Today, advances in technology have made it possible for businesses to capture an increasing amount of customer data, from contact information to behavioral patterns. Businesses the world over now leverage this data to make strategic decisions, ranging from adjustments to their service offerings to their marketing strategy.
Consumer data: Asset or Liability?
While such consumer data analysis has become an integral part of many businesses, many are questioning whether gathering such large amounts of consumer data is really an asset, and whether organizations are adequately prepared to protect it. Steve Shoaff, CEO and Co-Founder of UnboundID, an adviser on identity and security issues for Global 100 companies, expressed concern about the way companies are managing this data: “Big Data and other enterprise data management efforts are trying to enable fast, easy consumption of customer data assets to drive better customer engagement and experience. However, soft controls on how data is leveraged inside an organization and free access to customer data assets risk turning a valuable asset into a dangerous liability.”
His concern is backed by hard data. More than 502 million data records were reported exposed in 1,331 breach incidents in the first half of 2014, with an average direct cost to the affected organization of $5.4 million. The cost of a single breached record is estimated at an average of $194 in the United States, plus roughly $30 per customer to notify them of the breach. The indirect cost of the damage to brand image is harder to quantify.
Is The Greatest Threat from Insiders?
Companies are investing heavily in technology such as encryption, firewalls, anti-virus and anti-phishing software, and in IT staff, yet, as Shoaff noted, soft controls on the way data is accessed and managed may actually leave them vulnerable from within the organization. Human error is often the weakest link in the chain. T&M Protection Resources is a global provider of security services to the commercial sector and to the federal government and US military. Jeffrey Bernstein, Managing Director, shared with Global Delivery Report, “At a high level, it is accurate to say that any effective enterprise security program should take three areas into consideration: people, process and technology. Many organizations have invested heavily in the latest security technologies. They’ve also developed and implemented policies and procedures that help them to operate efficiently and meet legal and regulatory requirements. Yet losses to security breaches for these same organizations continue to grow each year. This is because the problem is not as much with the security technologies utilized or the processes that they have in place, as it is with the lack of security savvy among internal users.”
Bernstein recently delivered a series of presentations about the security threat from insiders at the New York Metro Joint Cyber-Security Conference. Sharing some insights from his presentation, he said, “All too often security breaches are caused by users doing something that they shouldn’t do, like clicking a malicious link in an email, opening an email attachment, using weak passwords, losing laptops or phones with confidential data, or being tricked into giving up their passwords through social engineering attacks. I’ve also seen this first-hand, as our firm provides post-breach incident response and forensics investigations. Getting end-users to properly identify and respond to security threats is one of the most significant challenges facing organizations today.”
A report by MeriTalk shows that 49% of security breaches at federal agencies are caused by employees bypassing security measures. Forrester’s analysis of data security and privacy with B2B vendors and end users found that 36% of breaches stem from inadvertent misuse of data by employees. If trusted, well-meaning insiders can cause such damage, a determined, malicious insider can be even more dangerous. According to a report by Breach Level Index, malicious insiders were responsible for 52% of the total number of data records breached in the first quarter of 2014.
Mitigating Insider Threats
An important first step towards mitigating the risk of an inadvertent insider breach is to identify the common mistakes employees make and train them accordingly. Per the Forrester report, 57% of employees stated they were not even aware of their organization’s current security policies. A Cisco survey identified the behaviors that most often put corporate data at risk as unauthorized application use, misuse of corporate computers, unauthorized physical and network access, and misuse of passwords. Notably, almost three-quarters of insiders involved in data theft had authorized access to the stolen information at the time of the theft, so granting access correctly is not enough on its own; how that access is used has to be controlled and monitored as well.
To handle such issues, Shoaff advises, “Put in the proper controls over how data is consumed. A broker layer sitting between your application tier and federated/unified data layer which enforces what data these applications can leverage is absolutely key. This is the new frontier in security: focusing on what an application can access in addition to who can access an application. For customer centric organizations, let your customer have some control. Capture their explicit choices and preferences over how their data is leveraged. Give them insight into what data you have about them. This will not only de-risk your leveraging customer data but also build a more trusted brand relationship yielding enhanced engagement and revenue over time.”
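The broker layer Shoaff describes is easier to reason about in code. The following Python sketch is an added example written for this article, not UnboundID's product or any code from the interview. It assumes a constructed customer store, a per-application grant (a purpose plus an allow-list of attributes), and a per-customer consent store of opted-out purposes; the application names, field names and policies are all invented for the illustration. The broker refuses any request outside the application's grant, returns nothing when the customer has opted out of the purpose, records every decision for audit, and exposes a customer-facing view of which attributes are held and which applications may use them for what.

```python
"""Data-access broker between an application tier and a unified customer data layer.

Added example: each application holds a grant (purpose + attribute allow-list),
customers may opt out of purposes, and every decision is logged. All names,
records and policies below are constructed for the illustration.
"""
from dataclasses import dataclass, field

# Constructed customer records, as a unified data layer might return them.
CUSTOMER_DATA = {
    "c-1001": {"name": "A. Example", "email": "a@example.org", "phone": "555-0100",
               "purchase_history": ["sku-1", "sku-7"], "ssn_last4": "1234"},
    "c-1002": {"name": "B. Example", "email": "b@example.org", "phone": "555-0101",
               "purchase_history": ["sku-3"], "ssn_last4": "9876"},
}

# Constructed consent store: purposes each customer has opted out of.
CONSENT_OPT_OUTS = {
    "c-1001": set(),
    "c-1002": {"marketing"},
}


@dataclass(frozen=True)
class Grant:
    purpose: str              # why the application is allowed to see data
    attributes: frozenset     # which attributes it may see for that purpose


# Constructed application entitlements: the "what can this app access" policy.
APP_GRANTS = {
    "marketing-campaigns": Grant("marketing", frozenset({"name", "email", "purchase_history"})),
    "fraud-review": Grant("fraud", frozenset({"name", "phone", "ssn_last4", "purchase_history"})),
}


class AccessDenied(Exception):
    """Raised when an application asks for data outside its grant."""


@dataclass
class Broker:
    data: dict
    grants: dict
    opt_outs: dict
    audit: list = field(default_factory=list)

    def fetch(self, app_id, customer_id, requested):
        """Return only the requested attributes the application is entitled to.

        Over-reaching requests fail closed (nothing is returned, not a partial
        record), so an application cannot probe for fields outside its grant.
        """
        grant = self.grants.get(app_id)
        if grant is None:
            self.audit.append((app_id, customer_id, "unknown_app", []))
            raise AccessDenied(f"unknown application {app_id!r}")
        requested = frozenset(requested)
        overreach = requested - grant.attributes
        if overreach:
            self.audit.append((app_id, customer_id, "denied", sorted(overreach)))
            raise AccessDenied(f"{app_id} is not entitled to {sorted(overreach)}")
        if grant.purpose in self.opt_outs.get(customer_id, set()):
            # Customer preference overrides the application's entitlement.
            self.audit.append((app_id, customer_id, "opted_out", grant.purpose))
            return None
        record = self.data[customer_id]
        view = {k: record[k] for k in requested if k in record}
        self.audit.append((app_id, customer_id, "allowed", sorted(view)))
        return view

    def data_held_about(self, customer_id):
        """Customer-facing transparency: each held attribute and who may use it for what."""
        record = self.data[customer_id]
        usage = {attr: [] for attr in record}
        for app_id, grant in self.grants.items():
            if grant.purpose in self.opt_outs.get(customer_id, set()):
                continue
            for attr in grant.attributes:
                if attr in record:
                    usage[attr].append((app_id, grant.purpose))
        return {attr: sorted(apps) for attr, apps in usage.items()}


BROKER = Broker(CUSTOMER_DATA, APP_GRANTS, CONSENT_OPT_OUTS)

if __name__ == "__main__":
    print(BROKER.fetch("marketing-campaigns", "c-1001", ["name", "email"]))
    print(BROKER.fetch("marketing-campaigns", "c-1002", ["email"]))   # opted out
    try:
        BROKER.fetch("marketing-campaigns", "c-1001", ["ssn_last4"])
    except AccessDenied as exc:
        print("denied:", exc)
    print(BROKER.data_held_about("c-1002"))
    print(BROKER.audit)
```

The point of the design is that the application tier never holds a credential to the data layer itself; it can only ask the broker, and the broker's grant table and the customer's consent record, not the caller's own judgement, decide what comes back. The audit list is what an incident responder would pull when asking which application touched which customer's data and whether it was entitled to.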
Edward Kiledjian, Chief Information Security Officer of Bombardier Aerospace and a security evangelist for over 20 years, has a different take on the matter: he advises focusing on data protection instead. He shared, “Insider threats are very real but not the biggest concern for most organizations (as recent breaches demonstrate). Data classification is a critical activity many companies haven’t performed. It is only through proper data classification that an organization can apply importance ratings to each piece of information and then implement the required controls to protect it. You don’t want to protect a $10 bill with a $1000 safe.”
Bernstein concluded with the advice, “Most modern day security programs focus on people, process and technology. A determined trusted insider with malicious intent can circumvent the controls around all three. Many corporate security policies and procedures, technologies and training programs have yet to be updated to address this threat. For this reason, organizations must be vigilant about this threat and raise awareness internally.”
Headline Photo Courtesy Antranias, Pixabay