The average enterprise manages hundreds of disparate applications, many of which store and transmit sensitive information. Security leaders have the responsibility to prevent, mitigate, and detect insider threats in this complex landscape of software, which can be extremely difficult when a simple inadvertent typo could result in data loss.
So, how can leaders foster a culture that prioritizes security, empowers employees, and mitigates insider threats—all at the same time?
It may sound like a tall order, but it’s achievable. In a recent webinar with Information Security Media Group (ISMG) entitled Shaping Stronger Security, Virtru’s Rob McDonald, Executive Vice President of Platform, and Trevor Foskett, Senior Director of Solutions Engineering, shared stories from their own personal experiences. Here are some of the highlights from their conversation.
There are three main types of insider threats that security leaders should be aware of: Malicious, inadvertent, and third-party (e.g., a vendor, application, or supply chain partner with access to your organization’s data). McDonald highlighted that it ultimately comes down to willingness and intent: If an employee has put company data at risk, were they doing so willingly, and did they have any intent to do harm? Often, the answer is no — they simply made a mistake.
“It can simply be their normal workflow, someone doing business as [usual],” said McDonald. This makes inadvertent insider threats extremely difficult to detect and identify, he said, because there are no clear patterns or behaviors that lead to an incident. “These are the hardest ones to spot because it can be anybody,” Foskett added. “It can be the CEO, or HR typing the wrong keystroke.”
An audience poll confirmed that 83% of webinar attendees saw inadvertent insider threats more frequently than malicious or third-party threats. “That answer is not surprising to me at all,” Foskett said. “Not many [customers] are asking, ‘How can I prevent someone who’s actively trying to exfiltrate data for nefarious purposes?’ But a lot of the questions are, ‘What if someone does this accidentally, or they don’t know that what they’re sharing is sensitive?’”
It’s especially difficult to detect insider threats as the number of applications, and the number of users, continue to grow in an organization. “Having been in the healthcare space, purchasing and utilizing tools and supporting a workforce, and now building tools to support those same users,” McDonald said, “Any time you add an additional individual, it’s not a 1:1 linear increase of risk; it’s exponential. Chaos theory kicks in and you have no idea what those individuals are going to do, and it’s not malicious, but it’s that complexity of interactions, that chaos nature of human interactions, make this answer unsurprising.”
In an expansive ecosystem of apps, data is the common denominator, says McDonald. Protecting the data itself has to be a key priority.
With a large SaaS ecosystem, Foskett said, “There are all these ways that you can share data through all of them, so when you take a step back and look at that, you need to understand how that data can move through there. Introducing a data loss prevention solution, introducing encryption, can mitigate that by protecting the data as it moves through all these different places. If it’s moving through there with protection attached to it, the risk associated with using all these different services is much lower than it would be if you were exposing all that data up front.”
Focusing on the data gives organizations greater flexibility to adopt new technologies and apps, which can be powerful for recruiting and retaining top talent, McDonald noted. “More flexibility is more sustainable.”
“Today, the use of these tools, SaaS apps, and collaboration ecosystems are encouraged for organizations to be competitive,” McDonald said. “Think about the shift in the employee landscape — there’s higher demand to bring and use any tool I want.” Talent today expects to be able to bring their own tools to the table, and by protecting data itself wherever it goes, there’s less concern around the apps being used, because security teams can be confident that the real asset, the data itself, is secure.
“Employees’ jobs are not necessarily to know the ins and outs of a security program,” said McDonald. Employees are primarily focused on their own area of work, which could be supporting the purchase process, creating marketing materials, or providing customer support. Security leaders have to meet employees where they are, as well as put tools and parameters in place to lessen the surface area of risk.
Leadership is key to cultivating engagement around security, Foskett and McDonald agreed. “Security has to be a collaborative and cross-functional process,” McDonald said. “There has to be a cadence of communication and feedback, or otherwise it’s just preaching to an audience. Through a regular cadence of communication, you can share knowledge more effectively. That buy-in, that alignment, is required for awareness to go across the organization. Without awareness, there’s no adoption, and with no adoption, there’s no posture.”
Foskett mentioned a quote that has stuck with him: You don’t want to do security to your organization; you want to do security with your organization. “You see that a lot: People feel stifled or like they’re the enemy. If we all work on this together, they’re more willing to work with you. Give them tools to work within that framework instead of making it restrictive and complicated,” Foskett said.
McDonald noted the importance of delivering this information in an engaging way: “Why would we ask the audience to go through something horribly dry and unengaging, and expect them to come out on the other side an expert? It’s just not going to happen.” By making security conversations compelling, informative, and engaging, organizations can better prepare their people to handle the sensitive data they’re entrusted with, and to confidently navigate an increasingly complex digital world.
To hear the full conversation, download the Shaping Stronger Security webinar on-demand. If you’d like to learn more about how to leverage Virtru to apply data-centric security across your application ecosystem, as well as gain visibility into your employees’ data sharing behaviors, contact Virtru to start the conversation.