In our last post, we talked about what insider threats are and why it is so important to consider them as you construct your data security policies. The heart of an effective strategy to minimize risks from insider threats is the concept of access controls – limiting users’ privileges to the minimum necessary – but access controls alone are not enough.
As you consider these five recommended steps, it is important to remember that an insider is one who has access, whether physical or electronic, to a company’s data. Insiders are most commonly thought of as employees but also include any third parties that can access a company’s systems, such as business partners or maintenance contractors.
- The first step is to map your data. Understand what data you have and where it is. Do you need all of the data that you have? The rest of the steps won’t be fully effective if you fail to map your data and therefore overlook, for example, an old server, an orphaned database or a back-up drive.
- Categorize your data so that appropriate permissions can apply to each type of data. For example, some data is “strictly confidential,” and the highest security will apply. Still other data is confidential or simply sensitive. What category of data is at issue will determine whether to encrypt the data, who has access to it and who needs permission to access the data.
- Now that you know what you have and how confidential it is, the next step is rigorous access controls, together with policies and procedures to enforce them. Use the Policy of Least Privilege, which refers to the concept that users should receive the minimum privileges and entitlements necessary to do their jobs. Implement a similar concept in your technological systems – only let user-facing applications access the back-end systems and databases that are necessary. Revoke access as employees change responsibilities or leave the organization.
Once you have set up access controls, enforce them via technology. Limit the ability to exfiltrate data from the system by restricting users’ permissions to install software on their computers or to use USB drives. In the Morgan Stanley case we discussed previously, errors in the technology implementing the policies created the vulnerability.
Where appropriate, consider separating duties so that, for example, one employee might request access to personally identifiable information but a separate employee would have to approve the request.
- Train everyone on cybersecurity risks and your company’s policies to address them. Make training mandatory and repeat it. Train often enough that employees understand the part they play in keeping the company secure. Run tests to provide feedback to employees who still haven’t internalized the training.
- Implement a sanctions policy that is universally applied and has a designated individual to enforce it. Policies won’t work if only lower-level employees receive punishments for not following the policies and procedures. Regulators are also on the lookout for policies and procedures that don’t apply in the C-suite.
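As an added illustration of steps one through three (example code written for this post, not part of the original), the following Python models a data map with a classification per store, least-privilege role entitlements, automatic revocation when someone changes role, and a separate-approver rule for strictly confidential data; every store, role and user name below is constructed.

```python
from dataclasses import dataclass

# Steps 1 and 2: the data map, each store labelled with its classification.
# Every entry is a constructed illustration, not a real system.
DATA_MAP = {
    "hr-payroll-db": "strictly confidential",     # holds personally identifiable information
    "crm-db": "confidential",
    "marketing-share": "sensitive",
    "old-backup-drive": "strictly confidential",  # the kind of store mapping is meant to catch
}

# Step 3: least privilege. A role lists only the stores its job requires;
# anything not listed is denied by default.
ROLE_ENTITLEMENTS = {
    "payroll_clerk": {"hr-payroll-db"},
    "sales_rep": {"crm-db", "marketing-share"},
    "privacy_officer": set(),   # approves access requests but does not read the data
}

@dataclass(frozen=True)
class User:
    name: str
    role: str

def approve_request(requester: User, approver: User, store: str) -> tuple:
    """Separation of duties: the approver must be a different person in an
    approving role. Returns an approval record (requester, store, approver)."""
    if approver.name == requester.name:
        raise PermissionError("requester cannot approve their own request")
    if approver.role != "privacy_officer":
        raise PermissionError(f"role {approver.role} may not approve access")
    return (requester.name, store, approver.name)

def can_access(user: User, store: str, approvals=()) -> tuple:
    """Return (allowed, reason) for one access decision."""
    if store not in DATA_MAP:
        return False, "unmapped store: deny and add it to the data map"
    if store not in ROLE_ENTITLEMENTS.get(user.role, set()):
        return False, f"role {user.role} is not entitled to {store}"
    if DATA_MAP[store] == "strictly confidential":
        if not any(r == user.name and s == store for r, s, _ in approvals):
            return False, "strictly confidential data requires an approved request"
    return True, "allowed"

def change_role(user: User, new_role: str) -> User:
    """Entitlements hang off the role, so moving someone revokes the old ones."""
    return User(user.name, new_role)
```

Because the check denies anything not in the data map, an unmapped backup drive shows up as a denial to investigate rather than a silent hole.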
Implementing a plan with these concepts in mind will help mitigate your risk from insiders. If you have questions about implementing these concepts or other cybersecurity recommendations, please contact the attorneys in our Privacy & Data Security group.