When it comes to data security, a lot of attention is paid to keeping a company – and especially its website – secure from external threats. Whether they’re cases of industrial espionage or just a probe from a bored hacker, cases where companies’ external security measures are compromised tend to draw big headlines. However, a much more immediate threat to companies sometimes comes from within – after all, no amount of guarding the perimeter will prevent the threat of internal leaks.
“Defending against external attack is generally accepted as not being the sole defence,” says Jon Penney, CEO of data security firm Intellect. While external threats to data security are very real, they are no more significant than the internal threats that can affect any company. Penney refers to the Verizon data breach investigations report (DBIR), an annual study which the telecommunications company produces on leaked data. This year, the survey identified 855 incidents, which entailed the leakage of 174m records.
However, of all of this leaked data 94% originated from secured file servers; only 1% originated from data kept on unsecured laptops and peripherals. Despite this 75% of the average company’s IT spend goes on securing their perimeter. “Clearly when you look at these metrics and statistics from Verizon, when 94% of data being compromised involve servers inside the perimeter, that expenditure is out of kilter,” he explains. “It’s not protecting them from these threats.”
Internal threats to companies’ data generally come in two forms: benign and malicious. “Certainly with the well-meaning insider compromising large quantities of data, it’s usually somebody within the business unit requesting a report of some sorts,” says Penney. Sometimes the information that is outputted contains confidential data and while this isn’t a problem in itself, the data is often then saved in an encrypted form in an unprotected area of the network. “So you’ve gone from well-protected environment of potential database to storing it somewhere outside of that protected zone,” he remarks. “All of a sudden, you’ve really compromised any effort to effectively protect the data in the first place by extracting it and leaving it somewhere else.”
The other end of the spectrum is often someone with a high level of clearance who intentionally compromises data for their own ends. “This is the privileged user, the database administrator, who has either been compromised externally and is being paid to collect this information or who is disgruntled and decides to take a dump of the entire database,” Penney says. Potential threats can come from anywhere between these two extremes and, while an organisation can do its best to introduce an organisational culture that discourages either of these scenarios, it’s impossible to entirely guarantee that neither scenario will occur.
At first it’s hard to see why organisations are struggling to cope with these issues without taking a look at how the environment of data security has changed. For a company such as StarBase, the performance testing consultancy, the security of their clients’ data is of utmost importance to their core business, and yet they find a lot of their customers still don’t understand the security issues raised by new technologies such as cloud hosting. “People are not considering the security aspects of it,” comments Stephen Davis, managing director at StarBase. “If you’re trying to transact business, hosting private and personal data, people haven’t really thought through the ramifications of having that data on servers they don’t own and servers they haven’t built.”
Another issue he has found his clients encounter is the move towards ‘bring your own device to work’ policies. “You go to any business meeting and there’s always a few people with iPads,” comments Davis. “People are tapping away because they want to type their notes straight in and you know that’s going to be uploaded somewhere.” StarBase tends to focus on working with Fortune 500 companies and he’s noticed it’s become a real trend that many of the senior managers and directors are wanting to use their own devices. “A genuine security issue is how you can ensure people have appropriate security levels on their own devices.”
And Intellect’s Penney feels this is the problem. “We live in this borderless digital world now,” he remarks. “The data is no longer contained within the confines of our four walls if we’re a typical organisation.” This is why security policies that focus on building a wall around the edge of a company’s network are failing to prevent threats to their data; the boundaries have shifted to the extent that there are many ways the data can leave the traditional network. “Putting a moat around the castle is no longer effective because the data, the assets, sit outside of that environment,” Penney explains.
Which poses something of a problem. If you can’t guard the gates then what chance do you have of protecting all of your valuables? “For an organisation’s security posture to be positive, it’s got to follow the lifecycle of the data,” Penney comments. “Data typically doesn’t stay in one place.” While organisations still need security measures focused on protecting the perimeter, security also depends upon using protection that is fluid and there are plenty of security organisations such as Intellect that utilise the various packages needed to keep data safe, no matter where it travels in your network. As Penney concludes: “In essence, an organisation has to focus on protecting and securing the data – wherever it may be.”