Article highlighting how the biggest data security threat comes from the inside

October 17, 2013

The PC World article, Biggest data security threats come from inside, report says, highlights that the main threat to data security comes from within an organisation. The story is based on a Forrester report, Understand the State of Data Security and Privacy. The report found that only 42% of the small and midsize business workforce surveyed received training on how to remain secure at work, that only 57% said they are even aware of their organisation's current security policies, and that insiders are the main source of data breaches, with 36% of breaches stemming from inadvertent misuse of data by employees.

It provides:

While threats to data security and privacy are often perceived to come from the outside, all signs point to internal threats being just as dangerous, intentional or not.

Forrester recently released its Understand the State of Data Security and Privacy report, which offered insight on the reasons behind data breaches, with internal threats emerging as the leading cause. The survey—which featured respondents from Canada, France, Germany, the U.K., and the U.S. from companies with two or more employees—also covered other topics, including how security budgets are being allocated and the changing landscape of security teams’ responsibilities.

According to Forrester’s research, insiders take the cake as the top source of breaches in the last 12 months, with 36 percent of breaches stemming from inadvertent misuse of data by employees. Obviously, the issue here is ignorance; the study’s numbers indicate that only 42 percent of the North American and European small and midsize business workforce surveyed had received training on how to remain secure at work, while only 57 percent say that they’re even aware of their organization’s current security policies.

“People don’t know what they don’t know,” said Heidi Shey, a Forrester analyst and the author of the report. “You’ve got to give them some kind of guidance and guard rails to work with.”

What to watch

It’s also important, however, that the business has some amount of visibility to what’s happening on its networks, given that 25 percent of respondents said that abuse by a malicious insider was the most common way in which a breach occurred in the past year. While a lot of security focus is on looking outwards and what’s coming in, Shey said, there also needs to be some attention being paid to looking inwards and seeing what’s going on within the company and what’s going out.

There could be, for example, someone who has employee level access to segments of the network so everything they do looks like employee activity. As such, companies often aren’t looking at something like that even though it could be suspicious.

“Security teams need to look at this and ask, is this normal? Is this a normal pattern? Is this what the typical employee does as part of their work, or is this behavior out of the ordinary?” Shey said. “Spotting these kinds of patterns is one way to address that issue.”

Of course, implementing the means to track this kind of behavior is often easier said than done. While the survey results indicated that 17 percent of the collective security budgets of the respondents was going towards data security (the second highest allotment behind network security at 21 percent), that doesn’t mean as much if the budgets themselves are light on funds in the first place. As such, how exactly these companies choose to invest in data security solutions is important.

Often, companies take their budgets and only (or mostly) invest in technology and expect it to do the rest of the work for them, Shey explained. They’re not investing in the front end, like internal processes or policies, that aren’t necessarily technology. Some of these solutions need to be fine-tuned or fixed so they look for exactly what the company wants.

“Until they get their house in order on the front end, anything they throw on the other side is not as effective as they would have hoped or expected it to be,” Shey said. “If you don’t know what your data is or what you need to protect, you can’t do much to protect it properly.”

Suggested solutions

Since some of the solutions, like data leak prevention, are not a silver bullet, Shey recommended a more holistic approach to security by using a data control framework. Things like data leak prevention and encryption are useful for data protection, she said, but they’re very tactical. “You need to be more strategic on a higher level,” she said. “That’s where this kind of framework comes in.”

The framework is split up into three parts, the first of which involves a company defining its data, the very thing it wishes to protect. So aspects like data discovery, classifications, and determining what exactly the company values all come into play here.

Then companies need to dissect their data. Companies typically have traditional reporting tools, said Shey, which tell them about alerts and events. They can then analyze this data and see what information they can glean about visibility, their environment, and what exactly is going on in that environment. They can also look at data flows to see where it goes and how it’s being used. By looking at their security data and info about their data, companies can determine the requirements that need to be put on the type of data they’re handling.

The final part of the framework is, of course, defending. Defending and inspecting access controls, proper data disposal (getting rid of data that is no longer needed, as it could be a liability), and killing or encrypting data are all imperative in carrying out the last step of the data control framework.

