Companies face no shortage of data security threats. From malware to phishing, DoS attacks to ransomware, keeping your most important asset – your data – safe from malicious actors is no easy feat. Yet companies so often focus on protecting themselves against external threats that they may ignore what’s lurking behind their own office doors.
The greatest threat to high-growth companies today – especially those that collect and share sensitive information like PII, PHI, and other highly regulated data – is not from hackers, but from insider threats. While you may think your employees are trustworthy, no organization is immune. Seventy percent (70%) of data breaches are caused by current or former employees, contractors, or partners who have access to an organization’s systems or sensitive information.
Detecting insider threats is not easy for security teams. Typically, the insider already has access to sensitive data and knows where to find it. Once a company is aware of an internal breach, it’s too late and the data has already been compromised. However, a modern and effective approach to securing sensitive data that is focused on data discovery and classification, access control, and data masking can help protect your company from the inside out.
Insider Threats Can’t Stop, Won’t Stop
The past two years have seen rapid digital transformation as companies adjusted to remote and hybrid workforces, focused on bettering the customer journey, embraced new technologies like AI and machine learning to improve business processes, and relied on the cloud for nearly everything. This also, albeit unintentionally, set the stage for increased insider threats.
According to the 2022 Cost of Insider Threats Global Report from Ponemon Institute, 67% of companies are experiencing between 21 and more than 40 insider incidents per year, an increase of 60% from 2020. Insider threats can range from negligent – like the employee who emailed himself files and unknowingly exposed sensitive data on thousands of customers – to malicious, like when a former employee steals trade secrets or sells customer data for their own personal or financial gain. It takes an average of 85 days to contain one incident, costing over $480,000 for each negligent incident and nearly $650,000 for each malicious incident.
The traditional means of securing data are no longer enough. It was recently reported that 83% of employees accessed accounts from their previous employer following their departure from the company, with 56% admitting that they had used this access to harm their former employer. That statistic jumped to 70% among those who were fired from their job.
Take, for example, the recent data breach reported by fintech company Block (formerly known as Square). In April 2022, Block confirmed that a former employee downloaded reports from the mobile payment app Cash App that contained information for 8.2 million users. The employee had been granted access to this data as a part of their job responsibilities, but the information was accessed without permission after their employment ended.
This is just the most recent of many examples of insider threats. Insider attacks can have a variety of impacts on a business, from steep regulatory fines for non-compliance to financial losses, loss of customer trust, and reputational damage. But data breaches like the Block example are fully preventable – when there are good data security practices in place.
Putting The Right Data Security Practices in Place
Consider this: Your company is like a castle. You’ve taken every measurable step to defend your castle from outside attacks – you have your moat and deadly beasts ready to chomp at the heels of anyone trying to break in (your perimeter security and firewalls) and your armed guards further protecting the castle against those who make it past the first line (your application security). Your castle may be secure from outside forces, but your kingdom has thieves hidden within its walls. Until the entire palace is safe – from both external and internal threats – the crown jewels (your data) remain at risk.
To better arm themselves against attacks from the inside, today’s modern, high-growth organizations need to embrace a new approach to protecting sensitive data. Here are a few best practices to get started:
- Identify and classify sensitive data: Data discovery is the basis of any data security strategy, because before an organization can protect its most sensitive data, it must understand it and locate it. Protecting against data breaches requires protecting all data, but most organizations manage such large volumes of data that it’s common for some to be forgotten or misplaced. Data teams and security teams should collaborate to build an always-up-to-date inventory of data by scanning all data stores, identifying and classifying sensitive data, and organizing the data based on risk and value to the organization. As Arun Buduri, VP of Engineering, IT and CISO at Innovaccer, recently shared at the health care roundtable at the Data Leader Summit: “It’s all about going back to the fundamentals. Someone who is not supposed to have access to the data shouldn’t have access to the data. It’s as simple as that.”
- Protect sensitive data with data masking: Companies can protect sensitive data at query run-time with dynamic masking, based on security policies, identities, data locations, and data types. Data masking hides sensitive information by replacing it with anonymized or randomized data so even if unauthorized parties access the data, it won’t be useful. Data masking can even be applied to part of a data table, so that non-sensitive data is shown as is and sensitive data is masked. Data masking makes it possible to share sensitive data without compromising it, and supports compliance for GDPR, CCPA, and other regulatory requirements.
- Leverage fine-grained access controls: Granular access controls like Dynamic Masking, Row-Level Security, and ABAC (Attribute Based Access Control) can secure data without the need for engineering resources, regardless of how the data is stored or consumed. Access controls are physical and digital ways of limiting access to critical systems and data. Multi-factor authentication should be layered on top of access controls to further verify user identities before granting access. It is also important to have controls in place to prevent users from manipulating classification levels – only authorized users should be able to promote or demote data sensitivity.
- Decentralize data access workflows: According to James Richards, engineering manager responsible for data platforms and BI at Tractable, “Self services is the biggest challenge when it comes to scaling up. It’s absolutely crucial to scale effectively, but the organization doesn’t understand what that entails. It’s more than just creating dashboards – it’s everything around security, governance, data reliability and quality, cost performance management, accountability … there’s a huge number of things that need to be solved. But if it can be done effectively, it’s a huge growth catalyst.” Whether using self-service access, role-based access controls, or attribute-based access controls, automated workflows can facilitate data access requests and manage approvals without any added code or modifications to current data flows. Analysts, data scientists, and engineers can access the data they need quickly and without complex user and role configurations, and security teams can ensure that data security and compliance policies are tracked and enforced.
- Continuously audit and monitor data access: By automatically tracking and tracing every database query and result, data and security teams can get a real-time audit trail and visibility into when sensitive data was accessed, by whom, and why. This can also help teams fine-tune their security practices moving forward.
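The classification, masking, access-control and audit practices above can be sketched as one small query layer. This is an added example, not code from the article or from any product it mentions; the column labels, roles, policy table, sample row and the `query` helper are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed inventory: column -> sensitivity label (output of discovery/classification).
CLASSIFICATION = {"name": "pii", "email": "pii", "ssn": "restricted", "plan": "public"}
# Constructed policy: the labels each role may see unmasked.
POLICY = {"support": {"public", "pii"}, "analyst": {"public"}}
MASK = "*****"  # fixed width so the mask does not leak the value's length


@dataclass
class User:
    name: str
    role: str
    active: bool = True  # set to False when employment ends


def query(user, rows, audit_log):
    """Return rows masked for this user and append one audit record."""
    record = {"user": user.name, "role": user.role,
              "at": datetime.now(timezone.utc).isoformat()}
    if not user.active:
        # Former employees are denied outright, and the attempt is recorded.
        audit_log.append({**record, "decision": "deny", "rows": 0, "masked": []})
        raise PermissionError(f"{user.name} is no longer an active user")
    allowed = POLICY.get(user.role, set())  # unknown role: nothing unmasked
    masked_cols = set()
    result = []
    for row in rows:
        out = {}
        for col, value in row.items():
            # Unclassified columns fail closed and are treated as restricted.
            label = CLASSIFICATION.get(col, "restricted")
            if label in allowed:
                out[col] = value
            else:
                out[col] = MASK
                masked_cols.add(col)
        result.append(out)
    audit_log.append({**record, "decision": "allow", "rows": len(result),
                      "masked": sorted(masked_cols)})
    return result


# Constructed sample table; "notes" is deliberately missing from the inventory.
CUSTOMERS = [{"name": "A. Example", "email": "a@example.com",
              "ssn": "000-00-0000", "plan": "pro", "notes": "called twice"}]
```

The stored rows are never modified: masking is applied to the copy returned to the caller, and every request, allowed or denied, leaves an audit record.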
Protect Sensitive Data with DataSecOps
Data Security Operations (DataSecOps) combines these data security best practices into one integrated approach to automatically protect data from the inside out.
DataSecOps protects sensitive data from insider threats by providing real-time visibility into what data is being accessed and by whom. DataSecOps acts like a middle layer that checks requests in real time and cross-references them against privilege based on roles and responsibilities – making it possible to secure sensitive data in minutes, with zero impact to the data infrastructure and zero need for IT and data engineering resources.
Companies must also explain any data security policies and their importance, train their employees to be aware of inside breaches, and show them how to manage sensitive data and respond to suspicious activity. A sound DataSecOps strategy combined with cybersecurity awareness training is the ammunition that companies need to combat insider threats while keeping data accessible enough to drive innovation.