Jean Patrice Delia was an engineer at GE when he decided to steal company data and use trade secrets, pricing information, marketing data, and other documents and funnel them to his business partner to compete against GE. After an FBI investigation, Delia was arrested and sentenced to two years in prison and ordered to pay $1.4 million in restitution. His business partner, Miguel Sernas, spent nearly a year in jail and was also ordered to pay $1.4 million.
A disgruntled Tesla employee exported significant amounts of company data and sent it to a third party outside the organization. Martin Tripp exported gigabytes of Tesla data, including confidential photos, video of company manufacturing systems, and financial data. He admitted installing code on fellow employees’ computers to continue stealing data even after he left the company. While Tripp claimed whistleblower status, he was ordered to pay Tesla $400,000.
While both cases led to legal action and the companies were able to recover some money, the damage was done and it took years to conclude the cases.
These are just a couple of examples of known data breaches due to insider threats.
The Verizon 2021 Data Breach Investigations Report (DBIR) studied nearly 80,000 incidents and more than 5,200 data breaches. They found that 85% of breaches involved a human element. Employees may be careless with information, unwittingly provide threat actors with login credentials, or be victims of phishing attacks. More than one in five attempts were also caused by malicious activity by employees.
Over the past few years, the number of incidents involving insider threats has risen by nearly 50% and it’s cost organizations millions of dollars to mitigate the damage after the exposure of the company, employee, and customer data.
With more work being done remotely, data is even more vulnerable. Nearly 80% of IT leaders admit their company data is more at risk from insider threats, especially if they adopt a permanent hybrid work environment. Truly, it’s not just cybercriminals you have to worry about. You also need to protect your data from insiders.
Most Common Types of Insider Threats
Not all data leaks are breaches, and not all are the result of malicious acts. Most of the time, incidents happen because employees fail to follow security protocols or don’t take them seriously. By far, most data breaches occur because of human error.
Phishing and business email compromise, clicking on malicious links or attachments, and giving outsiders access to company login credentials are among the threats.
Other insider threats include:
Employees Leaving the Company
One study showed that a quarter of employees admitted they took data with them when leaving their company. While most take material they created, 25% also admitted they took data they did not create. The overwhelming majority of those surveyed said they didn’t see anything wrong with doing it even when companies had policies in place to prevent data theft.
Executives
Company executives generally have access to escalating levels of data and may not always play by the same rules as everyone else. Especially when IT leaders report to executives, it may be challenging to get C-suite execs to follow cybersecurity best practices.
Executives may also feel they have ownership of the information they create or use, and feel comfortable taking it with them or sharing it — even if they should know better.
Disgruntled Employees and Whistleblowers
Not everyone in the company may agree with decisions that are made. Employees may be unhappy about policies or actions and want to get the information out there. Depending on the actions, some may feel justified in sharing sensitive information with the public, media sources, or regulatory agencies.
Protecting Your Data from Insider Threats
Protecting your data from insider threats requires a proactive approach to data security. Employee training can help educate workers on security threats and company protocols of safe data handling.
Other strategies include:
Encryption
All sensitive data within your network should be encrypted. When data is in transit, such as email, it should be protected by Secure Sockets Layer (SSL) or Transport Layer Security (TLS) for safe transmission so that it cannot be read if intercepted. Note that the SSL protocol versions themselves are deprecated; current deployments should require TLS 1.2 or later.
Secure Email Gateway
A secure email gateway can filter email and block outside threats from accessing your network. The best systems will employ multiple strategies to protect your data from external threats, including:
- Email Authentication
- Account Hijack Detection
- Blocklisting and Allowlisting
A secure email gateway can also protect your business from human error. The best systems will offer data leak prevention by also filtering outbound email. This flags and prevents the unauthorized transmission of sensitive information such as credit card numbers, social security numbers, and other confidential company data identified by your security policies outside of your network.
Using SecurityGateway™ for Email Servers or the cloud-hosted SecurityGateway service from MDaemon Technologies, for example, you can minimize data leakage by enabling preset rules or creating custom rules to filter specific types of data or terms that you identify. When such information is found, you can configure specific actions to take, such as encrypting the message or sending it to quarantine for administrator review.
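The outbound data leak prevention described above, as an added example that is not SecurityGateway's code and does not use its rule syntax: a small outbound mail filter that applies two preset rules (Luhn-validated credit card numbers and U.S. Social Security numbers) plus custom confidential terms, and maps each finding to an action. The rule names, the custom terms, the internal domain and the sample message are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed preset rules (hypothetical; not a vendor's rule syntax).
CREDIT_CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Constructed custom terms an administrator might mark as confidential.
CUSTOM_TERMS = ["project falcon", "internal only"]
# Constructed policy: which action each rule triggers; quarantine outranks encrypt.
ACTION_FOR_RULE = {"credit_card": "quarantine", "ssn": "quarantine", "custom_term": "encrypt"}
RANK = {"deliver": 0, "encrypt": 1, "quarantine": 2}


def luhn_valid(number: str) -> bool:
    """Luhn checksum: filters out phone numbers and other digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    rule: str
    match: str


@dataclass
class Verdict:
    action: str                       # "deliver", "encrypt" or "quarantine"
    findings: list = field(default_factory=list)


def scan_outbound(body: str, internal_domain: str, recipients: list) -> Verdict:
    """Apply DLP rules to a message; only mail with an external recipient is subject to filtering."""
    if all(r.lower().endswith("@" + internal_domain) for r in recipients):
        return Verdict("deliver")
    findings = []
    for m in CREDIT_CARD_RE.finditer(body):
        if luhn_valid(m.group()):
            findings.append(Finding("credit_card", m.group().strip()))
    for m in SSN_RE.finditer(body):
        findings.append(Finding("ssn", m.group()))
    lowered = body.lower()
    for term in CUSTOM_TERMS:
        if term in lowered:
            findings.append(Finding("custom_term", term))
    # The most severe action among all findings wins.
    action = "deliver"
    for f in findings:
        candidate = ACTION_FOR_RULE[f.rule]
        if RANK[candidate] > RANK[action]:
            action = candidate
    return Verdict(action, findings)


# Constructed sample message; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
SAMPLE_BODY = ("Hi, the card on file is 4111 1111 1111 1111 and the SSN is 123-45-6789. "
               "Project Falcon update attached.")

if __name__ == "__main__":
    v = scan_outbound(SAMPLE_BODY, "example.com", ["partner@other.example"])
    print(v.action, [f.rule for f in v.findings])
```

Each finding carries the rule that fired so the quarantine entry an administrator reviews explains why the message was held.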
Monitoring Employee Activity
When you uncover unusual employee activity, it should trigger further investigation. For example:
- An employee downloads large amounts of data.
- An employee accesses applications or data that are outside of their normal workload.
- An employee accesses your network at unusual times or unknown locations.
- An employee signs on to your network on their days off.
Creating security logs with alerts for unusual activity can help you detect warning signs of potential insider threats.
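The alerting logic described in the four bullets above, as an added example (not code from the original article): it builds a per-user baseline of known source addresses, applications and download volumes from a training window of access-log lines, then flags later events that show a large download, an application outside the user's normal workload, an unknown location, an off-hours login, or a login on a non-working day. The log format, the users, the addresses and the thresholds are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample access log (not from any real system):
# timestamp user source-ip application bytes-downloaded
SAMPLE_LOG = """\
2022-03-07T09:12:00 alice 10.0.0.12 crm 120000
2022-03-07T11:40:00 alice 10.0.0.12 crm 80000
2022-03-08T10:05:00 alice 10.0.0.12 crm 95000
2022-03-09T14:30:00 alice 10.0.0.12 crm 110000
2022-03-12T02:15:00 alice 203.0.113.7 crm 900000000
2022-03-14T10:00:00 alice 10.0.0.12 hr-payroll 5000
"""

BUSINESS_HOURS = range(7, 19)          # constructed: 07:00-18:59 counts as normal
VOLUME_MULTIPLIER = 10                 # flag when volume exceeds 10x the user's baseline max
ABSOLUTE_LARGE = 100 * 1024 * 1024     # or exceeds 100 MiB regardless of baseline


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    app: str
    bytes_out: int


@dataclass
class Baseline:
    ips: set
    apps: set
    max_bytes: int


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, app, size = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, ip, app, int(size)))
    return events


def build_baseline(events: list) -> dict:
    """Per-user profile of what 'normal' looked like during the training window."""
    per_user = {}
    for e in events:
        b = per_user.setdefault(e.user, Baseline(set(), set(), 0))
        b.ips.add(e.ip)
        b.apps.add(e.app)
        b.max_bytes = max(b.max_bytes, e.bytes_out)
    return per_user


def flag_event(e: Event, baseline: Baseline) -> list:
    """Return the list of warning signs an event shows relative to the user's baseline."""
    reasons = []
    if e.bytes_out > max(ABSOLUTE_LARGE, VOLUME_MULTIPLIER * baseline.max_bytes):
        reasons.append("large download")
    if e.app not in baseline.apps:
        reasons.append("unusual application")
    if e.ip not in baseline.ips:
        reasons.append("unknown location")
    if e.ts.hour not in BUSINESS_HOURS:
        reasons.append("unusual time")
    if e.ts.weekday() >= 5:            # Saturday or Sunday
        reasons.append("non-working day")
    return reasons


def analyze(text: str, training_cutoff: datetime) -> list:
    """Train on events before the cutoff, then alert on later events that deviate from baseline."""
    events = parse_log(text)
    baselines = build_baseline([e for e in events if e.ts < training_cutoff])
    alerts = []
    for e in events:
        if e.ts < training_cutoff:
            continue
        b = baselines.get(e.user)
        reasons = ["no baseline for user"] if b is None else flag_event(e, b)
        if reasons:
            alerts.append((e, reasons))
    return alerts


if __name__ == "__main__":
    for event, reasons in analyze(SAMPLE_LOG, datetime(2022, 3, 10)):
        print(event.ts, event.user, reasons)
```

In production the baseline would be rebuilt on a rolling window and the reasons attached to a ticket for the investigation step; an alert that lists several reasons at once, as the Saturday 02:15 download does here, is the pattern that warrants immediate follow-up.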
Managing Access Levels
Employing the Principle of Least Privilege is also an important security measure to prevent unauthorized access and distribution. This principle states that access should only be granted to those with a verified business reason. Any non-essential data or applications should be restricted from those without a reason unless they get prior authorization.
Employing a Zero Trust framework requires every user to be authenticated, authorized, and validated for security configurations before gaining access to data or applications. When deployed in the application or data layer, this helps segment the data to prevent lateral movement from threat actors inside the system.
Protecting Remote and Distributed Workers
Over the past two years, more employees than ever are working remotely or at distributed worksites. By the end of 2022, projections are that 25% of all professional jobs in North America will be done remotely. This dramatically enlarges the potential attack surface.
People working remotely are often working on public or unsecured Wi-Fi, home routers, and shared devices. Besides educating remote workers about the additional exposure that comes from working outside the office, organizations should deploy a Secure Access Service Edge (SASE) and software-defined wide area networks (SD-WAN) to enforce security policies on all users, regardless of where they are working or accessing company resources.
For each session, SASE performs an ongoing assessment of risk and manages user sessions to enforce security policies based on:
- The identity of the person accessing resources
- The health and behavior of the device
- The sensitivity of the data being accessed
- Company security and compliance protocols
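The per-session policy evaluation above, together with the least-privilege and Zero Trust requirements in the Managing Access Levels section, as an added example (not code from the original article or from any SASE product): an access decision that checks the person's identity and role allowances, the device's health, and the sensitivity of the data, and returns every reason a request fails so that each denial is explainable. The roles, resource tiers and posture attributes are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Identity:
    user: str
    roles: set
    mfa_verified: bool


@dataclass
class Device:
    mdm_enrolled: bool
    disk_encrypted: bool
    os_patched: bool


@dataclass
class Resource:
    name: str
    sensitivity: str        # "public", "internal", "confidential" or "restricted"


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


# Constructed least-privilege matrix: role -> resources that role has a business reason to use.
ROLE_ACCESS = {
    "sales": {"crm"},
    "finance": {"erp", "payroll"},
    "engineering": {"source-repo"},
}
SENSITIVITY_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


def evaluate_session(identity: Identity, device: Device, resource: Resource,
                     exceptions: frozenset = frozenset()) -> Decision:
    """Evaluate one request; run on every request, not only at login, so posture changes are caught."""
    reasons = []
    rank = SENSITIVITY_RANK[resource.sensitivity]

    # 1. Least privilege: the resource must be covered by a role or by an approved exception.
    permitted = set().union(*(ROLE_ACCESS.get(r, set()) for r in identity.roles))
    if resource.name not in permitted and (identity.user, resource.name) not in exceptions:
        reasons.append("no business reason on record for this resource")

    # 2. Identity assurance scales with data sensitivity.
    if rank >= SENSITIVITY_RANK["confidential"] and not identity.mfa_verified:
        reasons.append("MFA required for confidential data")

    # 3. Device health and management status.
    if not device.os_patched:
        reasons.append("device is missing security updates")
    if rank >= SENSITIVITY_RANK["confidential"] and not device.disk_encrypted:
        reasons.append("confidential data requires an encrypted device")
    if resource.sensitivity == "restricted" and not device.mdm_enrolled:
        reasons.append("restricted data is only available from managed devices")

    return Decision(allow=not reasons, reasons=reasons)


# Constructed sample subjects and resources.
HEALTHY = Device(mdm_enrolled=True, disk_encrypted=True, os_patched=True)
UNMANAGED = Device(mdm_enrolled=False, disk_encrypted=False, os_patched=True)
CRM = Resource("crm", "internal")
PAYROLL = Resource("payroll", "confidential")

if __name__ == "__main__":
    alice = Identity("alice", {"sales"}, mfa_verified=True)
    print(evaluate_session(alice, HEALTHY, CRM))
    print(evaluate_session(alice, HEALTHY, PAYROLL))
```

The `exceptions` argument models the "prior authorization" path: a documented, time-limited grant for a specific user and resource rather than a broadened role.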
Mobile Device Management
According to Gartner, a laptop is stolen on average every 53 seconds in the U.S. Some 70 million smartphones are lost or stolen every year with just a 7% recovery rate. When company data is stored on mobile devices, it puts your business at risk of data leaks. It’s the same story for devices that have remote access even if data isn’t being stored locally.
Mobile device management (MDM) software provides IT administrators with control to enforce security policies on mobile devices, segment and encrypt data, and wipe devices when they are lost or stolen. MDM can also manage what apps can be installed, allow and block site access, and enforce other password and security rules for individual devices, even on BYOD.
Mitigating Insider Theft
The Cybersecurity & Infrastructure Security Agency (CISA) recommends a four-step process to help mitigate insider theft: define, detect and identify, assess, and manage.
Define
Organizations need to define what constitutes a threat and potential security flaw.
Companies should also periodically review their security and compliance policies along with an inventory of where and how their sensitive data is stored and accessed. Today’s networks have become complex, especially in companies with multiple locations that deploy hybrid or multi-cloud approaches. IT leaders need a detailed roadmap of where assets are deployed and how they are interconnected.
Detect and Identify
Successful insider threat programs use both human and technological resources to detect and identify vulnerabilities.
Assess
Besides threat prevention programs, companies should have an incident response team (IRT) and a strategic plan in place to quickly assess and respond when a security lapse is reported.
Manage
Threats must be managed and mitigated as quickly as possible to limit further damage and protect assets.
It Takes a Proactive Approach to Data Security
Managing insider threats requires a proactive approach, using best practices for network and data security, and active monitoring to detect and mitigate threats. For more information about securing your email from internal and external threats, contact the email security experts at MDaemon Technologies today.