Page 84 - Security Today, September 2018

Protecting Your Crown Jewels
Building stronger security from the inside out
By Aarij Khan
Once upon a time, it was believed that all you needed to do was build a strong perimeter around your infrastructure in order to secure your organization. However, while 73 percent of breaches are caused by external actors, 28 percent of breaches involve internal actors, according to the Verizon 2018 Data Breach Investigations Report.
By their nature, insiders are already inside your perimeter, so the perimeter security approach is not effective. In response, modern security practices have shifted away from this outdated technique. Now, the focus is protecting the “crown jewels”—your intellectual property—wherever they happen to reside.
There are three basic types of insider threats: the unintentional insider, the intentional insider and the external actor masquerading as an insider.
Unintentional insider. This is an individual with legitimate access who commits a security infraction that results in potential consequences for their organization. One example is the employee who is using shadow IT because it makes them more effective at their job. They don’t intend to cause a data breach, but the fact that they are operating without security oversight makes it more likely that sensitive data could be exposed even unintentionally.
Intentional insider. This person makes the conscious decision to abuse their access in order to obtain sensitive data for personal gain or purposeful malicious intent. One example is the employee who, before they leave to go to a new company, downloads valuable intellectual property or sensitive internal documents to take with them.
External actors. These people can appear to be insiders. They compromise a legitimate user’s account using social engineering, password breaches, or even default passwords that haven’t been changed. They then can move through your environment as if they were a trusted employee.
One thing that all of these three types have in common: once inside, perimeter security can do nothing to monitor or prevent their activity.
According to the Verizon report, the vast majority of breaches, almost 90 percent, are driven by financial gain or espionage. No matter what the motive behind a particular breach is, though, the target of the breach is overwhelmingly going to be your data. Whether it’s a stolen employee W2 used to claim fraudulent IRS refunds, or stolen research that a competitor used to go to market ahead of you, it’s all about your data.
As the pace of business keeps moving faster, the amount of data generated by your organization grows exponentially. In order to secure your sensitive assets from insider threats you need to know your data, set policies, train your employees, monitor access, and periodically review and update your plans.
Know Your Data
Understand what data you have. You can’t protect it if you don’t know you even have it. While it may seem extremely obvious, some organizations still find it difficult to identify all the data assets they rely on. Between HR, finance, sales, accounting, executives, engineering, R&D, and more, it’s possible your company is collecting and generating more data than you currently know about.
Know where your data lives. There is no safety in obscurity when it comes to your data. If you can’t find it, you can’t protect it.
Classify your data. Just as the crown jewels need more protection than a set of costume jewelry, some of your assets need more protection than others. Understand how your company relies on different data assets and classify them according not only to compliance mandates but also to the impact on your business if they were compromised.
Set Policies
Create data use policies. Now that you have classified your data, create policies around the use of that data. Who can access it? Why? How long are records retained? How can the data be used? Shared? These are just some of the questions you should consider when formulating your policies. Compliance mandates as well as business impact should inform your policy making.
Implement least privilege. Employees do not necessarily need authorized access to every network, database, and process. You need to understand that by limiting access to only what employees need to fulfill their work responsibilities you will ultimately reduce the chance of information spillover or leakage as a result of a security incident. However, responsibilities can change organically through an employee’s career at a company. As such, you should build some flexibility into your policies. Create a pro-