“The framework is a way we found to be really helpful with enterprise clients,” said Shey. “It’s a good way to think about this whole big picture view on how to handle and treat data in the enterprise.”

Security teams are beginning to take on more responsibility, too. When it comes to privacy, security is only one aspect of the larger picture and as such, IT security groups generally are not the only ones involved. The survey results, however, indicated that 30 percent of the respondents’ security teams were “fully responsible” for privacy and regulations, with the most frequent answer being that security is “mostly responsible” at 34 percent.

This contrasts with 2012, when responsibility for privacy and regulation appeared to be shifting towards a dedicated privacy officer. The changes in 2013 may not necessarily be a beneficial change either, however, as privacy programs should first mature and security teams could get overloaded with the extra responsibility.

“With data security, people think of it as a technical thing,” said Shey. “But with privacy, there are a lot more cooks in the kitchen. Because of that, you’ll see a greater variation in the proportion of folks.”

Shey went on to give examples of other involved parties, including those in a company’s legal department, given the risk in compliance. There are also, as previously mentioned, dedicated privacy groups and privacy functions at a company, but this may not always be the case.

“A lot of organizations haven’t invested in a dedicated privacy group or function,” said Shey. “So instead there are often IT teams with legal or risk and compliance groups that have more privacy responsibility. It’s an extra role on top of security.”

That said, security and privacy go hand in hand. Privacy is more the regulatory side of things, while security is the enforcer side of it; security ensures that the measures that are in place are actually supporting the privacy initiatives and policies. Shey points out that while it’s good to see that companies are caring more about privacy, they may realize going forward that they should have a dedicated group.

“It shouldn’t be an add-on on top of what a security group is already doing,” Shey said. “The security group should be involved, but they don’t need to be the ones leading privacy efforts.”

Acknowledgment to Daniel Solove.

The theme of the above article is consistent with the ZDNet piece, People the weakest link in security: Aussie IT professionals, which provides:

Whether it’s resisting change from necessary security measures, not understanding the risk to a business, or being a rogue employee who circumvents corporate security completely, people are at the centre of security failures or compromises.

In a ZDNet Australia panel discussion held on Thursday, September 5, in Sydney, five high-ranking IT officers discussed what their greatest fears for their organisations were, and whether the businesses even know what their risk profiles are.

ZDNet heard from the top IT minds from the Federal Treasury, Transport for NSW, Harbour City Ferries, and Deloitte Touche Tohmatsu.

A disconnect between IT and decision makers

Deloitte’s national lead partner for security Tommy Viljoen said there is a significant disconnect between what IT decision makers such as the executive board see as acceptable, and the IT managers or operatives that are responsible for the actual exposure of risk.

“The business sets the risk appetite of the organisation, and therefore they should understand where the level risk has been set from a security perspective. A lot of organisations we go into, there’s a disconnect between what the business thinks they’ve got, and what IT has been delivering,” Viljoen said.

Transport for NSW is in the minority, using its previous experiences to present a case to decision makers for what could happen in the event that hackers infiltrate their networks and force an outage.

At the moment, no outages on the transportation network have been as a result of an online attack, but its general manager for security and risk Ajoy Ghosh is now able to quantify to the business how much one would cost. His cost estimates are accurate enough that Transport for NSW is now able to predict the economic cost to the state if, for example, a two-hour outage on the Sydney Trains network were to occur.

While Ghosh appears to be far ahead of others who are still stuck trying to justify the financial costs of implementing and maintaining their security systems, he said this isn’t the only challenge that he and others face.

“What [decision makers] don’t have a clear idea of are the different IT security events that would cause those impacts.

“What I find myself doing is having to educate the decision makers, firstly about those impacts, and secondly about the dependencies of the different IT systems.”

Treasury CIO Peter Alexander had a similar former story of the disconnect occurring within the organisation, but with middle management being unaware that their risk profile was much larger than they believed.

“Our biggest disconnect was our executive and our mid-level managers. Our executive would say that I have this particular bit of content that I know six people across the whole of Treasury have access to … and, of course, it would [actually] be 40.”

