November 4, 2015


Mere ‘Compliance’ is Not Enough to Protect Yourself from Data Theft and the Insider Threat

Once upon a time, most information and assets were physical.

This is, of course, no longer the case.

And crime has evolved in tandem, meaning fraud and other nefarious activity can now be perpetrated in previously unimaginable ways thanks to technology. Unfortunately, all too many organisations have found themselves on the back foot, lacking the proper precautions to prepare for the information security battle in which they find themselves embroiled.

Nowadays, everyone is fighting for access to detailed personal information (names, addresses, IDs, passwords, medical information and more) as well as critical IP (intellectual property), the ‘secret sauce’ for many of today’s organisations.

We hear more about losses of personal information, but organisations also need to think hard about protecting their organisation’s IP – a key focus for nation state and terrorist-driven hacking.

Aside from protecting customers and employees, organisations must remember that IP is not only vital to retaining brand credibility, but also to keeping an organisation running smoothly. Most organisations have specific compliance requirements to adhere to – such as PCI DSS, data residency, data privacy, etc – but meeting compliance standards alone is not enough to protect IP.

Not even close.

Compliance is about satisfying regulators, and isn’t necessarily designed for protecting critical IP and data. System vulnerabilities and threats must therefore be approached as a priority beyond the minimal protection that results from meeting compliance standards.

Privileged users

The data security community remains fixated on cyber-crime perpetrated by hackers, and rightly so, but it must be acknowledged that fraudulent activity by a company’s ‘trusted insiders’ is becoming increasingly difficult to detect and prevent. This is particularly the case when it comes to an organisation’s ‘privileged users’.

It has been nearly two years since the Snowden revelations and yet the question of whether a business’s privileged users – ie those employees or contractors with titles like ‘system’, ‘hypervisor’, ‘storage’ or ‘IT’ administrators or ‘Root’ users – are at risk (as a result of targeting by outside attackers), or whether they are the risk themselves, remains extremely difficult for many businesses to answer with any certainty.

Fortunately, it’s not all bad news – awareness of the risk seems to be growing. According to the recent ‘Insider Threat report’, compiled by Ovum and Harris Poll, 54% of German and UK businesses believe that privileged users are now the greatest risk to data security and regulatory compliance.

It’s important to always bear in mind that data is only valuable if it is accessible. As such, given the broad and extensive reach these accounts have simply by necessity, they can no longer be left unchecked.

There should be a strong separation of duties between privileged users and the data itself. Of course, all insiders with legitimate access must be watched and any unauthorised access attempts acted upon immediately.

Equally, watching out for changes in the amount and type of data being accessed by individual users at any given time can be essential to spotting an insider turned rogue or if their credentials have been hijacked by cyber-criminals – this is especially the case when it comes to Advanced Persistent Threats (APTs).
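The per-user check described above, as an added example that is not from the article or any product it refers to: it builds each user’s baseline daily access volume and set of data classes from earlier audit records, then flags a day on which a user’s volume jumps past a multiple of that baseline or a data class appears that the user has never touched before. The audit records, user names and data classes are constructed for illustration.

```python
from collections import defaultdict

# Constructed audit records: (ISO day, user, data class, bytes read). Not real data.
ACCESS_LOG = [
    ("2015-10-26", "dba01", "customer_pii", 40_000),
    ("2015-10-27", "dba01", "customer_pii", 42_000),
    ("2015-10-28", "dba01", "customer_pii", 38_000),
    ("2015-10-29", "dba01", "customer_pii", 41_000),
    ("2015-10-30", "dba01", "customer_pii", 39_000),
    ("2015-11-02", "dba01", "customer_pii", 400_000),  # ten-fold jump in volume
    ("2015-11-02", "dba01", "source_code", 5_000),     # data class never seen for dba01
    ("2015-10-26", "sysadm2", "system_logs", 900_000),
    ("2015-10-27", "sysadm2", "system_logs", 950_000),
    ("2015-10-28", "sysadm2", "system_logs", 880_000),
    ("2015-11-02", "sysadm2", "system_logs", 910_000),  # steady, should not alert
]

def daily_totals(log):
    """Sum bytes per (user, day) so many small reads count as one daily volume."""
    totals = defaultdict(int)
    for day, user, _cls, nbytes in log:
        totals[(user, day)] += nbytes
    return totals

def build_baseline(log, before):
    """Per-user mean daily volume and data classes seen strictly before `before`."""
    volumes, classes = defaultdict(list), defaultdict(set)
    for (user, day), total in daily_totals(log).items():
        if day < before:                      # ISO dates compare correctly as strings
            volumes[user].append(total)
    for day, user, cls, _ in log:
        if day < before:
            classes[user].add(cls)
    return {u: sum(v) / len(v) for u, v in volumes.items()}, classes

def find_anomalies(log, day, spike_factor=3.0):
    """Return (user, kind, detail) alerts for `day`: volume spikes versus the
    user's own baseline, unseen data classes, or users with no history at all."""
    mean, classes = build_baseline(log, day)
    alerts = []
    for (user, d), total in sorted(daily_totals(log).items()):
        if d != day:
            continue
        base = mean.get(user)
        if base is None:
            alerts.append((user, "no_baseline", f"first activity seen, {total} bytes"))
        elif total > spike_factor * base:
            alerts.append((user, "volume_spike", f"{total} bytes is {total / base:.1f}x baseline {base:.0f}"))
    seen = set()
    for d, user, cls, _ in log:
        if d == day and cls not in classes.get(user, set()) and (user, cls) not in seen:
            seen.add((user, cls))
            alerts.append((user, "new_data_class", cls))
    return alerts
```

In practice the baseline window would be bounded (for example the trailing 30 days) and the spike factor tuned per role, since a storage administrator’s normal volume looks nothing like a database user’s.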

Looking to solutions that encrypt files and control access, regardless of where they reside, while leaving metadata in the clear, means that these users can perform their essential system administration tasks without being able to gain access to the sensitive data residing on the systems they manage. Then, only those who actually need to see the data represent a risk and can be monitored thereafter.

Ultimately, when it comes to protecting an organisation’s critical data and IP, the industries that are not in need of protection are few and far between. Think about it: the plans, formulas, specifications, source code and methods used by leading manufacturers worldwide are a prime target for national and competitive adversaries worldwide.

Equally, citizen information, whether at government, defence or state infrastructure level – running the gamut from local tax rolls and healthcare data to police records – can be worth a fortune on the black market if it falls into the wrong hands. Of course, financial service organisations have long been in the eye of the storm – bank account information, balances and insurance information are the sort of data hackers can only dream about.

Interestingly, 2014 flung the retailing and entertainment industries into the spotlight; the Target and Sony data breaches were watershed moments in their own right.

In today’s world, data security for compliance, IP protection and securing critical business and customer data should be treated as a ‘business as usual’ process. Training staff and embedding a security-aware culture throughout the organisation is important, but only through technology can companies be sure that their most sensitive data is safe from those inside and outside the fence.
