“Your mission, Jim, should you decide to accept it, is…. As usual, should you or any member of your I.M. Force be captured or killed, the secretary will disavow any knowledge of your existence. This tape will self-destruct in five seconds. Good luck, Jim.”
It may have seemed overly dramatic at the time, but those of us responsible for protecting corporate data against outside and inside threats can well relate to this tense opening scene from the original Mission Impossible television series and popular movie sequels.
Our mission is less choreographed, and unfortunately, our sensitive data doesn’t just vanish into smoke before it falls into the wrong hands. Instead, we’re responsible and empowered to actively secure our information assets.
We have evolved into a fast-paced, datacentric society where storage is relatively inexpensive and data related to virtually every action is stored and shared. We invest valuable resources and trillions of dollars to build infrastructures and systems optimized to house our data. We construct dashboards and reporting systems to comprehend the factors that drive our business successes and failures, increase revenue, and boost margins and quality. Myriads of modeling products and tools provide data analytics that guide our critical business decisions. Comprehensive supply-chain data delivers insight into vital customer information, advancing and solidifying our partnerships.
The momentum and magnitude of data growth is exponential and promises tremendous opportunity. Data intended to promote core business activities and quality-improvement programs is now reusable and extendable into new, innovative products and applications. Deep learning, machine learning and natural-language processing all take advantage of these large data volumes, structured and unstructured, to deliver value and facilitate automated analytics and processes with consistent, reliable and high-quality results.
The benefits in the proliferation of data are obvious, but so are the inherent risks. We are accumulating data at a rapid rate, quickly outpacing our ability to effectively govern and protect it. Consequently, the misuse of sensitive data continues to propagate almost unchecked, crossing all geographic and industry boundaries.
Our commitment to safeguarding our corporate resources has led to a billion-dollar cybersecurity industry, which until recently catered mainly to outsider threats while often ignoring the equally significant peril of insider threats. As the dangers of insider threats are amplified by frequent data compromises, however, corporations are now converging their focus on both.
What Are Insider Threats and Whose Problem Are They?
As defined by the Department of Homeland Security, “An insider threat can be defined as the potential damage to the interests of an organization by a person or persons regarded, inaccurately, as loyally working for or on behalf of the organization, or who inadvertently commits security breaches.”
The primary classifications of persons who pose an insider threat are the following:
- Insiders who may maliciously, for financial, political or other reasons, misuse assets
- Insiders who inadvertently or negligently misuse assets
- Outsiders who mimic insider credentials to access and misuse assets
Insider threats aren’t exclusively a technology problem. They cross all boundaries of an organization and require the engagement of all colleagues to fully grasp their diverse nature and combat them effectively. Defending against insider threats demands the following:
- Full senior-management engagement to escalate its priority and eliminate roadblocks
- A skilled and focused insider-security team comprising business and technology resources to coordinate execution
- A multifaceted plan to define the tasks necessary to identify and defend each corporate asset
Equally critical is a protocol for ongoing compliance monitoring and periodic review of your roadmap as the organization, information needs and insider threats evolve.
Defending Against Insider Threats
No two firms handle their data in exactly the same way, and data policies should be tailored to accommodate each one’s cultural and business needs. Nevertheless, taking advantage of proven approaches and products to integrate security into your daily practices can significantly reduce your exposure. Examples of accepted risk mitigation strategies include the following:
- State-of-the-art infrastructure security including intrusion detection, data-loss prevention, advance-threat firewall and secure-email products, many of which employ machine-learning and temporal-reasoning algorithms to monitor for abnormal behavior
- Group policies that revoke and block access from malicious parties
- Document-rights management to validate continued access to distributed content, internally and externally
- Corporate best practices that reveal potentially malicious insiders before they act, including pre-hire and periodic background checks
- Training to sensitize all colleagues to insider threats and educate them to detect and appropriately report unusual behavior, phishing emails and potentially infected emails
These strategies still only concentrate on part of the overall picture. We must expand beyond restricting unauthorized access to include comprehensive management of all data access. As noted in Forrester’s “Model for Establishing an Insider Threat Team” (July 2016), “unintentional misuses of data make up 56% of data breaches attributed to insiders.”
