Insider data breaches: Whose responsibility is it? (Part 2)
In Part 1 of this blog, we discussed the critical nature of the insider data breach as well as its distinct origins. We left it in a very scary place, a place where most corporations and agencies find themselves today. Security teams and data teams don’t have the answers or the ownership to address this problem head on.
So we return to our original question: Whose responsibility is it to protect our personal and valued information against insider threats? Who is accountable for protecting Social Security numbers, banking information, healthcare records, top secret government databases and intelligence files?
I would argue that this is a business problem. It is a problem that must be understood and identified by the business owners—that is, by the executives in charge of the business units and in charge of IT. The officers of the corporation or government agency. It is incumbent upon these executive-level business owners, decision makers and policy creators to understand and treat the threat of an insider breach as a very real, clear and present danger that is growing worse over time. Understanding the threat and assigning policy and resources is the first step in securing the data environment and preventing the breach.
The business owners must then ensure that those resources—the data administrators and security teams—are enabled to take action on the policy. This requires the business owners and CIO to come together with the data administrators and networking and IA teams to share their knowledge of what makes the business tick. What are the crown jewels of data and information? What data assets can the business not afford to be breached, stolen, leaked or destroyed? What are the worst possible outcomes if something is breached, leaked or stolen? It is a mutual responsibility that must be owned and driven from the top down so that all three of these critical team members can participate.
This effort also requires IT team members to put aside their personal biases. We’ve all seen or dealt with IA team members or database owners who think that their current security measures are “good enough.” This type of attitude must be checked at the door during these business meetings. In order to combat and prevent an insider threat, you must think like a bad guy and assume that an insider threat already exists. Accept and acknowledge that your data is not safe with the current measures in place.
Finally, these resources must execute. Execution means putting in place the right policies and tools to secure the data from even the most sophisticated of insider threats. The policy must have both corporate and financial support. With regard to selecting the right tools, there are solutions on the market today that go beyond the measure of traditional perimeter security, logging and analytics. These solutions protect the data and the access to the data utilizing measures that traditional intrusion prevention, detection and authentication systems simply do not offer.
One such solution comes from Vormetric Data Security. These folks offer non-traditional, next-generation data security solutions for the business owner, data owner and cyber warrior. The Vormetric solution addresses industry compliance mandates and government regulations by securing data in physical, virtual and cloud infrastructures through Data Encryption, Key Management, Access Policies, Privileged User Control, and Security Intelligence.
With solutions like this, executives setting policy and putting a stake in the ground to stand against insider threats and data breaches can be assured that successful execution of such policies is achievable. It all starts with assigning ownership to deal with the issue. The data breach explosion can be stopped.
If you’d like to learn more about insider threats or the Vormetric Data Security solutions, please contact SwishData. You can also check out the short video drama, “Hacked: the series,” to learn how such an attack might be orchestrated. “Hacked” tells the story of a federal employee who gets caught up in a data breach that has dire consequences for his agency, his family and himself.