The show floor at RSA was buzzing with discussion of attacks against critical infrastructure and state-sponsored attacks – the words hacktivist and A.P.T. were uttered frequently. But, while cyber-espionage was making headlines from the show, Symantec took the opportunity to survey information security pros on insider issues related to data access and mobility. The findings show that although 76 percent of businesses saw cyberattacks in the past year, increased use of mobile devices is making the insider threat more relevant than ever before.
It should come as no surprise that the top three motivators for the move to mobility are: business drivers, user demand and financial savings. And, the top risks for employee-owned devices aren’t surprising either:
- Data leakage (i.e., data taken out of company by employees via mobile)
- Theft or accidental loss of valuable or sensitive information
- Unauthorized network or application access from mobile devices
Overall, security pros are pretty realistic about mobility, with nearly half saying the benefits outweigh the risks and challenges. No one would dispute that employees agree on this point.
Recent end-user research on these issues found that 62 percent of employees think it’s okay to transfer work documents to personal devices (tablet, smartphone, laptop) and Internet file sharing services. They do this regularly. And, you can’t really blame them because they’re just looking to do their jobs efficiently. But, they also never clean up the data they transfer out, making it a prime candidate for data spills/leakage – the top risk according to information security teams.
The good news is that results from the survey at the 2013 RSA Conference indicate Infosec has high awareness of employees transferring work documents outside the business – a nearly equal 63 percent of Infosec respondents say employees think it’s okay to do so.
But, are security pros putting too much trust in employees to do the right thing? Sixty percent of Infosec respondents say that most employees in their organization are cautious in the use and handling of sensitive or confidential information. Only 43 percent of employees say this is so. We also found a significant disconnect when it comes to consequences for taking sensitive information against policy. Fifty-three percent of employees say their organization takes NO action when employees remove sensitive information that is against policy. But, ask Infosec the same question and 74 percent say they do.
What it comes down to is not only are employees comfortable tossing corporate data onto personal devices and cloud services, but they also think their organizations don’t care and aren’t going to do anything about it.
When half of employees will happily take your corporate data when they quit their job, information security teams need to pay as much attention to the insider threat as they do to outside attackers. When unmanaged, the productivity benefits of all those employee-owned mobile devices make it that much easier for insiders to walk out the door with your data, permanently.
Symantec recommends organizations consider these best practices to enable mobility, while mitigating the risks posed by insiders:
- Being cautious about mobility is okay; being resistant is not. Start embracing it. Organizations should take a proactive approach and carefully plan an effective mobile implementation strategy.
- Implement policies restricting how employees can access and share sensitive data. Developing and maintaining simple policies can be a powerful step to safeguard corporate data. Make sure employees are aware that policy violations will be enforced and that theft of company information will have negative consequences to them and their future employer.
- Understand that all data is not equal. For organizations looking for a route map to get them across the minefield that is the future of IT, understanding data, its importance and its risks is a good place to start.
- Educate employees. Organizations need to let their employees know that taking confidential information is wrong. IP theft awareness should be integral to security awareness training. By maintaining oversight, you can ensure employees know how and when to use mobile devices and cloud services efficiently and securely.
- Implement monitoring technology. Support education and policy initiatives by using monitoring technology to gain insight into what IP is leaving your organization and how to prevent it from escaping your network. Deploy data loss prevention software to automatically notify managers and employees in real time when sensitive information is inappropriately sent, copied or otherwise exposed, which increases security awareness and deters theft.
To learn more about the findings from Symantec’s survey at the 2013 RSA Conference, visit: http://bit.ly/Y94d0T