contributed by Grant Hegerberg, WatchGuard Technologies
It is rational that not all data loss from within an organization is malicious. In fact, in most cases data loss is the result of common mistakes that employees make. To understand the risks to our confidential data by employees, it is important to understand common risky behavior, as well as common errors that employees make that heighten the risk of data loss and spur the need for data loss prevention.
Sending Confidential Documents to Personal Email Addresses
Many of us are guilty of this. Rather than take home our company‐issued laptops to work on a document that contains sensitive data, we send the document to our personal email account, like Hotmail or Gmail, intending to work on it when we have a moment over the weekend. The issue here is that this behavior poses a high risk to the confidential data being transmitted because these types of applications do not use the same security standards or email encryption that have been implemented throughout company email networks. Although you may have stringent policies on what can be sent via email, if you do not have the same protection in place across web, then this sensitive information may be at risk as it passes through mostly unmonitored waypoints.
With all of the automation and new features being introduced in business communications tools and applications today, the likeliness of human error as a threat vector has never been higher. For example, if you consider the Microsoft Outlook AutoComplete Email Address feature whereby the system populates the “To” field in an email by detecting the first few letters input by the sender and populating it with the first name that matches, unless the employee is diligent to ensure that the recipient address is a match, sensitive data can end up in the wrong hands.
Unauthorized Sharing of Corporate Computer Resources
Many employees bring their company‐issued laptops home and share the devices with friends and family members. Occasionally, an employee, in an effort to provide guidance or mentoring to a friend, may even share a document with a personal contact to provide a sample template. Or, on the flip side, an employee may share a confidential document with a friend to get some brainstorming ideas. Consider a third scenario whereby employees do not lock their desktops when leaving their desks, leaving sensitive information exposed should someone access the employee’s computer. Although not malicious in nature, this type of behavior is another example of common root causes of unintentional data loss.
Abuse of System Access and Privileges
System access can be used for any number of malicious tactics by employees, but it also accounts for 46% of data breaches. This involves the malicious use of information assets to which an employee is granted access. Even more alarming is that 51% of data breaches that originate from internal sources are originated from regular employees (see chart at right).
These are just some examples of risky employee behavior that contribute to the likelihood of unauthorized data loss. Now, more than ever, companies have to be diligent at not only creating a strong data loss prevention policy management program, but implementing and monitoring it to identify violations and security gaps.
Organizations owe it to themselves and their customers to keep information from falling into the wrong hands. At the same time they need to ensure that legitimate business processes and communications are not hindered.
An effective data loss prevention (DLP) solution can accomplish this by providing the ability for compliance and policy officers to create granular outbound policies by user, group or domain. Different people have varying roles and responsibilities; having a DLP solution that recognizes this and enforces appropriate, user‐ or group‐level policies while not hindering the regular course of business is imperative.