Insider threats – an issue that endangers sensitive company data. While many businesses focus on protecting themselves from external dangers, incidents triggered by employees make up more than half of data loss cases. Richard Brulík, CEO of Safetica, which offers Data Loss Prevention (DLP) solutions, introduces the phenomenon of insider threats in detail.
Without a DLP solution, data leaks take months to uncover
Safetica is a DLP vendor focusing mainly on insider threats. What do such threats usually look like?
Companies can generally encounter three distinct types of insider threats. Firstly, employees who are leaving the company may attempt to take sensitive data of their former employer with them. They do so either because they believe that they can use the data in their new job, or because they intend to harm their past employer by using the data against them. A second common example of an insider threat is when a current employee shares sensitive data through inappropriate channels (e.g., public cloud storage), be it due to their lack of knowledge, or simply by mistake. Lastly, while the third type is often classified as an insider threat, the danger actually originates outside the company. In this case, a malicious actor can steal the login credentials of an employee and access sensitive or confidential data stored on the company’s network.
Can you share any specific cases that you have encountered?
Let me start with the first type I’ve mentioned. I can remember the case of a luxury brand car importer that decided to hire a new trader. The new employee came to the management with sensitive data from their past job, which included names of clients who were approaching the end of their car lease. This was an opportunity for the importer to contact these potential customers and offer them better solutions than the competitors. And since these are luxury cars, we are talking about large sums of money. However, the management soon realised that the same situation could easily happen to them as well, which motivated them to protect their data better. After they started cooperating with Safetica, we found out that one of their former employees had also stolen their data in the same manner as the newly hired trader. Very quickly, we managed to implement a solution for them that strictly limited access to sensitive data and its usage.
You needed to respond swiftly.
Yes, because, when a company has no DLP solution, 68% of data breaches take months to discover. Also, it usually takes nearly three months (85 days) for a business to contain an insider incident. That is a huge issue – when you only uncover data loss after several months, the damage has already been done. In addition, companies often find out about the data leak from their competitors, which is never pleasant. I can recall the case of a Czech engineering company that was looking for a Chinese subcontractor. As a part of the process, one potential Chinese partner sent their models of transmissions to a Polish business. As soon as they saw the samples, they knew that the product was identical to that of one of their main Polish competitors. They were sure that the rival firm hadn’t cooperated with the Chinese business, so it was clearly an instance of a data leak. Immediately following the incident, the Polish firm notified their competitors about the issue and immediately searched for a DLP solution that would protect their business from a similar situation.
What about the second type of insider threats – sharing sensitive data through inappropriate channels?
I can mention the case of an accountant from one firm that will remain unnamed. When she was asked to create a document summarising the company’s bills, she was unsure of how to send it to her employer. Since the file was too large to share via e-mail, she decided to put it on a public cloud storage app without using any passwords, encryption, or other protection. Even from the name of the document, it was obvious that it contained sensitive data. As a result, unfamiliar persons were also able to download the file. This issue did not begin with a malicious intention – the accountant simply wasn’t educated about handling data safely and sharing it via secure channels.
A DLP solution should encourage productivity, not prevent it
What are the main reasons behind insider threats? Can they be prevented?
There are several steps companies can take to protect their data better. First off, employers should educate their employees on the topic of data security. We need to realise that data loss is often unintentional. For example, employees just want to send some documents to their colleagues, and, since they have not been informed about the most secure method of doing so, they end up endangering business-sensitive data – just as the accountant mentioned in my example. This happened frequently at the beginning of the pandemic when people needed to work from home, and they often received no instruction as to how they should move data from their offices to their remote working spaces. Each company needs to clarify their data protection policy, specify safe and unsafe processes (such as putting any documents on a USB flash drive), and carefully distribute data access among employees. Finally, one of the best protections is finding a DLP solution that works for your company and protects your data. It is always essential that the security policy and the DLP solution do not interfere with the productivity of employees – if each worker needed authorisation from multiple people to complete a simple work process, the company could not function.
Are companies aware of the risk of insider threats?
It is getting better. Not so long ago, businesses mainly concentrated on potential threats coming from the outside, and they always started their security journey by implementing a firewall and antivirus software. There is nothing wrong with that; of course, companies need to protect themselves from outsider threats! But insider threats should not be overlooked or underestimated – in fact, most data loss incidents happen due to insider threats. Nowadays, especially in some countries – such as the Netherlands or the UK – the debate is focused on how DLP solutions and protection against outsider threats coexist. Companies in these countries often opt for a layered security system, taking their solutions from multiple providers. In combination, the various security solutions can create a system of protection that is difficult to penetrate. In Europe, we can see significant progress, a result largely due to GDPR. The regulation forced companies to look closely at risks to their data. Now, when we meet a potential customer, we no longer have to explain the basics of data protection – they already know that some data is especially sensitive and, consequently, needs thorough protection.
Human-centric rather than data-centric approach
The popularity of DLP solutions is on the rise. Do you know why?
Last year, Safetica grew by 51%, and the year before that, it was about 40%. As for the wider DLP solution market, it is growing by about 15–20% per year. That means we are growing faster than the DLP market itself. Anyway, the DLP market is growing very fast when compared to other industries, and there are three main reasons for that. Firstly, there are regulations that push companies toward better data safety, such as the aforementioned GDPR. Secondly, the amount of digital information processed by companies is getting larger. As a result, if data remains unsecured, there is an immense amount of information that can be easily stolen, leaked, or used by companies to destroy their competitors. Lastly, the growth of remote or hybrid work modes forced companies to protect their data more thoroughly, as their information now travels at much higher volumes between offices and the employees’ homes, where the workers may be connecting to less-secure internet networks.
With outsider threats, we see continuous development and steadily more sophisticated attacks. Is the situation similar with insider threats?
I would not say that insider threats are getting more sophisticated. Rather, the work environment is evolving. New email clients are developed, and mobile devices are more commonly used. All these changes can make insider threats more common because data is now more frequently consumed on the move. The spaces where data is stored are continually broadening, so to say. This is also why we no longer focus solely on data points or individual devices, but, rather, on the client or the user, and their behaviour on various platforms. Our approach is basically changing from data-centric to human-centric. There is also a new trend we can observe with regard to DLP solution choices. Nowadays, many companies choose SaaS products rather than perpetual products. This is why Safetica recently introduced a new SaaS service, Safetica NXT, which is both economically and practically convenient, protecting businesses while employers can avoid being vendor-bound.
About Richard Brulík, the CEO of Safetica
Richard Brulík has been active in the field of technology for the past 20 years. Previously, he worked for Y Soft and Kentico Software, where he was mostly responsible for global sales, marketing activities, and people management. Since May 2020, Richard has been the CEO of Safetica, a DLP solution provider that focuses mainly on insider threats. When speaking of data security, Richard emphasises the importance of employee education and a human-centric approach. “By focusing on individuals and their actions, Safetica can spot dangers that could be overlooked by other protection software, including antivirus software,” Richard explains. As of now, Safetica continues to expand, build its global customer base, and develop new products, including SaaS solutions.