Internal audits of company networks have shown one incident of insider data theft per 100 employees per month, according to the head of a security provider who believes the best protection from insider threats comes from having fewer restrictions on data access, not more.
The audits – conducted by E-Safe Systems as a security baselining effort for potential customers – monitor ongoing employee behaviour over a period of time using a client application that is installed on large numbers of corporate computers and tracks all file access and other user activity.
Employees are frequently observed copying files to USB drives, uploading sensitive files to cloud-storage services like Dropbox, and the like – which, chairman and CEO Ian McKinley told CSO Australia, supports the case for security practitioners to become more proactively engaged with employees through a framework that makes it quite clear they're being observed.
Security providers have generally “approached the issue of security with a blocking mentality that presupposes you can stop things happening,” McKinley explained.
“If you build a system around the assumption that you are hostage to fortune, you're trying to prove a negative – which is logically impossible. So many providers come from an antivirus mentality but it's always a balance between usability and security, and you can't just keep saying 'lock it down' and expect to get more secure.”
Technology developed by e-Safe – a UK company that maintains an R&D centre in Kuala Lumpur and recently established an ANZ sales office in Sydney headed by country manager Rizwan Mahmood – takes a different approach, enforcing controls over corporate information based on its level of sensitivity and following centrally-defined corporate rules to intervene whenever employees attempt to perform certain actions with sensitive corporate data.
Significantly, the platform is designed from a business rather than a technical context – meaning that documents are tied to business reporting structures and notifications of potential document misuse are sent straight up that structure.
Rather than trying to patrol document misuse after the fact, e-Safe's design allows employees to copy or print whatever they need – as long as they're willing to explain their activities in a written sentence that is sent to their supervising line-of-business executive.
“We have the opportunity,” McKinley said, “to create the rules in a distributed fashion, to monitor the rules that are being applied in a distributed fashion, and perhaps most importantly of all, to report potential problems in a distributed fashion to a person who is capable of understanding the implications of what somebody has either done or attempted to do.”
Knowing that the managing director of the company will get an email alert when they copy financial records or customer lists will often be enough of a deterrent to stop casual exfiltration of company information.
Those that do proceed with the action will know they're being monitored – allowing their supervisors to quickly notice and deal with potentially problematic insider activities of the type that were regularly observed during introductory network-activity audits.
“You're engaging all the time with the user and saying 'we're not going to lock you but if you take liberties with this, we're going to know',” McKinley said, noting that document security “is not a technological problem but a human problem.”
The importance of document-based security protections has come into sharp relief in recent years as the ongoing and deepening tide of security breaches forces organisations to accept that their perimeters are no longer the inviolable barriers they used to be. Tighter security is possible, but efforts to balance it with employee usability have often fallen flat, and the proliferation of cloud-based services has challenged notions of compliance and forced companies to a new operating posture.
Some operators have leveraged cloud platforms to help in these areas, putting policy engines in the cloud and securing cloud productivity applications to enable defence-in-depth security paradigms that, Gartner recently forecasted, would accelerate cloud services' role in building new security defences.
This shift has one more consequence for already overworked IT managers: as well as confronting potential document exfiltrators at the moment of their deed, the ability to define distributed policies for data-protection controls reduces the burden on IT staff to maintain exclusive vigilance over the exfiltration of company data – a role that has often been inherited because of their assumed dominion over all things security-related.
“We're decentralising the capability to define what is important, and at what level,” McKinley explained. “We're decentralising the reporting back to the person who owns the data, and who classified it in the first place. It really reinforces the idea that security is everyone's responsibility.”