Protection against insider risks works in one of two ways: by controlling the channels through which data leaves the company, or by monitoring the data sources themselves.
The first approach means preventing files from being copied to USB flash drives or sent out by email. The second means preventing leakage or fraud in cases where an insider accesses files or databases with harmful intent.
What's the best way to protect your data?
It seems obvious that prevention is the best way to solve any problem. In most cases, DCAP (data-centric audit and protection) and DAM (database activity monitoring) are sufficient. Both serve the purpose of protecting data at rest.
The following example, taken from Russian court records, illustrates the second approach.
An employee of the Federal Migration Service in one of the Russian regions was approached by a friend, who asked him to hide information about two offenses in his file in the migrant database. The employee knew this could be done remotely, accessed the database from home, and hid the records. For doing this he received a reward of a mere $100.
To prevent this incident, it would have been enough for the employee's manager to see that the employee was accessing the database from outside the office and performing unauthorized operations. A DAM solution provides exactly that visibility. Here you can browse more information about DAM system tactics.
As an example of how a DCAP system detects fraud, here is a SearchInform customer's case:
SearchInform FileAuditor identified several computers on which price lists were stored that listed purchase prices alongside selling prices. This information is confidential; it must not be distributed uncontrolled either inside or outside the company. Customers who know the purchase prices are armed with arguments and can negotiate the best discounts, which is a clear loss for the seller.
The purchase-price column was typed in white text, so the price list looked normal on screen. FileAuditor nevertheless detected that purchase prices were present in the document. Investigating the case with the DLP system, the cybersecurity specialist found that employees had forwarded these price lists to external email addresses, and a subsequent investigation confirmed collusion between buyers and sellers.
This was a classic scheme: the seller's manager agreed to a large discount for the buyer on any pretext he could think of, and the buyer's representative then paid part of the difference back to the manager who had negotiated the discount.
Both the buyer's representative and the seller's manager benefited, while the selling company lost money. Such a violation can take up to a year to be identified, and depending on the size of the business the damage can range from thousands to millions of dollars.
Control of information sources therefore lets an information security specialist detect an incident at its earliest stage, the intent, rather than follow up after it has occurred. It does not replace a more detailed investigation, which collects evidence and draws conclusions so that the incident does not repeat. In this case, the information security specialist tightened the DLP policies on documents that contain purchase prices.
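The white-text trick in the case above works only against a scanner that looks at what is rendered. The following added example (not FileAuditor's code; the sample document, the label names and the price pattern are assumptions) parses the WordprocessingML runs of a .docx `word/document.xml` and classifies the document from its full content, treating runs with a white font colour or the `<w:vanish/>` hidden property as text that is present but invisible.

```python
"""Detect text hidden by formatting inside a Word document.

Added example (not FileAuditor's code). It reads the WordprocessingML runs of
a document.xml and reports runs a reader would never see: white font colour
or the <w:vanish/> "hidden" property. The sample document, the label names
and the price regex are assumptions made for illustration.
"""
import re
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W}
WHITE = {"FFFFFF"}          # a thorough scanner also checks shading and theme colours
PRICE_RE = re.compile(r"\b\d{1,7}[.,]\d{2}\b")

# Constructed sample: the "Purchase price" column is typed in white or hidden.
SAMPLE_DOCUMENT_XML = f"""<w:document xmlns:w="{W}"><w:body>
<w:p><w:r><w:t>Item  Sale price</w:t></w:r>
     <w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr><w:t xml:space="preserve">  Purchase price</w:t></w:r></w:p>
<w:p><w:r><w:t>Widget A  120.00</w:t></w:r>
     <w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr><w:t xml:space="preserve">  84.50</w:t></w:r></w:p>
<w:p><w:r><w:t>Widget B  300.00</w:t></w:r>
     <w:r><w:rPr><w:vanish/></w:rPr><w:t xml:space="preserve">  215.00</w:t></w:r></w:p>
</w:body></w:document>"""


def run_is_hidden(run):
    """True if the run is invisible when rendered: hidden property or white font."""
    rpr = run.find("w:rPr", NS)
    if rpr is None:
        return False
    if rpr.find("w:vanish", NS) is not None:
        return True
    color = rpr.find("w:color", NS)
    return color is not None and color.get(f"{{{W}}}val", "").upper() in WHITE


def split_runs(document_xml):
    """Return (visible_text, hidden_text) collected over all paragraphs."""
    visible, hidden = [], []
    for para in ET.fromstring(document_xml).iter(f"{{{W}}}p"):
        for run in para.findall("w:r", NS):
            text = "".join(t.text or "" for t in run.findall("w:t", NS))
            (hidden if run_is_hidden(run) else visible).append(text)
        visible.append("\n")
        hidden.append("\n")
    return "".join(visible), "".join(hidden)


def classify(document_xml, include_hidden=True):
    """Assign labels from the content. With include_hidden=False the function
    behaves like a naive scanner that only sees what a reader sees."""
    visible, hidden = split_runs(document_xml)
    full = visible + hidden if include_hidden else visible
    labels = []
    if re.search(r"\bprice\b", full, re.I) and PRICE_RE.search(full):
        labels.append("price list")
    if include_hidden and hidden.strip():
        labels.append("hidden text")
    if re.search(r"\bpurchase\b", full, re.I):
        labels.append("purchase prices")
    return {"labels": labels, "hidden_text": hidden.strip(),
            "hidden_prices": PRICE_RE.findall(hidden) if include_hidden else []}


def scan_docx(path):
    """Classify a real .docx: it is a zip archive whose main part is word/document.xml."""
    with zipfile.ZipFile(path) as z:
        return classify(z.read("word/document.xml").decode("utf-8"))


if __name__ == "__main__":
    print(classify(SAMPLE_DOCUMENT_XML))
    print(classify(SAMPLE_DOCUMENT_XML, include_hidden=False))
```

Run against the constructed sample, the naive pass labels the file only as a price list, while the full pass also reports hidden text and the purchase prices it contains; that difference is exactly what let the DCAP scanner in the case above see what the employee had concealed.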
Which is the best approach to data protection?
A combined approach. Not everything can be solved with DLP, and not everything depends on controlling the source. Together, however, the two approaches reinforce each other: when the DCAP system detects a potential violation, the DLP system gathers the evidence and supports conclusions on how to make business processes more transparent.
What are DCAP and DAM?
DCAP and DAM solutions are now widely available on the market because data at rest needs protection. The software is easy to use and integrates with established security solutions.
You can use SearchInform FileAuditor to determine:
- which documents contain business-critical information,
- how much of this information is stored by the company and where it is located,
- who can access and modify them.
The IT department can also benefit: DCAP makes the file system less messy, since each document is assigned a category (contracts, prices, personal data, research, etc.).
Shadow copying is probably not the most important feature, but it is a useful one: it lets you restore a document if something goes wrong. First and foremost, though, the software is intended for information security specialists.
Here's how FileAuditor works:
- searches for files
- assesses each file against the rules and labels it ("personal data," "agreement," etc.)
- if necessary, copies the file to the repository (shadow copy)
- keeps track of all actions on files and folders
- reads permissions on files and folders
- on subsequent checks, scans only newly added or changed files.
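The steps above form one loop: discover, classify, record permissions, shadow-copy, and rescan only what changed. The following added example (not FileAuditor's code; the classification rules, label names, sample files and directory layout are assumptions) implements that loop over a directory tree and shows the incremental behaviour on a constructed share.

```python
"""Minimal DCAP-style scanner: find files, classify them by content rules,
record who can read them, shadow-copy sensitive ones, and rescan incrementally.

Added example, not FileAuditor's code. The rules, label names, directory
layout and sample files are assumptions for illustration.
"""
import hashlib
import os
import re
import shutil
import stat
import tempfile

# Classification rules (assumed): label -> regex evaluated over file content.
RULES = {
    "personal data": re.compile(r"\b\d{3}-\d{2}-\d{4}\b|[\w.+-]+@[\w-]+\.\w+"),
    "agreement": re.compile(r"\b(agreement|contract|hereinafter)\b", re.I),
    "price list": re.compile(r"\bprice\b.*?\b\d+[.,]\d{2}\b", re.I | re.S),
}
SHADOW_LABELS = {"personal data", "price list"}   # labels worth a shadow copy (assumed)


def classify(text):
    return sorted(label for label, rx in RULES.items() if rx.search(text))


def permissions(path):
    """Who can read the file: mode string plus a world-readable flag (POSIX semantics)."""
    st = os.stat(path)
    return {"mode": stat.filemode(st.st_mode), "uid": st.st_uid,
            "world_readable": bool(st.st_mode & stat.S_IROTH)}


def shadow_copy(path, repo, digest):
    """Content-addressed copy so an altered or deleted original can be restored."""
    dest = os.path.join(repo, digest)
    if not os.path.exists(dest):
        shutil.copy2(path, dest)
    return dest


def scan(root, repo, state):
    """Walk `root`, skipping files whose (mtime, size) is unchanged since the
    last run recorded in `state`. Returns (inventory, list of rescanned paths).
    Caveat: an edit that preserves both size and timestamp slips past this
    cheap check; hash every file if that matters in your environment."""
    os.makedirs(repo, exist_ok=True)
    scanned, seen = [], set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            seen.add(path)
            st = os.stat(path)
            prev = state.get(path)
            if prev and (prev["mtime_ns"], prev["size"]) == (st.st_mtime_ns, st.st_size):
                continue
            with open(path, "rb") as f:
                data = f.read()
            digest = hashlib.sha256(data).hexdigest()
            record = {"labels": classify(data.decode("utf-8", "replace")),
                      "perms": permissions(path), "sha256": digest}
            if set(record["labels"]) & SHADOW_LABELS:
                record["shadow"] = shadow_copy(path, repo, digest)
            state[path] = {"mtime_ns": st.st_mtime_ns, "size": st.st_size, "record": record}
            scanned.append(path)
    for gone in set(state) - seen:            # forget files deleted since the last run
        del state[gone]
    return {p: s["record"] for p, s in state.items()}, scanned


def demo():
    """Constructed share with four files: scan, rescan, edit one file, rescan."""
    work = tempfile.mkdtemp()
    root, repo = os.path.join(work, "share"), os.path.join(work, "shadow")
    samples = {
        "sales/prices.txt": "Item  Sale price  Purchase price\nWidget  120.00  84.50\n",
        "sales/contract.txt": "Supply agreement, hereinafter the Agreement\n",
        "sales/memo.txt": "Lunch on Friday?\n",
        "hr/staff.txt": "jane@example.com  123-45-6789\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)

    def rel(p):
        return os.path.relpath(p, root).replace(os.sep, "/")

    state = {}
    _, first = scan(root, repo, state)
    _, second = scan(root, repo, state)          # nothing changed: nothing rescanned
    with open(os.path.join(root, "sales", "memo.txt"), "a") as f:
        f.write("Purchase price 99.00 for the reseller\n")
    inventory, third = scan(root, repo, state)   # only the edited memo is rescanned
    result = {"first": len(first), "second": len(second), "third": [rel(p) for p in third],
              "labels": {rel(p): r["labels"] for p, r in inventory.items()},
              "shadow_copies": len(os.listdir(repo))}
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

The first pass reads all four files, the second reads none, and after the memo gains a purchase price only the memo is reread and shadow-copied; the repository ends up holding the three files that matched a sensitive label.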
This year, SearchInform also released its own database monitoring solution, SearchInform Database Monitor. A database is usually a company's main information asset and plays a critical role in its operations. Fraudsters are interested both in the database as a whole and in specific records within it. A DAM system addresses this threat; for example, Database Monitor shows:
- who accesses the databases, and for what purpose;
- what information is requested from the database, and how much of it;
- what changes are made to the databases.
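The three questions above, applied to the migration-database case earlier on this page, reduce to checks over the database audit trail: who issued the statement, from which network, at what time, against which table, and how many rows. The following added example (not SearchInform Database Monitor code; the log format, table names, office network, business hours and thresholds are assumptions, and the log lines are constructed) runs such checks and flags the remote, late-evening UPDATE from the case.

```python
"""DAM-style review of database audit events: who accessed which table, from
where, how much data, and which writes touched sensitive records.

Added example, not SearchInform Database Monitor code. The log format, the
table names, the office network, the business hours and the thresholds are
assumptions; the log lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

SENSITIVE_TABLES = {"persons", "offenses"}           # assumed
WRITE_STMTS = {"INSERT", "UPDATE", "DELETE"}
OFFICE_NETS = [ipaddress.ip_network("10.1.0.0/16")]  # VPN clients land outside it (assumed)
BUSINESS_HOURS = range(8, 20)                        # 08:00-19:59; timestamps taken as local (assumed)
BULK_ROWS = 10_000                                   # a SELECT this large looks like an export

# Constructed audit log. The second line mirrors the migration-database case:
# a remote, late-evening UPDATE that alters two offense records.
SAMPLE_AUDIT_LOG = """
2023-05-14T10:02:11 user=petrova src=10.1.4.22 db=migrants stmt=SELECT table=persons rows=1
2023-05-14T22:41:07 user=ivanov src=10.8.0.17 db=migrants stmt=UPDATE table=offenses rows=2
2023-05-14T11:15:40 user=petrova src=10.1.4.22 db=migrants stmt=SELECT table=persons rows=250000
2023-05-15T12:00:00 user=ivanov src=10.1.4.30 db=migrants stmt=DELETE table=offenses rows=1
2023-05-15T09:30:00 user=sidorov src=10.1.9.8 db=migrants stmt=INSERT table=audit_notes rows=1
""".strip().splitlines()

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """One 'timestamp key=value ...' line into a dict with typed ts and rows."""
    ts, _, rest = line.partition(" ")
    ev = dict(KV_RE.findall(rest))
    ev["ts"] = datetime.fromisoformat(ts)
    ev["rows"] = int(ev.get("rows", "0"))
    return ev


def reasons(ev):
    """Policy checks for one event; an empty list means nothing to review."""
    out = []
    write = ev["stmt"] in WRITE_STMTS
    remote = not any(ipaddress.ip_address(ev["src"]) in net for net in OFFICE_NETS)
    off_hours = ev["ts"].hour not in BUSINESS_HOURS
    if write and ev["table"] in SENSITIVE_TABLES:
        out.append("write to sensitive table")
    if write and remote:
        out.append("write from outside the office network")
    if write and off_hours:
        out.append("write outside business hours")
    if ev["stmt"] == "SELECT" and ev["rows"] >= BULK_ROWS:
        out.append("bulk read")
    return out


def analyze(lines):
    """Return one alert per event that trips at least one check."""
    alerts = []
    for ev in map(parse, lines):
        why = reasons(ev)
        if why:
            alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"], "src": ev["src"],
                           "stmt": ev["stmt"], "table": ev["table"], "rows": ev["rows"],
                           "reasons": why, "severity": "high" if len(why) > 1 else "medium"})
    return alerts


def access_summary(lines):
    """Who touched which table with which statement, and how many rows in total."""
    totals = defaultdict(int)
    for ev in map(parse, lines):
        totals[(ev["user"], ev["table"], ev["stmt"])] += ev["rows"]
    return dict(totals)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_AUDIT_LOG):
        print(alert["severity"], alert["user"], alert["stmt"], alert["table"], alert["reasons"])
    print(access_summary(SAMPLE_AUDIT_LOG))
```

On the sample, the remote off-hours UPDATE to the offenses table trips three checks and is rated high, the 250,000-row SELECT is flagged as a bulk read, the daytime DELETE on a sensitive table is recorded for review, and the ordinary INSERT into a non-sensitive table raises nothing. Keying business hours to the site's local time zone, not the database server's, is the usual mistake in such rules.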
Many companies believe they have sufficient control over their file systems and are certain that users follow corporate policies, yet our experience shows that some companies treat sensitive information carelessly, and documents turn up in locations where they do not belong.