Although companies are always at risk for data security threats from the outside, employee activities cause a fair share of data breaches, too, a new survey finds.
SpectorSoft, an employee-monitoring solutions provider, released its survey "Insider Threat: Alive and Thriving" today (Sept. 24), revealing that 23 percent of enterprises have experienced a data breach from the inside.
According to the survey, intellectual property (IP) is one of the most frequently breached data types. Further, IP, business plans, technology designs, and mergers and acquisitions information are breached 44 percent of the time. Employers also said 47 percent of former employees break confidentiality and non-disclosure agreements, taking company information with them before they leave the organization, the survey found.
The study also revealed that, although companies have protocols in place to prevent data breaches, many employees often break company policy. Fifty-three percent of companies said employees use company-issued devices to send business-related information to personal email and cloud-based file-sharing accounts, such as Gmail and Dropbox.
Jason Judge, CEO of SpectorSoft, talked to BusinessNewsDaily and provided the following tips on mitigating data breaches and monitoring employees:
BusinessNewsDaily: What steps can employers take to enforce company policies?
Jason Judge: It starts with education. First, make sure employees are aware of your organization's policies. Simply having an employee handbook or acceptable use policy doesn't mean anyone has read them. Have employees acknowledge that they are aware of acceptable use policies and that they have read them. Whatever your organization allows will continue to take place. You need a way of validating compliance with the policies. You need to let employees who violate [these regulations] know that policies exist for a reason and that they will be enforced. Otherwise, you should not expect much in the way of adherence.
BND: What types of controls can employers implement to prevent IP breaches?
J.J.: Make sure your organization manages who has access to this type of critical, confidential information. There are people who legitimately need access — make sure access is limited to those people. Now the question becomes, "How do you ensure that people use the accesses they are granted properly?" That's the unique challenge posed by the insider threat. I believe you need to focus on the activity of the insiders themselves. That way, you have a clear record of what was done and the context to understand why it was done. There are a lot of solutions focused on preventing unauthorized access, but they can't effectively deal with the insider threat. If it were a simple matter of setting the right permissions, we wouldn't be seeing so many stories on data theft.
BND: How can employers make sure former employees adhere to confidentiality and non-disclosure agreements? CAN employers do this?
J.J.: They can. The theft of IP models created by CERT — the cyber defense and security division of the Software Engineering Institute at Carnegie Mellon University — show that most insiders steal IP within 30 days of leaving an organization. When someone gives notice, it's common sense to start actively monitoring his or her activity to protect your information. Better, if you have a detailed, 30-day log of activity for all employees, you can simply check the records and ensure nothing was taken before or after notice was given. Should you find evidence of IP theft, you can deal with it quickly and proactively.
BND: Popular personal email and cloud-based file-sharing providers are typically secure. What makes them risky when transferring company information, and how can employers stop employees from using these services?
J.J.: The issue isn't the security of these services. It's the fact that company data has left the control of the company. Once it's moved to one of these solutions, there is no way for the company IT or security folks to safeguard it, or even know where it is. Companies should set policies about who can and cannot use these types of offerings. That said, I don't know that employers can fully stop them from being used by employees that want to use them. New services are popping up all the time. And for the most part, employees are using them to increase productivity. Finding and blocking all of them is not easy. Data loss-prevention solutions have a role to play here, but they are not context aware. You need to be alerted when sensitive data is uploaded to one of these offerings, and you need to have a clear picture of the user activity leading up to that alert — so you can understand whether you have an employee taking some work home with them for the betterment of the company, or a security issue that needs to be dealt with. Otherwise, you risk being overwhelmed by false positives.
BND: Privacy is a huge issue. How do organizations overcome privacy concerns related to employee-monitoring software?
J.J.: Research shows that employees do not see monitoring during work hours on company-issued computers as an invasion of privacy. Many expect it, with 91 percent of employees accepting having their computer activities and behaviors monitored during work hours. To make it even easier for employers to deploy activity-monitoring solutions in an age where privacy is an issue, though, we have designed Spector 360 Recon to strike a balance between the two critical factors.