The rapid shift to remote work during the global pandemic has increased data security risk in organizations and provided new opportunities for data exfiltration.
Data is more portable than ever, exposing gaps, because employees are more mobile than ever—now and into the future.
Four expert panelists joined us to discuss data security through the lenses of insider threat, third-party risk, and remote work challenges on our series of SecureWorld Web Conferences for 90 minutes of Q&A.
Below is a summary of the webcast; however, be sure to check out the full episode, which is available on demand.
Who are the data security panelists?
- Jadee Hanson, CISO & CIO, Code42
- Jake Bernstein, Esq. Attorney-at-Law, Focal
- Benjamin Brooks, Adjunct Professor, Retired U.S. Navy
- Arif Hameed, Sr. Director of Client Security, Equifax Canada
How has data security changed from the Insider Threat?
"As a practitioner myself, I think we have tried to address the insider risk in a number of different ways, primarily data loss protection technology…. I think many of us can agree that this has not really worked," Hanson said.
However, her team devised a new strategy around work from home:
"Within eight days [during the pandemic] we actually launched a remote worker view to help the security analyst team really identify who's at the highest risk for actual trading data, because the mindset does change.
When you are in the office, whether it's an actual thing happening or not, you feel like people are watching. When you are at home, you don't feel that, so people do feel a little bit more entitled to pull information off their work machine, or share things in a certain way.
For us, fortunately, the agent sits on the endpoint, so we are watching all that activity at any time regardless of where they are. So, we can see when certain files move and where they go, and then we can react soon after that.
We [Code42] do a research report each year, and part of that research we found that 66% of breaches over the past year have been tied to inside jobs. We only spend about 10% of our security budgets directly tied to addressing insider threats, so we see this as a really big problem, and we see that the market is also changing to make it even a bigger problem."
Those market changes include:
1. We all have Gen Y / Gen Z workers in our environment, and their work expectations are very different.
2. We have a lot more employee turnover than we probably had in the past.
3. More contract workers are in the workforce.
4. We also have this rise in need for collaboration technology in each of our environments.
How has data risk changed since COVID-19 and work from home?
"Fortunately for us, we are a very cloud first company," Hanson said. "Almost every solution we leverage from a business perspective is a SAAS solution, which is fantastic for us, and works well in this work from home situation.
We spent a lot of time focusing on Zero-Trust, as well as getting rid of the network, and really focusing on the endpoint…. With every change we have to stay nimble… so one of the things that we did right away… was a brain storming threat assessment to really address what we are seeing change in our space.
Certainly, we saw a lot more phishing than we ever had, and we saw a lot more adversarial activity. So, we put together an overview; what are the new risks that we need to be worried about, and almost a mini action plan for each.
It's not really our jobs to secure home networks, but… all of those home setups have now put our company at risk. We took the time to develop tips and tricks, guidelines for setting up home systems, and our help desk ended up actually helping out doing the setup for some people in the company."
Said Hameed: "In addition to the secure home setups and phishing, the other thing I would note is entitlement…. With work from home, a lot of people were sending in requests for access to systems they may not need, as well as additional entitlement requests for work from home for those who didn't have it.
The other aspect to look at is a lot of people may have had access to a number of things that were a little bit excessive. So that manager access review is really important to ensure people have the right level of access.
I was really surprised a lot of companies were able to increase their capacity. A lot of companies were at maybe 25-30% of the seats available for work-from-home, and now in this new environment you are close to 95-100% work-from-home. That change for a lot of companies was easy. Also, the ISP providers, especially in Canada and most of the states, you didn't hear about big outages, which was surprising and really good."
How do you prevent employee theft of IP amid remote work and downsizing?
"This has always been a problem, whether we are remote or not," said Bernstein.
"Employee contracts, and employment agreements… need to make it very clear that 'thou shalt not steal our IP.' Now, you might think that's kinda silly, but here's what I mean, in order to take legal action against an employee who has stolen IP, or who may have stolen IP, you have to lay out expectations. You have to lay out clear access privileges, access rights, because… one of your tools is the Computer Fraud and Abuse Act, which is a federal law, so it can be applied in all 50 states, plus D.C.
In order to use that, you need to be able to show that someone exceeded their authorized access to a protected computer system… which boils down to, 'did they do something they knew they shouldn’t have?'"
According to Hameed: "Along with the legal repercussions that were noted, I would add to mitigate this risk, there are a number of controls that can be implemented:
- Some companies are allowing local printing; that is something I would advise against. Unless there is a need for it, it can be disabled.
- USB ports that are open should be locked down.
- Consider additional monitoring on the endpoint, especially around email.
- Carefully monitor those giving notice or being let go; that's a point where people may take data they should not be taking.
- Most companies have everything logged, but active monitoring needs to be in place. At least you have the detective control if you can't prevent it."
Hanson shared: "One of the things that we try to do, and we actually recommend this to our customers, is we have a really open and transparent insider threat program. At the end of the day, if you are pitching it in a way where it's protecting the company, people should accept it, and I know that's a tricky thing to do.
One of the things that I typically share [with new employees] is our entire insider threat program, and I do this for a number of reasons. One, I want to assume positive intent, and I don't want to assume that the people that work for the company are trying to steal IP, but I also do it as a deterrent. I share what we are doing and monitoring. I make sure it's not adversarial and they know what our job is and that we are trying to protect the company."
Which controls help most as you go from network-centric to data-centric security?
According to Brooks: "Generally, what the right solution is, and what we've found, is using a combination of technologies, tools, strategies, and education to build out the program as the organization sees fit.
For those information assets sitting on a clearly defined network, more traditional information security approaches can work just fine. But, when we're talking about integration of external services, software as a service, any sort of cloud implementation, or off-site implementations even, it really helps to have either a fully implemented single sign-on service or a Zero-Trust model when it comes to securing that information.
There are SOC as a service companies out there that you can hire to provide that SOC capability for your organization.... There are also managed service providers that can provide you an area of greater purview for secure files, manipulation, and storage. So again, lots of ways to do this, these are just a few of the easy to implement solutions."
How do you address data security and third-party vendor risk?
Brooks said: "We need to make sure access restrictions are appropriately in place, and at the same time, we also need to have some sort of assurance that the third party is doing their due diligence for their information security. Because they have access to information… they may actually compromise that information based upon what they have in their systems, not necessarily because of what you have given them access to on your systems."
Hanson added: "I think everyone needs a pretty robust third-party management plan, but even beyond that, a fourth-party and fifth-party, because all of your vendors are using vendors.
For us, we do a very detailed job of just tracking the data… and so regardless of who the vendor is, or what we're using them for, we're 100% just tracking the data."
Web conference: How the New Remote Workforce Changes Data Security
To go more in-depth on these insights, we highly suggest you take time to watch this web conference panel discussion, available on demand.
Thank you, Jadee, Jake, Benjamin, and Arif, for helping serve in SecureWorld's mission of connecting, informing, and developing leaders in cybersecurity.