Has your organisation been hacked by an outsider lately? The answer to that question is probably no!
Outsider threats are generally the threats that have been addressed with traditional security measures such as firewalls, DLP, gateway protection and so on. Let us call these a function of Data Security. These functions have mostly been addressed in most organisations and therefore do not need further attention here. My disclaimer here is that I assume you have a good solution with an AMC (annual maintenance contract) in place and get the regular updates that are critical to keeping pace with the threat environment.
But I ask you this simple question. Who can cause you more damage: a thief who has entered your house and has limited time and room to move in which to find, secure and escape with your precious life's work, or a trusted employee who knows where you keep your valuables, knows your schedule, and one day becomes disgruntled? In much the same way, your employee can cause you far more damage than an outsider.
Insider threats contribute to more than 64 percent of data breaches (Digital Guardian).
Insider threat breaches can cost hundreds of thousands of dollars, and often millions more. Companies are increasingly aware of the risks that insiders pose to their data security. It is the threats that originate from inside that are much more difficult to prevent and detect with one-size-fits-all security measures. The function that addresses these would be categorised as Data Protection.
Companies are losing tens of thousands of rupees per employee per year as the cost of data breaches. The European Union, much more so than the US, has known and recognised the benefits of data protection since the late 1990s and laid down legislation to protect sensitive consumer data shared with companies. We must strive to understand how to go about securing our own unstructured data, so we must ask ourselves the following questions:
WHO cares? WHAT data is truly sensitive? WHO should have access to it? HOW is the data to be handled? WHEN should the protection policy (in your organisation) change? WHERE should the data be protected?
In large and complex organisations, human error permeates the answering of the above: data that is sensitive to one part of the organisation may not be to another; a well-meaning employee could erroneously share that data outside the organisation; or, worse yet, a malicious insider could decide to use that data to his or her own benefit, thereby hurting the organisation.
In recent cases, photos of internal documents of leading publicly listed companies, highlighting stock-price-sensitive information, were shared on social media before the results were announced to Sebi and the bourses. The companies were asked one pertinent question: what measures have you taken to prevent such occurrences? The firms were not in a position to answer this and therefore invited inquiries. They got away without much in fines this time around, but the next time? Who knows. Some 36 percent of data breaches come from ignorant or careless user actions that inadvertently cause security breaches, while 52 percent of employees see no security risk to their employer in sharing work logins (IS Decisions, Insider Threat Persona Study).
Really? Would you share your credit card, payments bank, online wallet or online banking passwords or OTPs? No. Then why would you share your work login? Simple: no monetary value is placed on the data you handle. The value of data can be highly subjective.
Therefore it becomes critical to take the decision-making out of the hands of users and make it an organisation-wide, policy-driven decision that can be enforced through role- and user-based access control policies.
Now how do we do that? In short: you have enterprise security in place for external threats; you must simply complete the "Enterprise Security Puzzle" keeping your internal threats in mind. To put it simply, you must answer the above questions for yourself, put policies in place (usually hundreds of them) to take the decision out of the hands of the user, and choose the right software tools to enforce those hundreds of policies in the regular course of work, making sure to evaluate the policies and make the necessary changes after the fact.
Why should this matter to you?
Forgetting for a moment that the RBI (for banks and NBFCs), Irdai (for insurance companies and brokers) and Sebi (for listed public entities) have already issued guidelines for data protection which will soon become tangible law with a roadmap for implementation: briefly put, data protection of this kind has been known to increase security, improve compliance, decrease costs and improve productivity, not to mention reduce the monetary loss arising from security breaches.
It is simpler to say all these things than to act on them, simply because each organisational environment is different and complex at the same time. But here is the silver lining to this dark and ominous cloud: this has been done in the EU for the last 20+ years. The products developed by OEMs for that market have encountered all of the above problems and many more, and have been effective despite them. I mention the EU because the guidelines issued by the regulators are based on the laws already enacted by the EU. So, in effect, a best-practices guidebook has already been written for you.
FAQs
Can I enforce corporate policies? ...and the guidebook will tell you: the solutions on offer enforce corporate policies and do not rely on users to know, understand, reason with or be willing to apply policies to data.
Can I allow it via any media? ...and the guidebook will tell you: the solutions on offer allow data to be shared via any media and still uphold corporate policies.
Can I have a zero-extra-click environment to achieve it? ...and the guidebook will tell you: some of the solutions on offer do not impact users' workflows at all, as they do not demand that users click on any extra buttons, pop-ups or combo boxes; the remaining ones impact them minimally.
Can I avoid onboarding "externals" into my systems, and avoid having to own or license software for them? ...and the guidebook will tell you: some of the solutions on offer do not require enterprises to onboard or manage "external users'" identities, while the others have varying degrees of complexity in that respect.
Can I then know who did what, when and how? ...and the guidebook will tell you: the solutions on offer deliver a comprehensive audit trail that enables SIEM tools to be leveraged for data analytics.
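What "taking the decision out of the hands of the user" and "knowing who did what, when and how" look like in practice, as an added illustration written for this edit (it is not code from the article, from IndusOne or from any product mentioned): a small policy decision point in Python in which classification labels, role clearances, permitted actions and permitted sharing channels are fixed tables, every decision is answered by those tables rather than by the employee, and every decision (allowed or denied) is written as a JSON audit event a SIEM can consume. The labels, roles, channel table, sample users and the "results document" scenario are all hypothetical; unlabelled data and unknown roles fail closed.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Classification levels, lowest to highest (hypothetical labels for this example).
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "RESTRICTED": 3}

# WHERE may data of a given label travel? Decided by policy, not by the sharer.
CHANNEL_POLICY = {
    "PUBLIC":       {"internal_drive", "corporate_email", "external_email", "social_media"},
    "INTERNAL":     {"internal_drive", "corporate_email"},
    "CONFIDENTIAL": {"internal_drive", "corporate_email"},
    "RESTRICTED":   {"internal_drive"},
}

# WHO may do WHAT: role clearance and permitted actions (hypothetical roles).
ROLES = {
    "finance_analyst": {"clearance": "RESTRICTED", "actions": {"read", "edit"}},
    "ir_officer":      {"clearance": "RESTRICTED", "actions": {"read", "share"}},
    "intern":          {"clearance": "INTERNAL",   "actions": {"read"}},
}

@dataclass
class Document:
    doc_id: str
    label: str        # assigned by the data owner / classification policy, never by the sharer
    owner_unit: str   # business unit that owns the data

@dataclass
class User:
    user_id: str
    role: str
    unit: str

@dataclass
class Decision:
    allowed: bool
    reason: str

# Audit trail: one JSON line per decision. In production this is shipped to the SIEM;
# here it is an in-memory list so the example runs offline.
AUDIT_LOG: list = []

def _audit(user: User, action: str, doc: Document, channel: str, d: Decision) -> dict:
    event = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user.user_id, "role": user.role, "unit": user.unit,
        "action": action, "doc": doc.doc_id, "label": doc.label,
        "channel": channel, "allowed": d.allowed, "reason": d.reason,
    }
    AUDIT_LOG.append(json.dumps(event, sort_keys=True))
    return event

def evaluate(user: User, action: str, doc: Document, channel: str) -> Decision:
    """Policy decision point: answers WHO / WHAT / HOW / WHERE from the tables above.
    Every outcome, allowed or not, is recorded in the audit trail."""
    role = ROLES.get(user.role)
    if role is None:
        d = Decision(False, f"unknown role {user.role!r}")                       # fail closed
    elif doc.label not in LEVELS:
        d = Decision(False, "unlabelled data: denied until classified")            # fail closed
    elif LEVELS[role["clearance"]] < LEVELS[doc.label]:
        d = Decision(False, f"clearance {role['clearance']} is below label {doc.label}")
    elif LEVELS[doc.label] >= LEVELS["CONFIDENTIAL"] and user.unit != doc.owner_unit:
        d = Decision(False, f"{doc.label} data of unit {doc.owner_unit} is need-to-know")
    elif action not in role["actions"]:
        d = Decision(False, f"role {user.role} may not {action}")
    elif action == "share" and channel not in CHANNEL_POLICY[doc.label]:
        d = Decision(False, f"{doc.label} data may not leave via {channel}")
    else:
        d = Decision(True, "allowed by policy")
    _audit(user, action, doc, channel, d)
    return d

def denied_shares(log=None) -> list:
    """The kind of query a SIEM would run over the trail: who tried to move data where."""
    lines = AUDIT_LOG if log is None else log
    rows = [json.loads(line) for line in lines]
    return [(r["user"], r["doc"], r["channel"]) for r in rows
            if r["action"] == "share" and not r["allowed"]]

if __name__ == "__main__":
    # Constructed scenario: quarterly results are RESTRICTED and owned by finance.
    results = Document("Q4-results.pdf", "RESTRICTED", "finance")
    analyst = User("asha", "finance_analyst", "finance")
    ir = User("ravi", "ir_officer", "finance")
    intern = User("tim", "intern", "marketing")
    print(evaluate(analyst, "read", results, "internal_drive"))   # allowed
    print(evaluate(ir, "share", results, "social_media"))         # denied: channel
    print(evaluate(intern, "read", results, "internal_drive"))    # denied: clearance
    print(*AUDIT_LOG, sep="\n")
    print(denied_shares())
```

The point of the structure is that the employee never gets to decide whether a results document is sensitive or whether a social-media post is an acceptable channel; the label travels with the document, the tables answer the question, and the denied attempt is itself an audit event that can be alerted on rather than discovered after the post goes viral.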
The work has already been done for you; now it becomes a matter of 'Organisational Will'. Will you and your organisation take heed?

Utkarsh Morarka is co-founder and business development head, IndusOne Business Solutions.