The Connection Between Insider Threat and Data Loss Prevention


Most enterprises rely on Data Loss Prevention (DLP) solutions to secure information, but they still can’t keep data from leaving the company. That’s because the solutions can’t properly monitor the digital activities of employees, privileged administrators and third-party users – insiders who all have access to critical data.

In this blog – the first in a three-part series that examines insider threat and the tools that can be used to stop it – we’ll look at the connection between the threats posed by insiders and data loss.

It’s not surprising that people are involved in 90% of security incidents, according to the CERT Insider Threat Center. Organizations are recognizing this and, in an attempt to reduce the risk, many have implemented traditional Data Loss Prevention (DLP) solutions that monitor communication channels (ports, protocols or storage locations) and prevent certain data from leaving the corporate perimeter based on pre-defined rules. For example, DLP could be configured to automatically remove or quarantine a spreadsheet saved to a file server if it contains PII or financial data.

While DLP aims to prevent data loss, it hasn’t been particularly effective at monitoring modern cloud applications, which widen access to sensitive information in order to boost worker productivity. Nor can DLP distinguish inappropriate user behavior from legitimate user activity.

In addition, it’s become nearly impossible to maintain meaningful restrictions at the network level on what information should be leaving a company, because DLP solutions make their decisions without business context. As a result, most DLP deployments barely restrict data from leaving at all, out of a general fear of slowing down employee productivity.

Because DLP sits far from where data is created (the applications), it often lacks the context and the understanding of the user’s intention needed to make a reliable decision – for example, whether a certain file should be quarantined or allowed. This lack of understanding usually hurts productivity, as employees are left unable to access the information they need to perform their job duties. Leaving the task of protecting your most valuable asset, your data, up to your employees is not a very smart move, either.

While some DLP solutions have adopted techniques such as sanitization and the full extraction of Social Security numbers and other sensitive data, they nonetheless require a significant amount of dedicated staff time to continuously fine-tune rules and review alerts on a case-by-case basis. This fine-tuning can sometimes be as simple as reviewing content that has been held back from leaving.

Often in those instances, even when an end user requests that the full content be released in an email, someone else needs to evaluate why the user needs access in the first place. An example would be a human resources administrator sending an email with a PDF attachment to a new healthcare company. The PDF lists the plans employees intend to enroll in, but also the Personally Identifiable Information (PII) of those employees – such as Social Security numbers – that is needed to set up the plan.

When you factor in the imperfect micro-decisions that determine whether information should be sent, it’s not surprising that company data loss is at an all-time high. In fact, two out of three security incidents involve insiders, according to recent Ponemon Institute research. With so many users requiring regular access to sensitive data, and companies needing to share information to maintain business continuity, massive amounts of sensitive data repeatedly bypass the DLP security layer, leaving enterprises operating under a false sense of security.

To effectively stop sensitive data from leaving a company, it’s critical to detect early indicators of risk and inappropriate insider behavior – actions such as employees talking to competitors or using co-worker logins.

Because DLP solutions aren’t looking for anomalous changes in user behavior that could signal an attempt to bypass security or steal sensitive data, they are left making on-the-fly calls at the network level, with no business context, as to whether or not data should be sent.

In the next blog, we’ll look at how the Insider Threat Chain serves as a roadmap that organizations can use to monitor risk and potential fraud and theft.
