The threat comes from insiders with privileged access, as well as outsiders who may look like insiders—the proverbial wolf in sheep’s clothing. “It’s getting harder and harder to tell the insiders from the outsiders as supply chain partners, customers, and flexible staff have greater and greater access to data for non-employees,” said Ron Faith, CEO of Datacastle.
The threat of a rogue insider “has always been present, but the amount of data that insiders have access to has only grown over time, making unintentional disclosure of sensitive information an ever-growing source of breaches,” RSA’s Sadowski agreed. “The distinction between outsider and insider threats is becoming meaningless, as the preferred method of intrusion for sophisticated threat actors is to obtain and use stolen credentials so they can appear like a legitimate insider and blend in as they work to accomplish their objectives.”
The challenge is exacerbated when employees accidentally open the door for the wolves. “Recent breaches have occurred as a result of human failure rather than technology failure because today’s hackers target people, not systems,” said UHY’s King. “Last year alone, roughly one-third of reported attacks were carried out by well-meaning employees and vendors who inadvertently circumvented their company’s cybersecurity controls. Because of this, the line between insider and outsider breaches is blurred.”
Hackers know “that entering a system with legitimate credentials is one of the best ways not to sound alarms in IT security,” Bomgar’s Elliott added. “A malicious insider is dangerous because so many companies haven’t instituted protections internally on levels of access to sensitive information. Many of the largest, most damaging data breaches in the past year have been the result of stolen and misused privileged access.”
Often, data infrastructure itself is not conducive to smarter security—“a byproduct of the way that organizations have built their data infrastructures for the last 30 years,” said Joe Pasqua, executive vice president of products for MarkLogic. Data is managed piecewise in silos, and security of each of these silos is handled independently. “Users often need to operate on data from multiple silos, which leads to pulling data from multiple systems into insecure, ungoverned environments where the data is at much greater risk,” Pasqua noted. Increasingly, organizations are also setting up data lakes, data marts, or other extracts of the data, he added, pointing out that these new environments “also don’t carry the governance or security controls from the original environment.”
Mistakes Were Made
How can enterprises ramp up their security posture? There may be too much reliance on technical fixes and not enough understanding behind the solutions. “One mistake companies are making in the area of data security is using industry-standard techniques, such as SSL and encryption, but not actually grasping the fundamentals of how that technology works,” said Michael Dean, chief technology officer at Telerx. “We have seen cases where a vendor proudly declares that values in their database are encrypted, only to discover that they left the encryption key completely unsecured. Others would secure all websites with SSL, but leave a backup of the certificate and private key in a conspicuous place. It is easy for an IT department to implement standard security protocols, but if there is not a full understanding of how the technology and its surrounding pieces work, it may be of little benefit.”
Often, businesses will throw considerable sums of money at solutions, without properly integrating them into their processes. Enterprises “have invested billions into security, but where they fail is the content to support the technology they purchase,” said Stephen Coty, chief security evangelist for Alert Logic. “This is done by not having the right expertise and knowledge of vulnerability reverse engineering and security content development.”