While threats to data security and privacy are often perceived to come from the outside, all signs point to internal threats being just as dangerous, intentional or not.
Forrester recently released its Understand the State of Data Security and Privacy report, which offered insight on the reasons behind data breaches, with internal threats emerging as the leading cause. The survey -- which featured respondents from Canada, France, Germany, the UK, and the US from SMB and enterprise companies with two or more employees -- also covered other topics, including how security budgets are being allocated and the changing landscape of security teams' responsibilities.
According to Forrester's research, insiders take the cake as the top source of breaches in the last 12 months, with 36 percent of breaches stemming from inadvertent misuse of data by employees. Obviously, the issue here is ignorance; the study's numbers indicate that only 42 percent of the North American and European SMB workforce surveyed had received training on how to remain secure at work, while only 57 percent say that they're even aware of their organization's current security policies.
"People don't know what they don't know," said Heidi Shey, a Forrester analyst and the author of the report. "You've got to give them some kind of guidance and guard rails to work with."
It's also important, however, that the enterprise has some amount of visibility to what's happening on its networks, given that 25 percent of respondents said that abuse by a malicious insider was the most common way in which a breach occurred in the past year. While a lot of security focus is on looking outwards and what's coming in, said Shey, there also needs to be some attention being paid to looking inwards and seeing what's going on within the company and what's going out.
There could be, for example, someone who has employee level access to segments of the network so everything they do looks like employee activity. As such, companies often aren't looking at something like that even though it could be suspicious.
"Security teams need to look at this and ask, is this normal? Is this a normal pattern? Is this what the typical employee does as part of their work, or is this behavior out of the ordinary?" said Shey. "Spotting these kinds of patterns is one way to address that issue."
Of course, implementing the means to track this kind of behavior is often easier said than done. While the survey results indicated that 17 percent of the collective security budgets of the respondents was going towards data security (the second highest allotment behind network security at 21 percent), that doesn't mean as much if the budgets themselves are light on funds in the first place. As such, how exactly these companies choose to invest in data security solutions is important.
Often, companies take their budgets and only (or mostly) invest in technology and expect it to do the rest of the work for them, explained Shey. They're not investing in the front end, like internal processes or policies, that aren't necessarily technology. Some of these solutions need to be fine-tuned or fixed so they look for exactly what the company wants.
"Until they get their house in order on the front end, anything they throw on the other side is not as effective as they would have hoped or expected it to be," said Shey. "If you don't know what your data is or what you need to protect, you can't do much to protect it properly."
Since some of the solutions, like data leak prevention (DLP), are not a silver bullet, Shey recommended a more holistic approach to security by using a data control framework. Things like DLP and encryption are useful for data protection, she said, but they're very tactical. "You need to be more strategic on a higher level," she said. "That's where this kind of framework comes in."
The framework is split up into three parts, the first of which involves a company defining its data, the very thing it wishes to protect. So aspects like data discovery, classifications, and determining what exactly the company values all come into play here.
Then companies need to dissect their data. Companies typically have traditional reporting tools, said Shey, which tell them about alerts and events. They can then analyze this data and see what information they can glean about visibility, their environment, and what exactly is going on in that environment. They can also look at data flows to see where it goes and how it's being used. By looking at their security data and info about their data, companies can determine the requirements that need to be put on the type of data they're handling.
The final part of the framework is, of course, defending. Defending and inspecting access controls, proper data disposal (getting rid of data that is no longer needed, as it could be a liability), and killing or encrypting data are all imperative in carrying out the last step of the data control framework.
"The framework is a way we found to be really helpful with enterprise clients," said Shey. "It's a good way to think about this whole big picture view on how to handle and treat data in the enterprise."
Security teams are beginning to take on more responsibility, too. When it comes to privacy, security is only one aspect of the larger picture and as such, IT security groups generally are not the only ones involved. The survey results, however, indicated that 30 percent of the respondents' security teams were "fully responsible" for privacy and regulations, with the most frequent answer being that security is "mostly responsible" at 34 percent.
This contrasts with 2012, when responsibility for privacy and regulation appeared to be shifting towards a dedicated privacy officer. The changes in 2013 may not necessarily be a beneficial change either, however, as privacy programs should first mature and security teams could get overloaded with the extra responsibility.
"With data security, people think of it as a technical thing," said Shey. "But with privacy, there are a lot more cooks in the kitchen. Because of that, you'll see a greater variation in the proportion of folks."
Shey went on to give examples of other involved parties, including those in a company's legal department, given the risk in compliance. There are also, as previously mentioned, dedicated privacy groups and privacy functions at a company, but this may not always be the case.
"A lot organizations haven't invested in a dedicated privacy group or function," said Shey. "So instead there are often IT teams with legal or risk and compliance groups that have more privacy responsibility. It's an extra role on top of security."
That said, security and privacy go hand in hand. Privacy is more the regulatory side of things, while security is the enforcer side of it; security ensures that the measures that are in place are actually supporting the privacy initiatives and policies. Shey points out that while it's good to see that companies are caring more about privacy, they may realize going forward that they should have a dedicated group."
"It shouldn't be an add-on on top of what a security group is already doing," said Shey. "The security group should be involved, but they don't need to be the ones leading privacy efforts."