Why unintentional insider data leaks are still a problem for businesses [Q&A]
Whilst threats to data are often seen as being down to external actors, it's often the case that leaks, both intentional and otherwise, can come from insiders.
Unintentional or accidental leaks remain a major problem, and one that’s been made worse thanks to more home working. We spoke to Rajan Koo, SVP, engineering and cyber intelligence at DTEX Systems to learn more about this type of threat and how businesses can address it.
BN: What are some of the most common sources of accidental or unintended insider data leaks?
RK: The most common sources of unintended insider data leaks stem from the usual suspects -- such as data being accidentally leaked via unencrypted USB devices or insecure backups.
An emerging culprit that we've seen increase over the past year is publicly accessible documents. In the work from home era, convenience is king, leading to employees increasingly using things like Dropbox and Google Docs to share information and collaborate. The issue with leveraging these services is that personal accounts are often used and there is no authentication mechanism in place. So, if a bad actor knows where to look, they will be able to access the information being shared.
Another accidental source of insider data leaks to keep an eye on is video call screenshots. During a video meeting, a host or presenter often shares their screen to walk through sensitive company information. We have seen an increase in harmless screenshots being taken and filed for later reference/use. This is not a best practice from a security standpoint -- all sensitive information should only be stored in the original, intended documents to shrink the digital footprint of sensitive info.
BN: Why are unintentional insider leaks still such a risk in today's enterprise environment?
RK: Unintentional insiders are a greater risk than they were 12 months ago and ultimately contribute greater risk than malicious insiders do. Intentional malicious insiders are rarer than headline news articles would have you think though. In fact, many of the cyber breaches we hear about can be attributed to benign or negligent insiders, where proper security checks and balances aren't in place or simply were not followed.
The risk of unintentional insiders has exploded during the work from home era, as there has been an increased blend of personal and corporate lives. Employees are increasingly using their corporate devices and cloud applications for personal reasons.
For example, DTEX's Insider Threat team has observed a significant uptick in data loss via personal email and drive-by downloads -- where an employee downloads a file (such as a movie) that has malware or some other malicious code embedded within it. From there, the attacker is able to move laterally for further compromise (e.g. a ransomware attack).
BN: How has remote work increased insider threats?
RK: Remote work has increased the threat that insiders pose exponentially, as the blending of work and life has blurred lines. Most folks now use their corporate device for personal reasons, like online shopping, kids homework, general web browsing and have even extended to highly personal browsing and download behaviors.
Over the past year, DTEX's data has found significant increases in common risks that insiders pose, maliciously intended or not. For example, since the sudden shift to remote work back in March, we have seen a 78 percent increase in accidental data loss, a 60 percent increase in malware infections, and a 67 percent increase in intentional data theft. As hybrid work models become the new normal, I expect these same risks to remain prevalent.
BN: How have data leak technologies evolved over the years and what should IT/security leaders consider when looking at these technologies?
RK: They have evolved, but not enough. The industry is starting to introduce true behavior-based context to help security teams prioritize what’s important, but the technologies have been far too focused on exfiltration. This has led to a huge management overhead and resource requirements. Many businesses invest in cost-heavy products, but don't have the manpower to operate them effectively due to the copious number of false positives/noise they generate.
When evaluating technologies, CISOs and practitioners should identify solutions that look beyond exfiltration monitoring and go the step further of flagging indicators of intent to properly identify malicious activity early on in the kill chain. Technologies that can achieve this consistently produce significantly less alerts that are coupled with the context needed to identify insider threats and take decisive action. This empowers analysts to focus on mitigating the threat at hand, rather than trying to make sense of the event.
BN: How effective are security training initiatives at preventing insider threats?
RK: The effectiveness really depends on the delivery. For example, if a company is potentially leaking data through public-facing documents via Google Docs or Dropbox, they may react by sending a companywide email saying that folks should not use services like this for security reasons. However, oftentimes employees will follow those directions for a few weeks, then ultimately revert back to their regular workflows.
The most effective security training approaches are those that capitalize on 'teachable moments' as insecure practices happen, targeting the people that need the training the most. With the right technologies in place, you can orchestrate targeted training notifications for individuals using certain insecure services that there are alternatives considered best practices -- such as using OneDrive to share documents instead of Google Docs.