IT security leaders and legal professionals might not always have much in common in terms of their daily responsibilities, yet they are increasingly united in one essential aspect: defending their organization’s sensitive data and IP against a spectrum of threats, both from external parties and increasingly, from trusted insiders.
Insider threat describes a broad range of risks. Whether it’s a departing employee who copies sensitive IP to a USB on their way to a new job or a contractor who accidentally leaves an S3 bucket open, there are vast and multi-facted risks companies face. It’s an elusive problem to solve, and although 99% of organizations have some form of data protection in place, 78% have still had sensitive data leaked, according to our 2024 Data Exposure Report.
Regardless of whether data loss has resulted from general carelessness or true malicious intent, the result almost always includes financial losses and reputational harm that can take years to recover from. However, these ramifications represent only the tip of the data risk iceberg. When it comes to these particular threats, what often gets overlooked are the subsequent legal risks.
From data privacy violations to reporting obligations to shareholder lawsuits and other distracting litigation, IT security leaders are responsible for deploying the right technology controls to minimize these risks, and they also need to collaborate with their legal counterparts to keep a data loss event from becoming a full-blown legal crisis.
Bridging the IT-legal gap
While it’s nothing new for insiders to expose sensitive data – what has changed is the way we work. On the one hand, the rise of cloud computing and the adoption of mobile technology have made it easy to log in and work from anywhere. This convenience has made data much harder to manage – it lives in more places, gets automatically replicated across geographies and jurisdictions, and users can access it on a broader range of devices.
As more people are productive from anywhere, the harder our data becomes to secure; and the legal ramifications for these deficiencies are often steep. Consider the legal repercussions faced by Tesla after two former employees exfiltrated over 100GB of employee records last year, including bank records and other sensitive personal information. Beyond the significant damage to its reputation, the company also faces potential fines of $3.3 billion because of alleged violations of Europe's General Data Protection Regulation (GDPR).
Enterprise organizations face a complex web of legal responsibilities, ranging from compliance with data protection and privacy laws to adhering to industry-specific regulations – all of which require the legal, IT, and security teams to coordinate their efforts.
This collaboration becomes crucial in crafting policies that not only deter and detect insider threats, but also align with existing legal standards, reducing the potential for violations that could lead to severe penalties. It’s particularly true in industries governed by strict data protection laws, such as healthcare and finance, where non-compliance can result in hefty fines and loss of customer confidence.
In the event of a data breach, teams must collaborate quickly to manage the fallout – navigating through the intricacies of breach notification laws, regulatory compliance and reporting, and prepare for potential legal proceedings.
Three strategies for data risk mitigation
We need a combination of technology, tools, and processes to ensure that all of these parties are equipped with the information they need so they can respond in an accelerated fashion. Consider the following three strategies for mitigating the risk of data loss from insider threats:
- Focus on the timing: The difference between a minor incident and a material event often comes down to how quickly the team identifies the breach. If an employee takes data and it’s discovered within hours or days, teams will contain the damage and have a minor issue. But if the breach gets discovered the breach a year later, as happened to the Waymo breach when Anthony Levandowski stole over 14,000 critical documents, a company will have a major legal and intellectual property event.
- Insist on full visibility: When it comes to mitigating the risk of data exposure from inside threats, it’s essential to have full visibility into file activity across endpoint, cloud, and communication systems to accurately assess data exposure. Of course, comprehensive visibility on its own isn’t a silver bullet: teams also need to understand the context of user behavior. For instance, a sudden increase in file downloads by a user might initially seem suspicious. However, if the context reveals that the user works on a large project with an imminent deadline, such behavior could be innocuous. On the other hand, if the same activity occurs at an odd hour without any apparent business need, it could indicate malicious intent.
- Develop ongoing training programs for the staff: In many cases, employees don’t even realize they might have violated data policies. That’s why it’s not enough to communicate data security policies when an employee gets onboarded. Rather, make education ongoing and have it take place at the point when they are engaging in risky behavior, such as a notification when they download or upload data to an external drive or unsanctioned cloud service.
Although organizations can minimize insider threats with the right tools, companies will still have a hard time completely eradicating this kind of data loss because of today’s distributed enterprises and the unpredictable nature of the human element. However, by closing the gap that exists between IT, security, and legal and empowering these teams with the right tools, companies can have data protection strategy pays dividends.
Joe Payne, president and CEO, Code42