Businesses worried about keeping proprietary information, financials and other digital data safe should focus on internal controls as much as outside threats, a cybersecurity report suggests.
Breaches and data theft from government agencies and companies ranging from Target to Medtronic in recent years can raise concerns about bad guys using their technical savvy in unsavory ways. Most of the online swiping, however, is an inside job.
“Organizations are overlooking the most harmful data-security threat: their own employees,” said Code42 CEO Joe Payne.
The Minneapolis data-security firm commissioned the 2019 Global Data Exposure Report of 1,028 information security leaders and 615 business decision-makers by Sapio Research of the United Kingdom.
“Fifty years ago, if you were going to leave General Motors, you couldn't take the plant with you,” Payne said. “And the critical information about the production line was locked in a cabinet.”
Now, the ideas and other proprietary information are all digital. Companies have done a good job of sharing the information across the workforce, using tools such as Google Drive, Dropbox, Slack and email to improve collaboration.
“The problem is that now our most important information, whether it's sales prospects or customer lists or source code ... is spread across the organization and is highly portable on a thumb drive or email,” Payne said. “Information is less siloed. But there are unintended consequences. Our study basically shows that 63% of people admit that they took data from their last job and brought it to their current job. Our work indicates it's closer to 100%.”
Controlling inside threats is a “major issue for businesses today,” and it can be difficult to have a totally encompassing system, said Ross Filipek, chief information security officer in Fort Wayne for Symplexity, an information security firm.
Businesses are often quick to roll out technical controls, but also need organizational security policy. They should decide which jobs and employees need authorization to access certain data and “how they should protect it when it's in their care,” he said.
“Policies won't prevent people from doing what they shouldn't be doing,” but they at least spell out organizational standards and expectations, he said.
Security advocates often talk about a concept known as least privilege, meaning each user is able to access and interact only with the information necessary for their job.
A staff-level employee, for example, likely would have no need to access company financial information or those details for individual customers.
And while shared documents might be in vogue, that ease of access should also be a no-no, Filipek said.
“We always recommend organizations don't allow employees to use shared accounts,” he said. “That can get you into trouble a lot of times, because if you have multiple people who know the account name and password,” if one leaves – particularly not of their choice – you have to scramble to change passwords.
“From a technical side, there are a lot of things an organization can do in terms of monitoring who is accessing the information and what are they trying to do,” Filipek said, referring to another industry practice known as Privileged Account Management.
But the Least Privilege concept is more critical. Businesses, he said, want to not just be able to monitor access to certain information, but to prevent employees from misusing it.
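As an added illustration of the least-privilege and access-monitoring advice above (example code written for this page, not from Code42, Symplexity or the report), the Python below grants each role only the data classes its job needs, refuses requests from a shared account that has no individual owner, and keeps an audit log that can be reviewed for repeated refusals. The roles, data classes and user names are constructed assumptions.

```python
from collections import Counter

# Constructed least-privilege policy: each role may read only the data classes
# its job needs (illustrative roles and classes, not from the article).
ROLE_ACCESS = {
    "staff": {"project_docs"},
    "sales": {"project_docs", "customer_list", "sales_prospects"},
    "finance": {"project_docs", "financials"},
    "engineering": {"project_docs", "source_code"},
}

# Constructed user directory. A shared account maps to no individual owner,
# so it carries no role and every request from it is refused.
USERS = {"alice": "staff", "bob": "finance", "carol": "sales", "shared-ops": None}

AUDIT_LOG = []  # every decision is recorded, allowed or not


def authorize(user, data_class):
    """Return True only if the user's role explicitly grants the data class."""
    role = USERS.get(user)  # unknown user -> None -> denied
    allowed = role is not None and data_class in ROLE_ACCESS.get(role, set())
    AUDIT_LOG.append({"user": user, "role": role, "data": data_class, "allowed": allowed})
    return allowed


def denial_counts(log):
    """Monitoring view: how many refused requests each user has generated."""
    return Counter(e["user"] for e in log if not e["allowed"])


def flag_users(log, threshold=2):
    """Users whose refused-request count reaches the threshold: a starting
    point for a review of their access, not proof of misuse."""
    return sorted(u for u, n in denial_counts(log).items() if n >= threshold)


if __name__ == "__main__":
    for user, data in [("alice", "project_docs"), ("alice", "financials"),
                       ("alice", "customer_list"), ("bob", "financials"),
                       ("shared-ops", "project_docs")]:
        print(user, data, "allowed" if authorize(user, data) else "denied")
    print("review:", flag_users(AUDIT_LOG))
```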
Andy Oberlin, who said he worked with Best Buy in the department that is now known for its Geek Squad, is general manager at 4EOS, an office solutions, internet and data security firm in Fort Wayne.
Businesses can employ some relatively low-cost approaches for protecting information, he said, including keeping antivirus software on computers and operating systems up-to-date.
“I know it can be annoying when you get the prompts about updates,” Oberlin said last week. Still, taking action when you get the prompts is preventive.
Oberlin also said password management software can reduce the risk of falling victim to hacking or phishing schemes, particularly when a website a user has visited has been compromised. A password manager requires the user to remember a single master password; the software stores dozens of other passwords in encrypted form. Oberlin uses this type of software at home to help protect his family's information.
Although many companies have traditional preventive tools in place, the Sapio Research study said data loss, leak and theft, “particularly among insiders, continues to happen at an alarming pace.”
Said Filipek: “If you haven't sat down and thought about what you're trying to accomplish from a policy perspective, it just makes it more difficult to control.”
The Star Tribune in Minneapolis contributed to this story.
At a glance
A few key findings from the 2019 Global Data Exposure Report of 1,028 information security leaders and 615 business decision-makers:
• Rather than sticking to company-provided file sharing and collaboration tools, 1 in 3 (31%) business decision-makers also use social media platforms, such as Twitter, Facebook or LinkedIn, 37% use WhatsApp and 43% use personal email to send files and collaborate with their colleagues.
• Nearly two-thirds of CEOs, or 65%, admit to clicking on a link they should not have, showing that no level of employee is immune to lapses in judgment.
• These types of risky actions are why half of the data breaches that companies admitted to experiencing in the previous 18 months were caused by employees, according to both information security leaders and business decision-makers (50% and 53%, respectively).