Insider threats – an issue that endangers sensitive company data. While many businesses focus on protecting themselves from external dangers, incidents triggered by employees make up more than half of data loss cases. Richard Brulík, CEO of Safetica, which offers Data Loss Prevention (DLP) solutions, introduces the phenomenon of insider threats in detail.
Without a DLP solution, data leaks take months to uncover
Safetica is a DLP vendor focusing mainly on insider threats. What do such threats usually look like?
Companies can generally encounter three distinct types of insider threats. Firstly, employees leaving the company may attempt to take sensitive data of their former employer with them. They do so either because they believe they can use the data in their new job or because they intend to harm their past employer by using it against them. A second typical example of an insider threat is when a current employee shares sensitive data through inappropriate channels (e.g., public cloud storage) due to their lack of knowledge or simply by mistake. Lastly, while the third type is often classified as an insider threat, the danger originates outside the company. In this case, a malicious actor can steal the login credentials of an employee and access sensitive or confidential data stored on the company’s network.
Can you share any specific cases that you have encountered?
Let me start with the first type I’ve mentioned. I can remember the case of a luxury brand car importer that decided to hire a new trader. The new employee came to the management with sensitive data from their past job, including the names of clients approaching the end of their car lease. This was an opportunity for the importer to contact these potential customers and offer them better solutions than the competitors. And since these are luxury cars, we are talking about large sums of money. However, the management soon realised that the same situation could quickly happen to them, which motivated them to protect their data better. After they started cooperating with Safetica, we discovered that one of their former employees had also stolen their data in the same manner as the newly hired trader. We quickly implemented a solution for them that strictly limited access to sensitive data and its usage.
You needed to respond swiftly.
Yes, because, when a company has no DLP solution, 68% of data breaches take months to discover. Also, the business usually takes nearly three months (85 days) to contain an insider incident. That is a huge issue – when you only uncover data loss after several months, the damage has already been done. In addition, companies often find out about the data leak from their competitors, which is never pleasant. I can recall the case of a Czech engineering company that was looking for a Chinese subcontractor. As a part of the process, one potential Chinese partner sent their models of transmissions to a Polish business. As soon as they saw the samples, they knew that the product was identical to that of their main Polish competitors. They were sure that the rival firm hadn’t cooperated with the Chinese business, so it was an instance of a data leak. Immediately following the incident, the Polish firm notified their competitors about the issue and immediately searched for a DLP solution to protect their business from a similar situation.
What about the second type of insider threat – sharing sensitive data through inappropriate channels?
I can mention the case of an accountant from one firm that will remain unnamed. When asked to create a document summarising the company’s bills, she was unsure how to send it to her employer. Since the file was too large to share via e-mail, she put it on a public cloud storage app without using any passwords, encryption, or other protection. Even from the document’s name, it was obvious that it contained sensitive data. As a result, unfamiliar persons were also able to download the file. This issue did not begin with a malicious intention – the accountant wasn’t educated about safely handling and sharing data via secure channels.
A DLP solution should encourage productivity, not prevent it
What are the main reasons behind insider threats? Can they be prevented?
There are several steps companies can take to protect their data better. First off, employers should educate their employees on the topic of data security. We need to realise that data loss is often unintentional. For example, employees want to send some documents to their colleagues, and, since they have not been informed about the most secure method, they end up endangering business-sensitive data – just as the accountant mentioned in my example. This frequently happened at the beginning of the pandemic, when people needed to work from home, and they o and often received no instruction on how to roam their offices to their remote working spaces. Each company needs to clarify their data protection policy, specify safe and unsafe processes (such as putting documents on a USB flash drive), and carefully distribute data access among employees. Finally, one of the best protections is finding a DLP solution that works for your company and protects your data. It is always essential that the security policy and the DLP solution do not intervene with employees’ productivity. If each worker needed authorisation from multiple people to complete a simple work process, the company could not function.
Are companies aware of the risk of insider threats?
It is getting better. Not so long ago, businesses mainly concentrated on potential threats coming from the outside, and they always started their security journey by implementing a firewall and antivirus software. There is nothing wrong with that; companies need to protect themselves from outsider threats! But insider threats should not be overlooked or underestimated. Most data loss incidents happen due to insider threats. Nowadays, especially in some countries – such as the Netherlands or the UK – the debate is focused on how DLP solutions and protection against outsider threats coexist. Companies in these countries often opt for a layered security system, taking their solutions from multiple providers. In combination, the various security solutions can create a system of protection that is difficult to penetrate. In Europe, we can see significant progress, mainly due to GDPR. The regulation forced companies to look closely at risks to their data. When we meet a potential customer, we no longer have to explain the basics of data protection – they already know that some data is susceptible and, consequently, needs thorough protection.
Human-centric rather than data-centric approach
The popularity of DLP solutions is on the rise. Do you know why?
Last year, Safetica grew by 51%, and the year before that, it was about 40%. As for the broader DLP solution market is growing by about 15–20% per year. That means we are growing faster than the DLP market itself. The DLP market is growing very fast compared to other industries, and there are three main reasons for that. Firstly, some regulations push companies toward better data safety, such as the GDPR above. Secondly, the amount of digital information processed by companies is getting larger. As a result, if data remains unsecured, an immense amount of information can be easily stolen, leaked, or used by companies to destroy their competitors. Lastly, the growth of remote or hybrid work modes forced companies to protect their data more thoroughly, as their information travels at much higher volumes between offices and the employees’ homes, where workers may be connecting to less-secure internet networks.
With outsider threats, we see the continuous development and steadily more sophisticated attacks. Is the situation similar to insider threats?
I would not say that insider threats are getting more sophisticated. Instead, the work environment is evolving. New email clients are developed, and mobile devices are more commonly used. These changes can make insider threats more common because data is now more frequently consumed on the move. The spaces where information is stored are continually broadening, so to say. This is also why we no longer focus solely on data points or individual devices but the client or the user and their behaviour on various platforms. Our approach is changing from data-centric to human-centric. There is also a new trend we can observe in DLP solution choices. Nowadays, many companies choose SaaS products rather than perpetual products. This is why Safetica recently introduced a new SaaS service, Safetica NXT, which is both economically and practically convenient, protecting businesses while employers can avoid being vendor-bound.
About Richard Brulík, the CEO of Safetica
Richard Brulík has been active in technology for the past 20 years. Previously, he worked for Y Soft and Kentico Software, primarily responsible for global sales, marketing activities, and people management. Since May 2020, Richard has been the CEO of Safetica, a DLP solution provider that focuses mainly on insider threats. Richard emphasises the importance of employee education and a human-centric approach when discussing data security. “By focusing on individuals and their actions, Safetica can spot dangers that could be overlooked by other protection software, including antivirus software,” Richard explains. Safetica continues to expand, build its global customer base, and develop new products, including SaaS solutions.