This article on data-centric security was originally published by Rob Sloan in the WSJ Pro Cybersecurity newsletter.
Most organizations accept it is only a matter of time before they suffer a damaging cyber attack. Businesses constantly seek to balance convenience and security, allowing the business to function while protecting critical data assets. Protecting information from remote threats is tough, but defending against internal threats can be tougher still.
Corporate security teams are fighting a losing battle by attempting to secure networks and endpoints, leading to some organizations concentrating efforts on securing the data itself, rather than infrastructure. Increasingly, businesses are exploring data-centric security approaches to allow them to lock down user authentication and access rights.
Recent insider threat examples support the need for a new approach. Edward Snowden and Chelsea Manning were both able to access and download thousands of documents. Likewise Booz Allen contractor Harold Martin, who was indicted in February for hoarding data from the National Security Agency over a 20-year period. Mr Martin’s motivations remain unclear.
The issue does not solely affect classified data though. In February, Alphabet Inc.’s autonomous vehicle unit, Waymo LLC, filed a law suit against Uber Technologies Inc., alleging the theft of trade secrets related to the lidar scanner, a radar-like device. A former engineer, Anthony Levandowski, is accused in the suit of having downloaded thousands of documents before leaving Waymo to start his own self-driving tech company, Otto, which sold to Uber only months later for $680 million. Uber has previously declined to make Mr. Levandowski available to comment on the allegations.
Insiders aren’t always motivated by ideology, personal gain, a grudge or intentions of whistleblowing. In many cases employees simply want data they created for later reference and do not see the potential for harm.
The first line of defense is policy. An employment contract should make it clear that removing data from the corporate network without permission is grounds for termination. Further, training should be provided in the correct procedure for removing corporate data in circumstances where it is deemed necessary. This ensures security in storage or transport and eventually its secure disposal.
Military network administrators often disable USB ports, thereby thwarting attempts to download data to removable media. Blocking access to webmail accounts and online storage sites similarly makes data theft harder. While these steps may cause unnecessary disruption in most businesses, they may be appropriate in some parts of the network where particularly sensitive data is created or stored.
Ajay Arora, chief executive of data security company Vera, says the theft of company data is nothing new: “IP theft has been going on for decades” but he adds “downloading thousands of documents nowadays is pretty brazen given the digital footprint is easy to trace back to an individual”.
Solutions like the platform Vera allow data to be encrypted at the point of creation and have access rights assigned to it. Those rights can be changed at any time to block an individual’s access, even after data has left the organization.
Mr. Arora says: “We often see employees downloading information prior to resignation because they realize they will be under greater scrutiny from the point at which they resign.” Monitoring a user after their resignation may be too late to prevent the download, but according to Mr. Arora, a data-centric solution allows access to be revoked “to all the files the individual had access to regardless of whether the data is still on the network or on their personal laptop.”
Mr. Arora has noticed an increase in preparedness: “Organizations are becoming more proactive and not waiting until a breach happens.” He added: “The CEO doesn’t want to be the guy in front of the board having to account for why the company had no protections in place. Five years ago that wasn’t the case.”
It is almost impossible to combat employees printing out documents or taking photographs of data on the screen, and no control can stop an employee leaving with knowledge in their head. However, organizations can significantly reduce the risk of massive data loss caused by employees with the right blend of policy, training, proactive monitoring and software solutions.
Rob Sloan is cybersecurity research director at WSJ Pro. Previously, Rob has worked as response director for a specialist IT security consultancy in London and built a team focused on detecting, investigating and protecting against cyber intrusions and responding to incidents, especially state-sponsored attacks. Rob started his career working for the U.K. government, looking at some of the earliest cyberattacks against the critical national infrastructure. Rob’s main interest is the requirements, motivations and technical capabilities of threat actors.