As a result of the pandemic, we made an almost overnight move to a remote workforce, which has increased data security risks and created new risks of data exfiltration. The inevitable result is security gaps around data and intellectual property (IP).
How has data security changed from insider threat?
A new strategy needs to be developed for employees working from home. We have tried to address the insider risk in several different ways, primarily through data loss protection technology, but that has not really worked.
When working in the office, users can feel like people are watching. When working remotely, they do not always feel that way. People can feel a little bit more entitled to pull information off their work machine or share things in unsecure ways. You need to know when certain files move and where they go, and then react as quickly as possible if there is a potential problem.
In a recent report published by Code42, research found that 66% of data breaches over the past year were linked to inside jobs. Most companies spend 10% or less of their security budgets to address insider threats, their excuse being that they only hire trustworthy people. This needs to change because the market is changing. With the increase in contract workers in our environment, combined with talent moving from one company to another, intellectual property and data can be at heightened risk.
How has data risk changed since COVID-19 and the remote workforce?
Organizations that have already moved to cloud-based SaaS solutions are pushing more operations into the cloud, and those that had not yet made those moves are rushing to do so. Since the move to the majority of people working remotely, we have seen an increase in phishing and other adversarial activity. Your organization needs to determine new risks and create an action plan for each.
It is not the job of the corporate information technology (IT) department to secure employees’ home networks, but all of those home setups have now put your company at risk. You need to develop protocols and guidelines to help secure a remote workforce. Consider making your help desk available to assist employees if needed.
An example of a red flag to look for is when users request access to systems they may not need. Manager access review is important to ensure employees have the correct rights and access.
How do you prevent employee theft of IP amid a remote workforce and downsizing?
IP theft has always been a problem, whether using a remote workforce or not. How do you protect and secure data from those people that have access to it? Company policies need to make it very clear that “thou shalt not steal our IP.”
You might think this is overkill, but in order to take legal action against an employee who has stolen IP or may have stolen IP, you have to lay out expectations. You must have clearly stated access privileges and access rights that employees are aware of. One of your tools for protection of company IP is the Computer Fraud and Abuse Act, which is a federal law. This law can be applied in all 50 states, plus D.C.
In order to use this, you will need to show the employee exceeded their authorized access to a protected computer system, which means they purposely did something they knew they shouldn’t have. The risk of IP theft can be reduced by implementing certain controls such as:
- Do not allow local printing, unless there is a need for it.
- USB ports that are open should be locked down.
- Consider additional monitoring on the endpoint, especially around email.
- Carefully monitor those giving notice or being let go; this creates a situation where people may take data they should not be taking.
- Most companies have everything logged, but active monitoring needs to be in place.
Share with your employees that you have insider threat monitoring in place for the protection of everyone. This sets the shared expectation that stolen IP will result in consequences.
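The last two controls in the list above, watching people who are leaving and turning stored logs into active monitoring, can be sketched as a daily review job. This is an added example, not code from the article; the event format, destination labels, HR feed and thresholds are all constructed assumptions.

```python
import csv
from collections import defaultdict
from datetime import date, datetime
from io import StringIO

# Constructed sample data: endpoint file-movement events (not from the article).
EVENTS_CSV = """timestamp,user,action,destination,bytes
2021-03-01T09:12:00,alice,copy,usb,1200000
2021-03-01T09:15:00,alice,upload,personal_cloud,52000000
2021-03-01T10:02:00,bob,copy,network_share,800000
2021-03-02T14:30:00,carol,print,local_printer,40000
2021-03-02T22:45:00,alice,email_attach,external_email,9000000
2021-03-03T11:00:00,bob,copy,usb,300000
"""

# Constructed HR feed: users who gave notice or are being let go, with last day.
DEPARTING = {"alice": date(2021, 3, 12)}

# Assumed labels for destinations that take data off managed systems.
RISKY = {"usb", "personal_cloud", "external_email", "local_printer"}
NOTICE_WINDOW_DAYS = 30        # assumed watch period before the last day
BYTES_THRESHOLD = 10_000_000   # assumed per-user daily volume worth a look


def review(events_csv, departing):
    """Return alerts as (day, user, reason, total_bytes), ordered by day and user."""
    daily = defaultdict(int)
    for row in csv.DictReader(StringIO(events_csv)):
        if row["destination"] not in RISKY:
            continue  # movement inside managed storage is not counted
        day = datetime.fromisoformat(row["timestamp"]).date()
        daily[(day, row["user"])] += int(row["bytes"])

    alerts = []
    for (day, user), total in sorted(daily.items()):
        last_day = departing.get(user)
        in_notice = (last_day is not None
                     and 0 <= (last_day - day).days <= NOTICE_WINDOW_DAYS)
        if in_notice:
            # Any off-network movement by a departing user gets a human look.
            alerts.append((day.isoformat(), user, "departing user moved data off-network", total))
        elif total >= BYTES_THRESHOLD:
            alerts.append((day.isoformat(), user, "high volume to unmanaged destination", total))
    return alerts


if __name__ == "__main__":
    for alert in review(EVENTS_CSV, DEPARTING):
        print(alert)
```

The notice-period rule fires on any volume, while everyone else is held to the daily threshold, so the review queue stays short enough for someone to actually work it.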
Which controls help most as you go from network-centric to data-centric security?
A combination of technologies, tools, strategies and education is most effective. For those information assets sitting on a clearly defined network, a more traditional information security approach is fine. When we’re talking about integration of external services, software as a service or any type of cloud-based or off-site implementation, a more stringent approach is recommended. Either a fully implemented single sign-on service or a zero-trust model is recommended when it comes to securing this type of information.
How do you address data security and third-party vendor risk?
Your organization needs to make sure third-party vendor access restrictions are appropriately in place. Verifying that any third party is doing its due diligence for its information security is also necessary. Allowing others access to your information may compromise that information, depending on their data security protocols. A virus, malware or even a hacker could use a third-party connection to move from their network to yours. You need a robust third-party management plan that also addresses their vendors.