Code42 pulled some anonymized, aggregated data from Incydr, a SaaS data risk detection and response solution, showing how users move and exfiltrate data and files. The most exposed type? Business documents – the focus of some recent high profile news such as Ticketmaster.
In the month of November, a total of 144M file exposure events occurred across 185K endpoints. While this is a significant number, it is only 2.4% of the total file events (files created, modified, deleted, shared to trusted domains) that occurred in the month. Key findings include:
- On average an employee exposed 22 files per day in the month of November
- Specific files that were exposed most often: 33% business docs; 5% source code; 4% zip files
- Weekend file exposures took off – Q4 2020 saw an average 17.8% of data exposure occurrence on the weekends (reaching a new high around Thanksgiving)
Email and removable media remain common sources of data exfiltration, says Code42, but the cloud era has opened the door to countless cloud services, browsers and other applications like AirDrop, WhatsApp, Slack, WeChat and more. While the exposure vectors are vast, the most pervasive exfiltration vectors identified in the month of November were:
- 50% removable media, up significantly from 33% in October
- 41% synced to a cloud service
- 6% read by browser or other application
- 2% shared outside of trusted domains
- 1% links were made publicly available in the cloud
It is crucial to understand exactly what data is exposed – that is the pinnacle to managing insider risk. To get some insight on this issue, Security magazine spoke to CEO of Code42, Joe Payne:
Security magazine: What strategies should security leaders put in place to protect against this type of data exposure?
Payne: Many security teams are still too reliant on traditional DLP and blocking strategies, which can frustrate employees and ultimately impact productivity. In fact, our recent research shows that 51% of employees complain that their legitimate file sharing activities are mistakenly blocked on a weekly or even daily basis. Disrupting employees’ work and productivity by using traditional DLP simply doesn't align with my goals as a CEO and doesn't work for today’s remote, distributed workforce. To limit insider risk, security teams need to adopt the three T’s of an Insider Risk Management (IRM) program – transparency, training and technology.
First, be transparent. Tell your employees you have an Insider Risk Management (IRM) program, that you’ll be offering regular training and using technology to keep company data and employees safe. Being transparent is a critical deterrent in an IRM program.
Next is training and awareness. It’s up to leadership to adopt policies and procedures to embrace collaboration long term and then train employees how to keep data secure in your environment. In research we published in February 2020, 36% of employees told us they are more complacent about data security practices due to the increased emphasis on collaboration. Don’t let your guard down. Employees must be up to speed and well-equipped to deal with the risks they both inadvertently create and are confronted with every day. With widely distributed workforces, be sure to include tips on securing home networks, what to do during application outages and how not to fall victim to phishing emails. Employees also need to be trained on what work-product belongs to the organization and what work-product employees are allowed to keep for personal use.
The final “T” in an IRM program is technology. The collaborative way we work today requires monitoring all data, vectors and users moving throughout the organization so insider risk events can be prioritized and response can be proactive, automated and right-sized based on the severity of risk. Instead of focusing on blocking employees’ collaboration activities, an IRM approach promises that organizations don’t have to compromise the speed of their innovation nor the safety of their data.
A bulk of today’s file collaboration and sharing happens within business documents. Telemetry data showed that in November 2020, 33% of file exposures happened across business documents. Business documents are innocuous, right? Not necessarily. The contents of business documents can hold incredibly important data, like passwords, customer lists, IP, source code, etc. Rather than being ignorant to the data exposure and contents of files, with proper investment in IRM technologies, you can gain needed visibility of file contents to investigate and respond appropriately to file exposure events based on the severity of Insider Risk.
Security magazine: In 2021, with remote work still in place, do you expect the insider risk to grow?
Payne: In short, the answer is yes. A remote, collaborating, off-network workforce creates a perfect storm for data leaks from insiders. According to our recent Data Exposure Report, 63% of IT security leaders say remote workforces pose a greater risk to data for these top four reasons: home networks are less secure; employees do not follow security protocols as closely as they do when they’re in the office; employees are likely to use personal rather than corporate devices; and employees believe their organization is not monitoring file movements. What’s more, IT security leaders themselves believe Insider Risks will only continue to grow – 59% expect Insider Risks to increase in the next two years, due to users having access to files they shouldn’t, employees’ preference to work how they want regardless of security protocols and the continuation of remote work.
Insider Risk is not a new threat vector, but COVID-19 exacerbated the issue. Remote work is not a new way to work, but COVID destigmatized and normalized it. With some form of WFH here to stay and rising employee burnout rates, employees are 85% more likely to leak sensitive files now than they were before COVID (28% pre-COVID to 52% today). Despite this outlook, our study also shows that more than half of organizations don’t have an insider risk response plan in place. It’s critical that organizations act now to protect their data with an Insider Risk Management program before complacency puts their business at unnecessary risk.