Data protection is an important consideration for any enterprise. The simplest reason for this is that lost data could mean embarrassment for the company or having to scrap an R&D project – which would most likely affect bonuses. Many organizations live or die by the sensitive data in their possession and need to take the necessary steps to protect it.
With the emergence of new data security and privacy regulations like the EU’s General Data Protection Regulation (GDPR), the stakes are higher. GDPR protects your customers’ personal data (if they’re EU citizens) and has a pretty wide definition of what “personal data” means. Exposure of any Personally Identifiable Information (PII) that would allow a customer to be uniquely identified counts as a breach.
And breaches are expensive under GDPR. You’re looking at up to 4% of global revenue or €20 million, whichever is higher (not to mention civil or criminal charges). Smaller mistakes can carry smaller penalties. Forgot to maintain a critical record? Losing 2% of global revenue may help your memory in the future.
Most organizations’ cybersecurity defense strategy is focused on intentional breaches. Most hackers are outside the organization and are trying to break in. Perimeter-focused defenses like a firewall are great for dealing with this since they are designed to keep the threat outside of the organization’s “walls”.
But what about data breaches that originate inside the organization? One potential threat is a malicious insider, where a disgruntled employee or infiltrator sabotages the organization. However, most organizations (hopefully) don’t have to deal with this. A significant (and more common) threat is the data breach caused accidentally by an employee.
The Accidental Data Breach
When talking about data breaches, most people think of a hacker breaking into an organization, stealing data and releasing it on the Internet. However, the key part of that scenario is the fact that the sensitive data gets out to the public. It doesn’t matter if the reason is a hacker breaking in or an employee leaving the data somewhere where it could be publicly accessed or stolen.
Unfortunately, employee-caused data breaches are a significant and common threat to organizations. A study found that 47% of companies have experienced an employee-caused data breach. Since most security is designed to separate “inside” from “outside” and employees are already “inside”, these types of breaches are more difficult to defend against.
Accidental breaches can happen in a variety of different ways. One of the most common is spear phishing attacks. If an employee receives a phishing email pretending to be from the CEO and believes that it’s authentic, they’re probably going to do whatever the email tells them to do (or risk being fired). These emails could request payment of a fake invoice, ask for sensitive customer data, or try to collect internal sensitive information (trade secrets, employee W-2s, etc.). These Business Email Compromise (BEC) attacks are a significant threat to organizations. The FBI estimates that the cost of BEC attacks between October 2013 and July 2018 was $12.5 billion and is still growing.
Role Separation and Need to Know
When dealing with the potential for an accidental data breach, the best approach is to manage your organization’s threat surface. Perimeter-based defenses like Data Loss Prevention (DLP) can help detect and prevent some types of accidental leakage but not others. Carrying data out on a USB drive and losing it isn’t something that perimeter-based defenses can catch (but it can certainly hurt your business). The best way to limit your organization’s risk of an accidental breach of sensitive data is to limit the amount of access and control that any single employee has over the data. This is where “need to know” and role separation come in.
Need to know is pretty self-explanatory. If an individual doesn’t have a legitimate business need to access certain data, they shouldn’t have access to it. You can’t breach sensitive data that you don’t have. Access control policies can be easily managed and enforced by software, allowing access to be given or denied as situations change.
Role separation prevents an individual from taking potentially dangerous actions on their own. For example, the ability to access employee tax information like W-2s (which can be extremely valuable to an attacker) may require the approval of two employees in the Human Resources department. As a result, it would be more difficult for an attacker to pull off a successful phishing attack since they would be required to fool at least two employees in the organization.
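The two controls described above, need to know and role separation, can be expressed in a small policy engine. The following is an added illustration, not code from the original article; the roles, resources and the rule that W-2 access needs a second, distinct HR approver are constructed to match the example in the text.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample policy: each role may see only the data it has a business need for.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "engineer": {"design_docs"},
    "finance": {"invoices"},
    "hr": {"employee_records", "w2_forms"},
}

# Role separation: reading these resources needs a second approver holding the given role.
DUAL_CONTROL: Dict[str, str] = {"w2_forms": "hr"}


@dataclass(frozen=True)
class User:
    name: str
    role: str


@dataclass(frozen=True)
class Decision:
    granted: bool
    reason: str


@dataclass
class AccessController:
    audit_log: List[str] = field(default_factory=list)

    def has_need_to_know(self, user: User, resource: str) -> bool:
        # Need to know: a role that is not mapped to the resource never sees it.
        return resource in ROLE_PERMISSIONS.get(user.role, set())

    def request(self, requester: User, resource: str,
                approver: Optional[User] = None) -> Decision:
        decision = self._evaluate(requester, resource, approver)
        # Every decision, granted or not, is recorded so a lone request for W-2s stays visible.
        self.audit_log.append(f"{requester.name} -> {resource}: {decision.reason}")
        return decision

    def _evaluate(self, requester: User, resource: str, approver: Optional[User]) -> Decision:
        if not self.has_need_to_know(requester, resource):
            return Decision(False, "denied: no need to know")
        required_role = DUAL_CONTROL.get(resource)
        if required_role is None:
            return Decision(True, "granted: single-person access")
        if approver is None or approver.role != required_role:
            return Decision(False, f"denied: needs a second approver with role {required_role}")
        if approver == requester:
            return Decision(False, "denied: self-approval does not satisfy role separation")
        return Decision(True, f"granted: approved by {approver.name}")
```

A phished HR employee acting alone gets a logged denial rather than the W-2 data, which is exactly the property the paragraph above relies on.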
Preventing Accidental Breaches
The threat of a potential data breach is a significant one for any organization that stores, processes, or transmits sensitive data. Regulatory bodies like the EU have demonstrated that they’re focused on ensuring the privacy of the consumer and more than willing to bring down the hammer on anyone who doesn’t want to play ball.
When dealing with the threat of a data breach, it’s important to think of all potential causes and attack vectors. Traditional cybersecurity defenses that keep out the hackers are great, but they don’t prevent the “oops” type of breach caused by employee negligence. Preventing this type of breach requires a different strategy since the “threat” is already inside your defenses. By enforcing need to know and role-based access control and requiring role separation for important actions, you can decrease the probability that a moment of absentmindedness by an employee will cost your organization millions.