DLP and the Insider Threat
CISOs Focus on External Leaks, But What's Happening Internally?
My late father, who worked for the Vigilance Department of India's National air carrier, used to cite cases of cheating and fraud, many of which seemed to be perpetrated, or at least "assisted" by the airline's own staff.
Years later, fresh from university and armed with a degree in computer science from the UK, my first assignment included information security auditing for one of the world's largest fast-moving consumer goods companies. During one such audit, I experienced a security incident that brought back memories of the cases my father shared. The commonality: My incident, too, was perpetrated by an insider.
Having until recently spent more than a decade heading the information security division for one of India's oldest, largest and most respected multi-national business houses, I realize that there is still a huge potential for leakage and theft of corporate data. This is in spite of corporations investing in the best of technology, including firewalls, intrusion prevention systems, intrusion detection systems, etc., to protect their data from external hackers or "outsiders." However, look up any statistics on the Internet and they all reveal that the maximum amount of data leakage occurs from within the organization. Speak to any CISO, and their biggest concern is compromise of data from within. This was my concern as a CISO, too.
My experience is that senior management is willing to invest money to protect the organization's data from external hackers - an absolute must - but is hesitant to invest in technology that protects their data from theft by their own employees. Be it because of financial burden, lack of awareness or the culture of "trust," business houses and BPOs are still insensitive to this dark side, until they experience a data breach and burn their fingers. Senior management needs to accept that external hackers are not the only source of their confidential data being leaked. The insiders, who have easier access to their data, are capable of such data leaks and need to be monitored too.
There is a grim need for organizations to make serious investments in technology to protect their data from being leaked by their own employees, be it an unintentional mistake or malevolent intent. Such sensitive data can take various forms: financial statements, business strategies, patient details, credit-card details, intellectual property, source code sent with CV to competitors, etc.
In an organization where I consulted recently, a data leakage prevention (DLP) solution was in place. But what was alarming was seemingly "non-techie" people finding new ways to try to leak corporate data for financial gain. Credit card details, personal details of customers, etc. were all attempted to be siphoned off using the file upload facility on Facebook and even sites that convert files from one format to another. Downloading of data to some models of smart phones was not trapped by these solutions, although the other avenues cited above were detected.
My observation was that a mix of products from various vendors was perhaps the best answer, but that approach has its own drawback: it becomes hard to view the data as one big consolidated picture. A non-banking financial corporation in India recently deployed a DLP solution, and in spite of making the employees aware that they were being monitored, a huge amount of confidential information continued to be leaked. This led to the sacking of some employees, but once again, the alarming discovery was that other employees still continued to find ways to attempt to leak confidential data.
Senior management fails to realize that these insider leakages affect the business, and thus the profits, in very much the same way as if this data were compromised by an external hacker. Companies and BPOs must invest in this technology, especially if they are to remain compliant with standards such as the Health Insurance Portability and Accountability Act and the Payment Card Industry Data Security Standard. How would the organization handle the impact on the brand and reputation if this data were compromised? What would be the remediation cost?
DLP solutions are designed to detect potential data breaches and prevent them by monitoring, detecting and blocking sensitive data through deep content analysis. It is imperative that the organization identifies the avenues through which an insider might leak confidential data. These might be data in use (e.g. mobile devices, DVD/CD, USB, print, network shares), data in transit (e-mail, Webmail, FTP, instant messaging), or data at rest on storage mediums such as file servers, databases and e-mail servers.
Once senior management is committed to preventing leakage of data by insiders, certain steps need to be adhered to for successful implementation of the project. For example, planning, creating awareness and educating the employees, having a data classification policy and solution in place, involvement of a primary business owner in conjunction with technical management, and well-defined processes all contribute toward a successful DLP project implementation. Configuring and fine-tuning of policies takes time and needs patience. The most disastrous route one can take is to adopt "out-of-the-box" policies. Such a decision would lead to a huge amount of unmanageable data generated from a combination of false positives and false negatives.
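To make the two preceding points concrete, here is an added example (not code from the article or from any DLP vendor) of the kind of content analysis a DLP policy performs on data leaving the organization, and of why tuning matters. It scans a handful of constructed outbound events (e-mail, Webmail and file-conversion-site uploads, matching the channels named above) for card numbers, and shows that a naive "16 digits in a row" rule flags an order reference as a false positive while a Luhn-checked rule does not. The channel-to-action policy table, the event format and all sample data are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Candidate primary account numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Hypothetical per-channel policy (an assumption for this example): what to do on a hit.
CHANNEL_POLICY = {
    "email": "alert",
    "webmail": "block",
    "file-conversion-site": "block",
}


@dataclass
class Finding:
    channel: str
    user: str
    masked_pan: str
    action: str


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for a well-formed card number, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits so the alert is useful without re-leaking the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str, require_luhn: bool = True) -> list[str]:
    """Return the PAN digit strings found in text; with require_luhn, drop checksum failures."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if require_luhn and not luhn_valid(digits):
            continue
        hits.append(digits)
    return hits


def scan_events(events, require_luhn: bool = True) -> list[Finding]:
    """Apply the content rule to each outbound event and attach the channel's policy action."""
    findings = []
    for ev in events:
        for pan in find_pans(ev["content"], require_luhn):
            action = CHANNEL_POLICY.get(ev["channel"], "alert")
            findings.append(Finding(ev["channel"], ev["user"], mask(pan), action))
    return findings


# Constructed sample events; the card numbers are the well-known Visa/Mastercard test numbers.
SAMPLE_EVENTS = [
    {"channel": "email", "user": "a.sharma",
     "content": "Quarterly numbers attached. Call me on 9876543210 if needed."},
    {"channel": "webmail", "user": "r.mehta",
     "content": "Card for booking: 4111 1111 1111 1111 exp 12/26"},
    {"channel": "file-conversion-site", "user": "r.mehta",
     "content": "Customer 5555555555554444 renewed policy"},
    {"channel": "email", "user": "p.rao",
     "content": "Shipment ORD-1234567890123456 dispatched today"},
]

if __name__ == "__main__":
    print("Naive rule (digits only):")
    for f in scan_events(SAMPLE_EVENTS, require_luhn=False):
        print(f"  {f.action:5} {f.channel:22} {f.user:10} {f.masked_pan}")
    print("Tuned rule (Luhn-validated):")
    for f in scan_events(SAMPLE_EVENTS):
        print(f"  {f.action:5} {f.channel:22} {f.user:10} {f.masked_pan}")
```

The naive rule produces three findings, one of them the order reference in the last e-mail; the Luhn-validated rule keeps only the two genuine card numbers. Real products layer further context (proximity keywords, document fingerprints, data classification labels) on top of this, which is exactly the fine-tuning the article says takes time and patience.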
Berjes Shroff is the founder of the IT security consultancy BERJ INFOSEC. He has more than two decades of experience in diversified fields of technology and security, and most recently was deputy GM - technology security for Vodafone. Prior to that, he spent 16 years with the TATA Group, serving as CIO for Tata Services Ltd. and a chief information security officer for Tata Services, Tata Sons, Tata Industries and the HQ of the TATA Group.