A large percentage of insider threats are attributable to inadvertent misuse of assets, facilitated by flaws in corporate control. They can range from a person accidentally emailing a sensitive document to the wrong party to someone innocently viewing a data source with sensitive, personal information. Yet both stem from the same cause: access to data, authorized or unauthorized.
Where Does Data Management Fit In?
How can we strategically restrict misuse of data and prevent the numerous insider data breaches? Herein lies the missing puzzle piece and, potentially, our biggest challenge: the role of data management.
Data management, as defined by the DAMA Data Management Body of Knowledge, “is the development, execution and supervision of plans, policies, programs and practices that control, protect, deliver and enhance the value of data and information assets.” Tightly coupled with data management is the “principle of least privilege,” which prescribes that access to assets be granted on the basis of job function and be limited to the minimum information and timeframe necessary to perform that function.
Although it’s no magic bullet, merging data management and the principle of least privilege gives us a powerful option for data control. The fundamental task is being aware of the existence of your data, its sources, security classification, function, and current and preferred format. This information provides the foundation to create impregnable barriers by correlating job function to data at a granular level and eliminating all other data access.
Implementing data management and access control begins with a cohesive, robust framework, designed by a cross-team of knowledgeable business and technology resources and customized to consider the unique nuances of your corporate assets. Below is the roadmap to initiate the iterative journey of securing your content:
- Inventory your data across all databases and documents. What data do you own? What format(s) do you use to store your data? Where do you house your data? What data do you access from external sources?
- Explore your data and gain a complete understanding of its purpose and potential. What’s the purpose(s) of the data, by context? What’s the meaning(s) of the data, by context?
What business functions, systems and/or job functions create, update, delete, view or share the data? What data is exchanged with external parties?
- Determine the correct strategic format for your data, emphasizing the reusability, extendibility and data granularity most conducive to the administration of security policies (e.g., XML). Is the data in a format conducive to reconciliation and consistency validation across disparate sources? Is it in a viable format that portrays meaning, context and data relationship? Evaluate detail data and summary data independently, as they are not the same, regardless of whether they originate from a common source.
- Assess the best location for your data. Is your data stored in multiple locations? Should it be? Is the data queried live from multiple federated sources or is it centralized and harmonized in a data lake or data hub to reduce your dependency on the source system?
- Classify your data by relevant risk factors including personal information, intellectual property and client-sensitive data. Be as explicit as possible. Data may be classified as sensitive owing its inherent or contextual nature. Detail information may be more sensitive than summary, and vice versa—for example, summary department salary information versus individual salary information.
- Map your data classifications to job functions, including time span. Assess and document all job functions. Prepare a data map correlating job function to data attribute, including timeframe. Remember the basic principle: access to data is a responsibility, not a privilege. Effective training that conveys this message will encourage colleagues and third parties to become active, vocal partners when granted access to data they don’t need— and, therefore, don’t want.
- Stipulate and implement security and compliance best practices to administer access to the data. Strive for simplicity. Complex access policies are error prone and increase your risk. To streamline access administration and minimize errors, assign job functions to data and individuals to job functions.
Battling insider threats is an expanding corporate priority that must encompass all aspects of an organization to be successful. Understanding, classifying and administering your information resources are critical ways to guard this valuable asset. Given the potential cost of getting it wrong, don’t embark on this road alone. Engage experts familiar with data management and insider security to guide you as you achieve effective data management and strategically secure your data.
Challenging? Definitely. Mission Impossible? Definitely not.
About the Author
Tammy Bilitzky is Chief Information Officer of Data Conversion Laboratory (DCL). Serving with DCL since 2013, Tammy is responsible for managing the company’s technology department; continuing its focus on resilient, high-quality, and innovative products; and helping to expand the business. She has extensive experience in using technology to deliver client value, supporting business-process transformation and managing complex, large-scale programs on and off shore. She holds a BS in computer science and business administration from Northeastern Illinois University and is a Project Management Professional, Six Sigma Green Belt, and Certified ScrumMaster.