How to stop insider threats

Research firm reveals steps to keep your confidential data within the confines of your building

Watch what leaves the office

Employee turnover is common, as is the practice of employees taking sensitive and confidential data with them when they leave, particularly data that they were involved in generating. This creates a significant risk for employers whose data was misappropriated, resulting in potential data breaches that can trigger regulatory actions or legal actions, as well as a variety of other consequences. Most employers are not adequately prepared to deal with the aftermath of employee data theft and many do not take the steps necessary to mitigate these risks before they occur.

However, there are a number of things that decision makers can do to protect their companies and minimize, if not eliminate, the threat of employee theft of sensitive and confidential information.

Osterman Research created a White Paper, sponsored by Archive360, which looks at ways to thwart that insider presence.

Encryption

In organizations that have not fully embraced or deployed encryption, perhaps the place to begin the process is by targeting the areas that are most obviously in need of protecting sensitive or confidential content: sensitive data assets and the devices that are used to access them. Decision makers should identify privileged communications, as well as content that could greatly harm the company’s standing with business partners and other key constituencies if it was exfiltrated by departing employees. This includes files that contain clearly sensitive documents like financial projections, draft policy statements, bids, tenders, acquisition information, employee medical records, partner information or customer financial information. This content typically represents the vast majority of the risk in most companies and is relatively easy to protect using robust encryption technologies.

Mobile device management

Mobile Device Management (MDM) technology can protect corporate data on mobile devices by allowing an administrator to monitor content on corporate and personally owned devices, containerize corporate data on personally owned devices, and remotely wipe this data quickly. While it’s possible for an employee to exfiltrate data from mobile devices before they have announced their departure, MDM solutions ensure that employees will not have access to corporate data on mobile devices after their access is supposed to end.

Employee activity and content monitoring

Another important class of technology for preventing employee exfiltration of data is solutions that monitor employee activity and how content is accessed. The monitoring tools currently available vary in their features and functions, but their capabilities include monitoring all email and webmail traffic, tracking the web sites that employees visit, capturing all of their instant messages and social media posts, logging the files they have accessed, taking periodic screenshots, and even keystroke logging in some cases. While these types of tools carry with them a bit of a “creepiness” or “Big Brother” factor, they are useful in two ways: first, by allowing IT to understand just about everything an employee is doing; and second, by inhibiting inappropriate behavior because employees know their activities are being tracked.

Implement DLP and/or file analytics technology

Data Loss Prevention (DLP) and file analytics tools are another useful set of capabilities for protecting corporate data. DLP tools monitor content and can carry out a variety of actions based on pre-determined policies. For example, if an employee attempts to download sensitive or confidential information to which he or she would not normally have access, or if an employee downloads a large amount of information, the request can be sent to a compliance officer for approval.
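The two policy triggers described above can be sketched as follows. This is an added illustration, not code from the white paper or from any DLP product; the role entitlements, the 500 MiB daily threshold and the sample events are constructed assumptions.

```python
from collections import defaultdict

# Hypothetical policy: content categories each role may normally access.
ROLE_ALLOWED = {
    "sales": {"customer", "bids"},
    "finance": {"financial", "customer"},
    "hr": {"medical"},
}
DAILY_BYTES_LIMIT = 500 * 1024 * 1024  # assumed cap: 500 MiB per user per day

# Constructed sample events: (date, user, role, content category, bytes requested)
EVENTS = [
    ("2017-03-01", "alice", "sales", "customer", 20_000_000),
    ("2017-03-01", "alice", "sales", "financial", 1_000_000),
    ("2017-03-01", "bob", "finance", "financial", 300_000_000),
    ("2017-03-01", "bob", "finance", "financial", 300_000_000),
    ("2017-03-02", "bob", "finance", "customer", 10_000_000),
]


def evaluate(events, role_allowed=ROLE_ALLOWED, limit=DAILY_BYTES_LIMIT):
    """Return one (action, reason) pair per download request, in order.

    'review' means the request is held for a compliance officer;
    'allow' means it passes both policy checks.
    """
    approved = defaultdict(int)  # (date, user) -> bytes already allowed that day
    decisions = []
    for date, user, role, category, size in events:
        # Trigger 1: content the role would not normally access.
        # An unknown role has no entitlements, so it fails closed.
        if category not in role_allowed.get(role, set()):
            decisions.append(("review", f"{user}: '{category}' outside {role} access"))
            continue
        # Trigger 2: unusually large volume within one day.
        prospective = approved[(date, user)] + size
        if prospective > limit:
            decisions.append(("review", f"{user}: {prospective} bytes exceeds daily limit"))
            continue  # held requests do not count toward the approved total
        approved[(date, user)] = prospective
        decisions.append(("allow", ""))
    return decisions


def review_queue(events):
    """Reasons for every request that must go to the compliance officer."""
    return [reason for action, reason in evaluate(events) if action == "review"]


if __name__ == "__main__":
    for line in review_queue(EVENTS):
        print(line)
```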

File analytics technology allows administrators and others to search through unstructured data that can be stored just about anywhere across an enterprise, analyze the content of this information, apply supervisory rules, and retrieve information as needed. File analytics tools can scale massively to allow search, analysis and retrieval of enormous volumes of information.

Solutions that will prevent offloading of data

Another useful technology that can reduce the likelihood of employees exfiltrating data upon or before their departure is the ability to prevent the copying of data onto physical media, such as CD-ROMs, DVD-ROMs or USB drives. Depending on the technology, these can be controlled by policy so that employees with a legitimate need for these capabilities can perform these functions, but all others will not be able to do so.

Centralized logging and reporting

Another important capability is centralized logging and reporting of employee activity so that administrators know which files are being accessed, who is accessing them, when they were accessed, the devices on which they were stored, etc. Centralized logging and reporting not only allows investigators to conduct forensic analysis to track where files were copied and by whom, but employee knowledge of these capabilities might inhibit inappropriate behavior by departing employees.

Replace BYO solutions with IT-managed ones

BYO is a fact of life in most organizations and IT has accepted/embraced/acquiesced to the idea that employees are using their own devices, applications and tools to access and process corporate data. Employees are now in charge of many of the tools they use on a daily basis, and in primary control of the data that is processed by these tools. That creates problems for an organization in the context of compliance, legal considerations, and best practices around protecting and managing data.

IT departments should determine the BYO tools that employees are using, establish why employees use these tools instead of IT-managed capabilities, and then offer alternatives that will put IT back in charge of the data management process. The key is to provide a tool that is just as easy to use as the personally managed tools that employers are seeking to replace and with an interface that users will want to employ, but that allows IT to be in control of where data is stored.

Account activities

  • Disable all accounts to which the employee has access. A 2015 SailPoint survey found that 66 percent of employees had access to corporate data that they had uploaded to a cloud storage application like Dropbox after they left.
  • Disable access to the company network.
  • Disable access to the Active Directory user account or equivalent.
  • Change passwords for all applications, cloud-based storage, etc.
  • Take the employee’s security pass.
  • Remove employee from all distribution lists.
  • Redirect employee communication (e.g., email) to an appropriate individual.
  • Delete the employee’s voicemail account and/or change the voicemail password.
  • Ensure that when an employee leaves the organization, his or her email is forwarded to someone else, such as the departed employee’s manager or replacement.

Backup, archiving and content management functionality

  • Reduce storage cost using low-cost, cloud-based, ‘cool’ storage (storage designed for the retention of data that is rarely accessed).
  • Deploy backup and recovery solutions that are designed for rapid restoration of files if employees delete or corrupt files.
  • Keep compute charges low with on-demand indexing and search.
  • Implement automated retention and disposition policy management capabilities.
  • Implement ECM capabilities that will provide users with the ability to access and make changes to existing documents, but that will do so under the control of corporate policies focused on appropriate roles and permissions and that will provide a thorough record of all file transactions. This includes activities by mobile users, users of enterprise file sync and share systems, and all other corporate solutions.
  • Implement a permanent locking feature for SEC compliance.

Management activities

  • Provide good training for managers so that they can be aware of best practices for managing employees, recognizing problems before they occur, dealing with departing employees, and handling exits professionally.
  • Provide good training for employees so that they are aware of best practices for protecting data, using company-approved tools, and maintaining adherence to company policies.
  • Implement the appropriate solutions that will allow HR, senior executives, legal and other relevant parties to monitor managers’ behavior so that they can identify managers who need additional training on how to deal with employees in a professional manner.

Copyright © 2017 IDG Communications, Inc.