
Cyber Matters: Countering Insiders with Data-Centric Security

  • April 24, 2017
  • Ajay Arora

This article on data-centric security was originally published by Rob Sloan in the WSJ Pro Cybersecurity newsletter.

Most organizations accept it is only a matter of time before they suffer a damaging cyber attack. Businesses constantly seek to balance convenience and security, allowing the business to function while protecting critical data assets. Protecting information from remote threats is tough, but defending against internal threats can be tougher still.

Corporate security teams are fighting a losing battle by attempting to secure networks and endpoints, which has led some organizations to concentrate their efforts on securing the data itself rather than the infrastructure. Increasingly, businesses are exploring data-centric security approaches that allow them to lock down user authentication and access rights.

Recent insider threat examples support the need for a new approach. Edward Snowden and Chelsea Manning were both able to access and download thousands of documents. Likewise, Booz Allen contractor Harold Martin was indicted in February for hoarding data from the National Security Agency over a 20-year period. Mr. Martin’s motivations remain unclear.

The issue does not solely affect classified data, though. In February, Alphabet Inc.’s autonomous vehicle unit, Waymo LLC, filed a lawsuit against Uber Technologies Inc., alleging the theft of trade secrets related to the lidar scanner, a radar-like device. A former engineer, Anthony Levandowski, is accused in the suit of having downloaded thousands of documents before leaving Waymo to start his own self-driving tech company, Otto, which sold to Uber only months later for $680 million. Uber has previously declined to make Mr. Levandowski available to comment on the allegations.

Insiders aren’t always motivated by ideology, personal gain, a grudge or intentions of whistleblowing. In many cases employees simply want data they created for later reference and do not see the potential for harm.

The first line of defense is policy. An employment contract should make it clear that removing data from the corporate network without permission is grounds for termination. Further, training should be provided in the correct procedure for removing corporate data in circumstances where it is deemed necessary. This ensures the data's security in storage or transport and, eventually, its secure disposal.

Military network administrators often disable USB ports, thereby thwarting attempts to download data to removable media. Blocking access to webmail accounts and online storage sites similarly makes data theft harder. While these steps may cause unnecessary disruption in most businesses, they may be appropriate in some parts of the network where particularly sensitive data is created or stored.

Ajay Arora, chief executive of data security company Vera, says the theft of company data is nothing new: “IP theft has been going on for decades,” but he adds, “downloading thousands of documents nowadays is pretty brazen given the digital footprint is easy to trace back to an individual.”

Solutions like the Vera platform allow data to be encrypted at the point of creation and have access rights assigned to it. Those rights can be changed at any time to block an individual’s access, even after data has left the organization.

Mr. Arora says: “We often see employees downloading information prior to resignation because they realize they will be under greater scrutiny from the point at which they resign.” Monitoring a user after their resignation may be too late to prevent the download, but according to Mr. Arora, a data-centric solution allows access to be revoked “to all the files the individual had access to regardless of whether the data is still on the network or on their personal laptop.”

Mr. Arora has noticed an increase in preparedness: “Organizations are becoming more proactive and not waiting until a breach happens.” He added: “The CEO doesn’t want to be the guy in front of the board having to account for why the company had no protections in place. Five years ago that wasn’t the case.”

It is almost impossible to combat employees printing out documents or taking photographs of data on the screen, and no control can stop an employee leaving with knowledge in their head. However, organizations can significantly reduce the risk of massive data loss caused by employees with the right blend of policy, training, proactive monitoring and software solutions.

Rob Sloan is cybersecurity research director at WSJ Pro. Previously, Rob has worked as response director for a specialist IT security consultancy in London and built a team focused on detecting, investigating and protecting against cyber intrusions and responding to incidents, especially state-sponsored attacks. Rob started his career working for the U.K. government, looking at some of the earliest cyberattacks against the critical national infrastructure. Rob’s main interest is the requirements, motivations and technical capabilities of threat actors.
