Don’t Be A Creeper: Benefits Of Data Loss Protection Prevent Data Access Creep
Ensuring Your Organization’s Data Remains When Employees Leave The Business
Last year, 40 million people changed jobs, and survey results found that 60% of them admitted to taking data with them when they left. 90% of these insider threats go undetected for months; by the time companies find out about them, the damage is done.
Cyber Security Hub hosted a webinar with a pair of security leaders to share their perspective on managing the risk for enterprise data loss: Dr. Rebecca Wynn, a CISO in Information Technology and Michelle Killian, Director of Information Security for Code42.
Having led security teams and strategy in several industries, Rebecca shared her professional opinion that when an employee leaves, data loss occurs no matter how large or small the organization. The risk of data loss can come from anywhere: an employee in any department, a contractor, an intern, a C-level executive, a board member, a third-party vendor or even a guest. The type of data can also be anything: a customer list, an employee list, finance and budget information, upcoming news releases, source code, database schemas, policies and procedures, and risk assessments. Often it is not understood that even the template used to capture information may be deemed proprietary to the organization.
Rebecca said it is important that policies, procedures and training about what can be taken from an organization are communicated consistently. Similarly, the organization’s response when information is taken has to be consistent. Technical tools are also needed to track information and its movement, both inside the organization and through third-party services.
Code42 was quick to recognize the scope of this data loss issue. It found that the primary cause of data loss was not malicious user activity but a lack of awareness and education across the workforce. Michelle characterized the challenge as making ownership clear throughout the organization. She used the example of sales data and how the perception of its ownership has changed over time.
As recently as 10 years ago, salespeople were hired for their extensive relationships and the number of business cards in their Rolodex. That was the starting point for building prospects, and when the employee left the company, the Rolodex left with them as their property. Now, in a world of CRM and electronic databases, the salesperson still curates that contact database, but it is merged with additional data fields and notes on pricing, negotiations and contractual terms and conditions. The company would never consider letting the salesperson leave with this type of data; however, was that expectation consistently communicated to the employee? There are a lot of grey areas when dealing with insider threat.
Once the risk of data loss has been identified, which parts of the organization are responsible for ensuring that data does not leave? Avoid confrontations and “shaking down” employees on their way out, in favor of establishing partnerships between security and other stakeholders.
Legal, compliance and HR are examples of key stakeholders worth partnering with on the data loss challenge, said Dr. Wynn. Spikes in data loss occur anywhere from a month before an employee departs to two weeks afterwards. When the off-boarding checklist is being followed, ask the departing employee to sign off one more time on disclosures and sensitive data, and offer an easy path for the employee to return data that was inadvertently taken.
Traditional data loss prevention tools restrict known formats, such as credit card or Social Security numbers, said Killian. Find ways to let users ask the question (“Can this go with me?”) rather than trying to catch people out. Self-reporting removes a lot of the friction associated with employment separation.
The definition of sensitive data should be set down and reviewed frequently. Where contacts drawn from social and professional networks are part of the organization’s business, the ownership and legal status of that data should also be considered. Visibility becomes essential, said Killian, and that visibility needs to cover the present as well as the past.
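The departure window Dr. Wynn describes (roughly a month before the last day through two weeks after it) is something a security team can turn into a detection rule once HR shares last working days. The following is an added example written for this page, not tooling from the webinar or from Code42: it joins a constructed HR feed to a constructed file-movement log and flags every event by a departing user that falls inside that window. The 30-day and 14-day bounds, the log format, and all user names are assumptions made for the illustration.

```python
from datetime import date, datetime, timedelta

# Window taken from the speakers' observation: a month before the last day
# through two weeks after it. 30 and 14 days are my approximation.
WINDOW_BEFORE = timedelta(days=30)
WINDOW_AFTER = timedelta(days=14)

# Constructed HR feed: user -> last working day, as notified by HR.
DEPARTURES = {
    "dana": date(2024, 5, 31),
    "evan": date(2024, 6, 14),
}

# Constructed file-movement log: timestamp, user, action, destination, bytes.
LOG = """\
2024-04-15T09:12:00 dana upload personal-cloud 120000000
2024-05-02T18:40:11 dana usb-copy removable-drive 2400000000
2024-05-20T11:05:09 frank upload corp-sharepoint 5000000
2024-06-10T22:13:45 dana upload personal-email 35000000
2024-06-12T13:30:00 evan usb-copy removable-drive 800000000
2024-06-20T08:00:00 dana upload personal-cloud 1000
"""


def parse_log(text):
    """Parse the constructed whitespace-separated log into event tuples."""
    events = []
    for line in text.splitlines():
        ts, user, action, dest, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, action, dest, int(nbytes)))
    return events


def departure_window(last_day):
    """Inclusive datetime bounds of the risk window around a last working day."""
    start = datetime.combine(last_day, datetime.min.time()) - WINDOW_BEFORE
    end = datetime.combine(last_day, datetime.max.time()) + WINDOW_AFTER
    return start, end


def flag_departure_activity(events, departures):
    """Return events by departing users that fall inside their risk window.
    The last field marks activity after the last working day; that also
    means the account was still usable, so off-boarding was incomplete."""
    flagged = []
    for dt, user, action, dest, nbytes in events:
        last_day = departures.get(user)
        if last_day is None:
            continue  # not a known leaver; out of scope for this rule
        start, end = departure_window(last_day)
        if start <= dt <= end:
            flagged.append((user, dt.date().isoformat(), action, dest, nbytes,
                            dt.date() > last_day))
    return flagged


def run():
    return flag_departure_activity(parse_log(LOG), DEPARTURES)


if __name__ == "__main__":
    for row in run():
        print(row)
```

In the sample, dana's April upload is outside the window and is not flagged, while the USB copy in May, the post-departure upload to personal email (account still live ten days after the last day) and evan's USB copy are. Feeding the rule from HR data rather than from a manager's memory is what makes the "month before" half of the window usable at all.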
Employees with the longest tenure or the most senior titles should not necessarily have the most data access. The speakers recommended authorizing data access at the onset of a project to only the necessary personnel. At the project’s conclusion or when resources change, permissions to access data should be adjusted accordingly.
Companies often have access creep, and Rebecca said that she tells people, “don’t be a creeper.” The workforce is thinking about how to get the job done; they are not thinking about permissions or who might be compromised. Even a change in roles should trigger a return to a baseline of access. Data loss most often comes from what workers have access to, so “visibility remains crucial,” noted Michelle Killian.
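The two preceding paragraphs describe a review that can be run mechanically: compare every current grant against the least-privilege baseline for the holder's current role, and treat project grants as expiring with the project. The following is an added example written for this page (not the speakers' or Code42's tooling). The role baselines, the project end date, the review date and the access inventory are all constructed sample data.

```python
from datetime import date

# Hypothetical least-privilege baseline: the data sets each role needs.
ROLE_BASELINE = {
    "sales": {"crm"},
    "finance": {"budget", "ledger"},
    "engineering": {"source", "db_schema"},
}

# Hypothetical time-boxed project grants: data set -> project end date.
PROJECT_GRANTS = {"m_and_a_dataroom": date(2023, 3, 31)}

REVIEW_DATE = date(2023, 6, 1)  # constructed date of this access review

# Constructed access inventory:
# (user, current role, previous role or None, data set, date granted)
INVENTORY = [
    ("alice", "finance", "sales", "crm", date(2021, 6, 1)),
    ("alice", "finance", "sales", "budget", date(2023, 1, 15)),
    ("alice", "finance", "sales", "ledger", date(2023, 1, 15)),
    ("bob", "engineering", None, "source", date(2022, 2, 1)),
    ("bob", "engineering", None, "m_and_a_dataroom", date(2023, 1, 10)),
    ("carol", "sales", None, "crm", date(2022, 9, 1)),
    ("carol", "sales", None, "db_schema", date(2022, 9, 1)),
]


def review_access(inventory, baselines, project_grants, today):
    """Return (user, data set, reason) for every grant outside the user's
    current-role baseline or past its project's end date."""
    findings = []
    for user, role, prev_role, dataset, granted_on in inventory:
        held = (today - granted_on).days
        if dataset in project_grants:
            end = project_grants[dataset]
            if today > end:
                findings.append((user, dataset, f"project ended {end}; revoke"))
            continue
        if dataset in baselines.get(role, set()):
            continue  # within the least-privilege baseline for the role
        if prev_role and dataset in baselines.get(prev_role, set()):
            # Access creep from a role change: never reset to the new baseline.
            reason = (f"carried over from previous role {prev_role}, held {held} days; "
                      f"reset to {role} baseline")
        else:
            reason = f"not in {role} baseline, held {held} days; justify or revoke"
        findings.append((user, dataset, reason))
    return findings


def run_review():
    return review_access(INVENTORY, ROLE_BASELINE, PROJECT_GRANTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, dataset, reason in run_review():
        print(f"{user:6} {dataset:18} {reason}")
```

The review turns up exactly the three cases the speakers warn about: alice moved from sales to finance and kept CRM access, bob's data-room grant outlived its project, and carol holds a data set no sales baseline justifies. Running this on every role change and project close, not just annually, is what keeps the baseline meaningful.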
A question was asked about the difference between data loss prevention and data loss protection. The traditional data loss prevention approach has focused on “stopping the bad thing from happening,” said Code42’s Killian: the detection of known data structures, such as Social Security and credit card numbers. Data loss protection is having visibility into where the data lives, who has access to it, and where it is going.
Data loss protection starts with defining the types of information the organization deems sensitive. Identifying partners and internal stakeholders avoids the situation where security is viewed as the Big Bad Wolf policing data leakage. Effective communication with the workforce and restricting access to data help mitigate the risk to the organization and remind everyone: “don’t be a creeper.”
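To make Killian's distinction concrete, the following is an added example written for this page (not Code42's product logic) of the "known data structure" detection that traditional DLP performs. It matches U.S. Social Security numbers and payment card numbers in text, filtering the card candidates with the Luhn checksum and the SSNs with the Social Security Administration's structural rules so that obvious non-numbers are not flagged. The two sample documents are constructed; the point of the second one is that a customer list carrying none of those formats passes through unflagged, which is the gap data loss protection's visibility is meant to close.

```python
import re

# Candidate patterns for the two "known formats" the speakers mention.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; cuts random-digit false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area not 000, 666 or 900-999; group not 00; serial not 0000."""
    a = int(area)
    return a != 0 and a != 666 and a < 900 and int(group) != 0 and int(serial) != 0


def find_known_formats(text: str):
    """Return (kind, matched_text) for every plausible SSN or card number in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", m.group(0)))
    return hits


# Constructed sample documents. 4111 1111 1111 1111 is the standard test card
# number; the SSN is the usual placeholder, not a real person's.
EXPENSE_NOTE = ("Reimburse card 4111 1111 1111 1111; the card 4111 1111 1111 1112 "
                "on the form is a typo. Employee SSN 123-45-6789, placeholder 000-12-3456.")
CUSTOMER_LIST = ("Acme Corp, Jane Roe, renewal 2025-03, discount 18%, note: churn risk, "
                 "contact jroe@acme.example")


def scan_samples():
    return find_known_formats(EXPENSE_NOTE), find_known_formats(CUSTOMER_LIST)


if __name__ == "__main__":
    expense_hits, customer_hits = scan_samples()
    print("expense note:", expense_hits)
    print("customer list:", customer_hits)
```

The expense note yields one SSN and one card number (the mistyped card fails Luhn, the 000 area code fails the SSA rule), while the customer list yields nothing at all, even though it is exactly the kind of data the sales example earlier in the article says the company would never want walking out the door.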
View the complete webinar on-demand: Preventing Enterprise Data Theft From Departing Employees