Government agencies are collecting more data than ever before. With the increasing amount of data that agencies store, manage and collect, agencies must create robust strategies to protect data from being compromised. Recently, I spoke with John Barrett, Senior Manager Systems Engineering for Public Sector, Symantec on how agencies can minimize insider threats and keep organizational information safe. Barrett said, “The insider threat typically isn’t always obvious.” There are many different kinds of insider threats, and not all are malicious. Different actors that may be responsible for data loss include:
- Well-meaning employees: These are employees doing their daily work, unaware that their actions are putting the agency's security posture at risk. “People forget that everyday employees may innocently be sending data to email accounts, or home computers, which is putting the company at risk,” said Barrett.
- Disgruntled employees: These are employees who are upset at the organization, have access to data, and are potentially a threat.
- Targeted Attacks: Data loss may come from organized crime, nations or advanced persistent threats, all of which are attempts to gain unauthorized access to information.
Although organizations are constantly at risk of being attacked, Barrett commented that the database where data is stored is often not what poses the greatest risk. Databases usually have adequate protections such as access control and encryption; most data loss occurs when people extract data from the database in the course of their daily work and then place it in insecure locations. Examples include copying sensitive data into a spreadsheet and then sharing it on a public cloud service, scattering data across other files, or emailing a copy of a spreadsheet. These actions take data that was once securely stored and expose it to compromise. To counter these threats, Barrett recommends six best practices for mitigating data loss from insider threats:
1 – Improve Hiring Practices
Barrett advises that protecting data starts with making smart hiring decisions, and being sure to do background checks and have a thorough hiring process. “The weakest link in protecting your information is always going to be the people who manipulate your data and work with your data, so improving your hiring practices is always a good idea,” said Barrett.
2 – Create a Strong Non-Disclosure Agreement (NDA)
A non-disclosure agreement (NDA) creates a contract between entities that outlines how data and confidential information can be used, and places restrictions for information sharing. “Having a strong NDA as part of your program is also a very positive thing, so that employees know the value of that data and what is expected of them,” said Barrett.
3 – Improve Security Awareness Training
Having a strong NDA is important, but employees must be aware of how they are accessing and using data. “You want to make sure employees understand the importance of protecting the data they have access to and ensuring the integrity of your assets and data,” said Barrett.
And with so many agencies moving to telework, security awareness training is more important than ever, as employees must understand the security risks of accessing data from remote locations versus working within the office.
4 – Baseline Your Environment
It is impossible to know what data is at risk if you don’t have an understanding of what data you have, and where it is stored. Agencies should baseline their data environment to understand the kinds of data the agency currently holds. This includes exploring where data is stored, monitoring data-in-transit, and knowing how users access and leverage organizational data at endpoints.
5 – Establish a Data Lifecycle Program
An important step in mitigating data loss is to maintain a data lifecycle program. This helps agencies remain compliant with mandates in a complex regulatory environment. For instance, agencies may need to store and maintain certain data for seven years and other data for twelve years. In either case, organizations with a data lifecycle program understand the relationships in their data and can therefore implement and maintain compliance in an ever-changing regulatory environment.
6 – Implement Monitoring Technology
Implementing data monitoring technology such as data loss prevention (DLP) is extremely important, because it supports the critical baselining needed to understand where data is, where it is going, and how people are using it in their environment. A data loss prevention program helps organizations protect their information against loss and theft, comply with government mandates, maintain the integrity of data, and lower the risk of loss over time.
Data loss prevention can be used in conjunction with other data monitoring and protection technologies such as digital rights management (DRM). With DRM, agencies can set a policy to encrypt sensitive data that DLP finds, so that only the people granted authority to that data retain access. “Another benefit of using DRM technology is when you supply confidential data to individuals outside your agency,” Barrett stated. “Typically once you have transferred that data outside the organization you don’t know what they are going to do with it, but with digital rights management, you can protect that data once it leaves the confines of your organization. For instance, your DRM policy can state that a document expires after a week, to ensure you are sharing data for the business purpose, but you are also controlling it by making sure it does not live on in an unsecure environment.”
Sensitive data in an open file share is a data breach waiting to happen. Knowing where data is stored gives agencies the ability to be proactive about their data. Proactive actions include applying encryption to sensitive data and identifying and reducing access to open file shares only to those who have a business need to work on that data. Protecting information is critical to the success of organizations, and by starting with these six steps, agencies can be put on a path to securing and protecting information.
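The baselining step (knowing what sensitive data you hold and where it sits) and the open-file-share point above are concrete enough to show in code. The following is an added illustration, not Symantec's DLP product or anything from the interview: a minimal discovery scanner that walks a directory tree, flags files containing data that looks like Social Security numbers or payment card numbers, and rates each finding by whether the file is readable by everyone (the POSIX "other" read bit, used here as a stand-in for an open share). The detectors, the Luhn and SSA-range checks, and the sample files it builds are all constructed for the example; real DLP engines use far richer classifiers.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed, deliberately simple detectors. A real DLP engine ships far richer
# classifiers (document fingerprints, exact-data matching, ML); these two are
# enough to show the baselining idea: find the data, then look at who can read it.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject number ranges the SSA never issues, reducing false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def classify(text: str) -> dict:
    """Count sensitive-data matches in a piece of text, keyed by data type."""
    counts = {}
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            counts["ssn"] = counts.get("ssn", 0) + 1
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            counts["card"] = counts.get("card", 0) + 1
    return counts


def is_world_readable(path: Path) -> bool:
    """POSIX 'other' read bit: a crude stand-in for 'sitting on an open file share'."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def scan_tree(root) -> list:
    """Walk a directory tree and report files holding sensitive data, with their exposure."""
    root = Path(root)
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue  # unreadable to the scanner itself; skip rather than abort the baseline
            counts = classify(text)
            if not counts:
                continue
            exposed = is_world_readable(path)
            findings.append({
                "relpath": path.relative_to(root).as_posix(),
                "matches": counts,
                "world_readable": exposed,
                # Sensitive data anyone can read is the open-share case the article warns about.
                "risk": "high" if exposed else "medium",
            })
    return sorted(findings, key=lambda f: f["relpath"])


def build_sample_tree(base: Path) -> None:
    """Write constructed sample files (fake identifiers only) to exercise the scanner."""
    samples = {
        "hr/payroll.csv": ("name,ssn,card\nAlice Example,123-45-6789,4111 1111 1111 1111\n", 0o644),
        "finance/private.txt": ("Corporate card on file: 4111-1111-1111-1111\n", 0o600),
        "notes/readme.txt": ("Ticket 000-12-3456 is not an SSN; 1234 5678 9012 3456 fails Luhn.\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
        path.chmod(mode)


def run_demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and return findings keyed by path."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return {f["relpath"]: f for f in scan_tree(tmp)}


if __name__ == "__main__":
    for rel, f in run_demo().items():
        print(f"{f['risk']:6} {rel}: {f['matches']} world_readable={f['world_readable']}")
```

Run as-is, the scan reports the world-readable payroll file as high risk, the owner-only finance file as medium, and nothing for the readme, whose look-alike numbers fail the range and checksum checks. The output is the kind of inventory the baselining step calls for: it tells you which files to encrypt first and which shares to restrict to people with a business need, before any DRM or access-control policy is applied.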