent was stolen using physical media. The most common physical approach was to take data on laptops, tablets or USB drives. Mobile phones were involved in 15 percent of physical thefts, but printed copies, CDs, DVDs, and faxes are still being used to extract data from companies.
While perimeter-based security still seems to be the focus for stopping this type of data exfiltration, it is obviously not getting the job done. DLP and intrusion detection and prevention technologies are valuable for focusing on data and its movement through a network, but they don’t help when a privileged user has legitimate access to sensitive data. If I need to access PII or PHI as part of my job, these technologies will not stop me from accessing the information.
So how do you stop this problem?
Determine who should have access to sensitive data and apply strong encryption and permission controls to the documents containing that sensitive data. Once these controls are implemented, you need to monitor access to those documents to determine a baseline of normal behavior so you can understand when someone deviates from the norm. You should monitor who is viewing, editing and printing documents and whether they are doing something that isn’t typical for them.
Privileged users need access to sensitive documents, but you need to control who can access them and what they can do with them. Applying access and permission controls ensures that if someone exfiltrates sensitive data, it is rendered useless to external parties. Applying these controls and monitoring document usage helps you predict and deter insider threats before they cause harm.
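As an added illustration of the baseline monitoring described above (not code from the original article), the following Python example builds a per-user baseline of daily view, edit and print counts and flags a day that deviates from it. The event format, user names, counts and the threshold rule (mean plus three standard deviations, with a floor) are assumptions made for the example.

```python
import statistics
from collections import defaultdict

# Constructed sample data: events per day for each (user, action) over five
# baseline days plus the day under review. Names and numbers are made up.
DATES = ["2024-03-04", "2024-03-05", "2024-03-06", "2024-03-07", "2024-03-08", "2024-03-11"]
ACTIVITY = {
    ("alice", "view"):  [5, 4, 6, 5, 4, 5],
    ("alice", "print"): [0, 1, 0, 1, 0, 12],
    ("bob", "view"):    [2, 3, 2, 3, 2, 3],
    ("bob", "edit"):    [0, 0, 0, 0, 0, 1],
}

def build_sample_events():
    """Expand ACTIVITY into audit events: (date, user, action, document)."""
    return [(day, user, action, f"doc-{i}")
            for (user, action), per_day in ACTIVITY.items()
            for day, n in zip(DATES, per_day)
            for i in range(n)]

def find_deviations(events, review_day, k=3.0, min_days=3):
    """Flag (user, action) pairs whose count on review_day exceeds baseline."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, action, _doc in events:
        counts[(user, action)][day] += 1
    # Every earlier day seen in the log counts toward the baseline, including
    # days on which a user did nothing, so quiet days pull the mean down.
    baseline_days = sorted({e[0] for e in events if e[0] < review_day})
    alerts = []
    if len(baseline_days) < min_days:
        return alerts  # too little history to call anything abnormal
    for (user, action), per_day in sorted(counts.items()):
        observed = per_day.get(review_day, 0)
        history = [per_day.get(day, 0) for day in baseline_days]
        mean = statistics.mean(history)
        # Floor the spread at 1 event so a perfectly steady user does not
        # alert on a single extra view or print.
        spread = max(statistics.pstdev(history), 1.0)
        threshold = mean + k * spread
        if observed > threshold:
            alerts.append((user, action, observed, round(threshold, 2)))
    return alerts

if __name__ == "__main__":
    for alert in find_deviations(build_sample_events(), "2024-03-11"):
        print("unusual activity:", alert)
```

On the constructed data only the burst of printing is reported; a first-ever single edit and ordinary viewing stay under the threshold.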
How do you stop privileged users from exfiltrating sensitive data?