How the CTO Uses Data to Fight Against Inside Attackers?
By Anirban Banerjee
In the InfoSec industry, CTOs have witnessed many inside jobs, also known as insider threats. These threats usually come from individuals or groups of people within organizations or companies, including employees, contractors, business associates or partners. They deliberately contribute to, or initiate, a breach of the company's network in order to sabotage it or steal information. Because these people are already inside the company, they have the advantage of being familiar with how the company network works, holding valid login credentials, having ways to keep their position without getting caught, and being able to access information about clients. Insider threats have caused many organizations both competitive and financial losses.
Insider attacks are rarely one-off events; they happen repeatedly, and while most cause losses to the company, some target its customers too. While many organizations spend billions of dollars protecting themselves from external data breaches, far fewer consider the effects of attacks by disgruntled employees, or by careless employees who leave an unlocked phone in a cab. Attacks from employees who already have access to information are deadly to the organization and to any customers it has. The assumption that those who are granted access to company data are trustworthy and will not turn against the company has cost many companies dearly and has brought insider threats to the forefront over the past few years. What can companies do to prevent internal data breaches?
Categorize data to fight insider attacks
While it is difficult, and mostly impossible, to protect everything, it is still possible for companies to come up with ways to shield themselves and their customers from the risks of internal data breaches. Categorizing data is among the most effective steps in fighting insider threats. Data categorization ensures that access to the most sensitive data in the company is limited to only a few people. This initial gatekeeping step allows organizations to defend against attacks and insider threats.
Data can be divided into three categories:
- Data that is not sensitive
- Data that will have a negative effect on the organization if it is leaked
- Data that, if leaked, could kill your business
How sensitive a given piece of data is varies from one company to another, so sorting data into these subgroups can still be a huge challenge. Data that could kill one business would not necessarily cause any loss to another. To categorize data, an organization's Chief Technology Officer needs a keen eye. They also need to team up with the other executive officers in the company to determine which data is more sensitive than the rest.
</gml_replace>
<gr_replace lines="11" cat="clarify" orig="After data has">
After data has been categorized, the security clearance required to access each category needs to be stricter than that of the level below it. For example, accessing information about what the company does, its motto, who its founders are and where it is located should only require an employee to log in to the company's website. This is not sensitive information, leaking it to the public costs the company nothing, and all employees can have access to it.
After data has been categorized, the security clearance of accessing each data category will need to be more intense than that in the previous level. For example, to access information about what the company does, its motto, who its founders are and where it is located would simply need an employee to log in to the company’s website. This is not sensitive information and leaking it to the public will not cost the company anything. It is information that all employees can have access to.
Information such as the names of clients, or the secret ingredients the company uses in its manufacturing process, requires a higher clearance, because competitors who obtained it could outdo the company and take most of its clients, causing real damage. Such information should be restricted to only a few people, so that it becomes easier to track who accessed which information and when.
Trace all steps and processes
Organizations should trace all processes and steps within the organization that view, collect or manipulate data that is confidential or personal in nature. They should make sure this information is encrypted, especially at its source, so that only people with clearance can read it. People who are not allowed to access the information will then be unable to understand it even if they somehow obtain the password of someone who does have clearance. The keys that decrypt the data should not be stored in the same place as the data itself, so that an unauthorized party who reaches the data still lacks the means to read it.
Tracing the activity of every account that does have clearance to access the information lets the organization spot people who accessed information more often than necessary, or outside work hours. Being able to trace access gives the organization grounds to question suspicious activity on authorized accounts. In this way it can identify people who are trying to misuse the organization's information and the trust placed in them, and protect itself and its clients from data breaches that could be costly or fatal.
Logs must be audited
Organizations must audit all access logs for sensitive data, preferably weekly, so that they can catch people who cannot resist misusing company data. Waiting too long to audit will cost the company dearly if the data has already been sold or leaked to the public by the time the audit happens. A period of one week or less is best to ensure that all data inconsistencies are noted. Preferably, the logs should be audited automatically by detection systems that look for unexplained patterns and inappropriate usage.
The systems should also be checked for vulnerabilities and malware. Having the systems check automatically ensures that malicious employees who want to leak data have no way to hide their activities or keep the company from learning that they have been leaking sensitive information. It has been noted that most employees hand in their resignation about 30 days after they have leaked any type of information.
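The weekly audit described above, as an added illustration that is not part of the original article: it classifies records into the three categories, checks each read against the account's clearance, and flags off-hours reads and accounts that read sensitive data more often than a weekly limit. The log format, tier names, clearances, thresholds and sample log lines are all assumptions constructed for the example.

```python
# Added example, not from the article: a weekly audit pass over access logs
# for categorized data. Log format, tier names, clearances and thresholds
# are assumptions made for illustration.
from collections import Counter
from datetime import datetime

TIERS = {"public": 0, "confidential": 1, "critical": 2}   # article's three categories
CLEARANCE = {"alice": 2, "bob": 1, "carol": 0}            # highest tier each account may read
WORK_HOURS = range(8, 19)                                 # 08:00-18:59 counts as work hours
WEEKLY_LIMIT = 4                                          # sensitive reads per account per week

# Constructed log lines: timestamp, account, data tier, record id.
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice critical recipe-17
2024-03-04T10:40:00 bob confidential clients-q1
2024-03-04T23:55:00 bob confidential clients-q1
2024-03-05T02:10:00 bob critical recipe-17
2024-03-05T11:00:00 carol public about-us
2024-03-05T11:05:00 bob confidential clients-q2
2024-03-05T11:07:00 bob confidential clients-q3
"""

def parse_log(text):
    """Turn each log line into (datetime, account, tier, record)."""
    rows = []
    for line in text.strip().splitlines():
        ts, account, tier, record = line.split()
        rows.append((datetime.fromisoformat(ts), account, tier, record))
    return rows

def audit(rows):
    """Return (account, reason) findings a reviewer should question."""
    findings, reads = [], Counter()
    for ts, account, tier, record in rows:
        level = TIERS[tier]
        if level > CLEARANCE.get(account, -1):          # read above clearance
            findings.append((account, f"no clearance for {tier} record {record}"))
        if level > 0 and ts.hour not in WORK_HOURS:      # sensitive read outside work hours
            findings.append((account, f"off-hours read of {record} at {ts:%H:%M}"))
        if level > 0:
            reads[account] += 1
    for account, n in reads.items():                     # more reads than the job needs
        if n > WEEKLY_LIMIT:
            findings.append((account, f"{n} sensitive reads this week (limit {WEEKLY_LIMIT})"))
    return findings

if __name__ == "__main__":
    for account, reason in audit(parse_log(SAMPLE_LOG)):
        print(f"{account}: {reason}")
```

In a real deployment the log would come from the systems that serve the categorized records, and the findings would feed the weekly review rather than being printed.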