Part of the problem, he said, is that organisations are encouraged to collaborate and share information. While he’s an advocate for such behaviour, Alexander said that it often results in heads being butted.

Contributing to his solution of this problem has been education, and who best to learn from in Australia but the top spooks themselves from the Australian Signals Directorate (ASD), formerly known as the Defence Signals Directorate?

“They come and brief our secretary’s boards, and scare the pants off them,” he said.

“They would get your laptop and they would go, ‘This is how we break into a laptop,’ and 30 seconds later, they’re starting to get content off it even if it was encrypted.”

As for briefing decision makers, the frequency of these sessions varied depending on the industry. Ex-IT directorate program manager at the Department of Education and Communities, Youssef Moussa said that these discussions should typically happen weekly, but when previously working in the financial services industry, meetings on information security and risk would happen almost daily.

Implementing security measures

The Treasury is one of the few organisations that have not only implemented the ASD’s mandatory top four mitigation strategies for security, but also the majority of the remaining recommended ones.

“Agencies freak out when you do it, because you go, ‘You’ve got to have application whitelisting, critical patching within two days, access controls, and things like that,'” Alexander said.

“But we bent our culture a bit and got people saying, ‘This works. This enables you to do your job better, more securely,’ and it works pretty well.”

Application whitelisting has been a boon for the Treasury, with Alexander saying that even if users fail on the education side and click on a link, the whitelist means that the malicious app would never launch, or if it is spawned from a drive-by website, it has already been blocked.

A lot of other departments and agencies are having difficulty complying with the now-mandatory requirement to implement the top four strategies, with Alexander saying they either attempt to sign waivers to the effect of accepting the risks or ask for more time. However, he said it isn’t as painful as it seems.

“We turned on BitLocker in the background, let it run for three months to see what it would break, and went, ‘It breaks this, it breaks that, now let’s turn it live and see what else it breaks,’ and it didn’t break that much.”

Biggest security concerns

The Treasury has a significantly higher standard for information security. Defence’s cyber and information security division deputy director Stephen Day said earlier this year that any business connected to the internet and involved in the defence industry is a target for state-sponsored cyber espionage.

This leads to concerns over advanced persistent threats (APTs), rather than the brute-force attacks. Alexander said that the latter sort of attacks have become so routine that it no longer makes sense to report them, instead only raising the flag when something truly significant like an APT hits the radar.

Moussa agreed, stating that it’s really the new APTs that break through the spearphishing attacks, but believes that his organisation sees cloud-based technologies as a pressing issue, given that student records need to be tightly controlled.

“Opening up new areas where your data is no longer under your control, to actually move data out of your organisation, that’s one of the biggest areas of concerns,” he said.

“It’s not just lack of control, it’s the ability for others external to the department [to access] confidential records of students.”

For Harbour City Ferries’ IT manager Adam O’Halloran, however, the biggest problem to security is simple.

“That’s easy. It’s people.”

While most people would pick a technological issue, O’Halloran said it is really the other two aspects to the trifecta: Process and people.

His example was the creation of a new account for a marketing person, which was given the password of “password1”. Shortly after, it was hijacked and used by scammers to spam unsuspecting victims.

Furthermore, he said that despite the technology that is implemented, it could always be circumvented.

“It’s the person’s perception of what is necessary [for security] and if they think it’s unnecessary, they’ll work around it.”

Alexander is of the same opinion.

“It’s people without a doubt,” he said. “It’s the fact that our staff can come in and we can do all these things to lock down our network and build in controls around documents, but we can’t stop them taking a photo of it on their phone unless we don’t let them bring phones into the building, and we’re not a national security organisation, so we don’t do that.”

He said that people have been the weakest link, regardless of the advances in technology. He pointed to the past, where in a world prior to camera-equipped phones, people would photocopy documents and take them out with them anyway.

“We’re a scarred organisation, because we did have a guy a few years ago that did leak a whole bunch of information to the opposition. It’s people. You can’t trust them completely. You can trust them mostly.”
