Organizations today know they must put cybersecurity measures in place, not only to protect intellectual property and the integrity of networks, systems, and other corporate assets, but also to comply with data privacy regulations and protect customer and employee information.
But all too often, security issues come from within the organization rather than externally. An insider threat can be defined as any person or activity that uses legitimate access to data or systems — that is, access granted by the organization — in a way that negatively affects the organization or puts security at risk.
Cybersecurity alone is not enough to combat the different types of insider threats. But cybersecurity overlayed with information governance enables organizations to meet information security requirements while countering the risks associated with insider threats.
2 types of insider threats: Who poses a risk?
By its very nature, an insider threat most often involves someone who has valid access to an organization’s data, systems, and applications, such as an employee or a vendor. Former employees and vendors who were not offboarded properly when they stopped working for the organization may also pose a threat.
In general, insider threats come from two types of users:
- Careless users — people who create entry points or mishandle data, due to lapses in security measures or judgment about data policies and practices
- Malicious users — people who have or had valid access to systems and use it to deliberately steal or misuse data
Careless users can become compromised and pose a threat by their clicking on a link in an email or otherwise granting entry to the network. Less dramatically, but perhaps more commonly, careless users may increase risk through simple mistakes such as bypassing a security step in the normal course of doing business.
A malicious user may be someone who is disgruntled and seeking revenge, or someone motivated by greed and seeking to steal information for monetary gain. Since these users are insiders, they may know how to cover their tracks, which can make detection a challenge.
Where does cybersecurity fail to prevent insider threats?
As you would expect, some types of insider threats arise from basic failures of traditional information security measures — for example, when users are unaware, not properly trained, or simply sloppy about secure data handling policies and practices.
And of course, the risk rises when an organization fails to enforce basic yet vital security measures, such as strong passwords, two-factor authentication, firewall protection, anti-virus/anti-malware, software updates, and data encryption.
However, even where an organization provides thorough training and implements the right security policies and procedures, insider threats can still pose a risk if the company lacks the proper operational controls for governing what information it has, how to share it, and where to store it.
How do these factors increase the risk of insider threats?
The type of information you have
Sometimes the issue is not who has access, but rather what type of information you have. For example, you may be storing a lot of data that should have been disposed of because it relates to former clients or former employees.
Keeping data you don’t need creates a bigger “attack surface,” raising the risk that data may be leaked, misused, or stolen. Additionally, over-retention of records may violate data privacy laws, putting your organization at risk of noncompliance, litigation, and audits.
Where and how you use information
Where and how you are using information can also increase the risk of insider threats. For instance, today’s enterprise solutions extend to many people, places, and processes. These include IT solutions such as enterprise systems and databases, as well as applications such as email, text, video, and voice recording.
Another risk factor is the growth of remote access to systems, applications, and data for use by work-from-home employees — a trend that exploded in response to COVID-19 restrictions and looks to continue post-pandemic.
The trend of moving data into external applications such as Software as a Service (SaaS), cloud infrastructure services, mobile networks, and social media also increases insider threat risks. Although the application or service provider may have its own cybersecurity measures in place, responsibility for identity and access decision-making about the data still rests with the organization.
Yet, organizations often fail to monitor and control who is accessing and using the cloud, SaaS, and other external applications from inside the organization (whether on site or remotely).
In addition, more organizations today are investing in data mining and data science, further expanding access and growing the volume of data that is collected. Maintaining operational controls, including how and where all that data is tracked and stored, as well as how it is used or disclosed, is increasingly difficult.
How does IG enhance cybersecurity?
Information governance supports and extends the protections of cybersecurity, to reduce risks associated with the different types of insider threats by:
- Supporting ID and access management — helping you understand what kind of data you have, where it is, and its purpose, to determine who needs access, who does not, and which data needs higher levels of cybersecurity
- Reducing the attack surface of data — allowing you to identify what information you can (and should) dispose of, to reduce the amount of data available for potential exfiltration (as well as becoming a smaller target for potential infiltration by outsiders)
- Extending governance to externalized data — helping you configure, manage, and secure access to data via outside applications such as cloud infrastructure services, SaaS, mobile apps, and work-from-home tools
For example, an IG program provides the structure for managing and maintaining data retention and disposal, to reduce the amount of data you’re storing. It also allows you to monitor external storage environments, as well as internal storage, for data privacy compliance.
And with cloud services, SaaS, and other environments that hold information outside your organization’s walls, putting good IG practices in place helps you meet your obligation to ensure the data is secure no matter where it is stored.
To talk about how information governance can help your organization improve security and reduce insider threats, please contact firstname.lastname@example.org.