From intellectual property to proprietary design documents and confidential customer information, data has become a competitive differentiator for the new-age business. What this means, however, is that threats to data translate into risks to the business.
The Cost of Data Breach Study in India, conducted by the Ponemon Institute on behalf of Symantec, revealed that the average organisational cost of a data breach in India is R53.4 million, clearly indicating that organisations face serious, quantifiable consequences with the loss of data. The report further broke down the components of the total cost: detection, escalation and redressal formed a significant component, averaging R16.4 million and R20.9 million respectively. Victims lost R14.6 million on average in lost business costs, suggesting that customers abandon the organisation after a breach and that rebuilding loyalty or maintaining reputation can be expensive.
While instances of large-scale, sophisticated malicious attacks abound in the media, there is a silent, often overlooked danger: the threat from within.
In fact, reports by the Federal Bureau of Investigation in the United States indicate that insiders are a major target of adversaries' efforts to gain proprietary information and are also a leading source of these leaks. In a country like India, where data breach notification is not mandated, this threat often goes undisclosed. The Cost of Data Breach Study found that criminal insiders contribute to the most expensive types of data breaches, with organisations incurring a cost of R4,224 for every compromised record. Three out of four victims of malicious attacks experienced such breaches and 50% experienced theft of data-bearing devices.
In order to understand and mitigate this threat, we must first attempt to analyse the motivation and profile of the criminal insider. There are two archetypal IP thieves with differing motivations and attitudes:
The entitled, disgruntled thief: This employee was at least partially involved in developing the information he stole, and has become unsatisfied with his position or the company. In some cases this led him to feel he was entitled to take the information with him as he left the job. In other cases, he may have intended to use the information to further his career. About a month before leaving, he would copy the information using his authorised access, using it to either get or perform at his new job. He rationalised his actions by convincing himself that other employees were doing the same, or that the company would be unable to trace the theft back to him.
The Machiavellian leader: The primary motivation of this thief is ambition. He has specific plans to use the information, either selling it to another organisation or using it to develop a new, competing product. Unlike the disgruntled employee, he plans the theft carefully, perhaps even creating a new business and recruiting fellow employees to assist in the theft. He may have begun to steal the information more than a month before leaving the company and is less likely to show outward signs of dissatisfaction or impulsive behaviour.
Whatever the motive for the theft, the employee becomes a goal-oriented tactician, evaluating the necessary knowledge, skills and activities for extracting the protected information without being caught. This operational planning is often dynamic, adapting to the protective measures employed by the company.
Further, there are six channels through which IP thieves compromise critical information: email, removable media, printed materials, remote network access, file transfer, or downloads to laptops. With the twin strategic trends of cloud computing and mobility enabling anytime/anywhere access to information, the window of opportunity opens further. The greater the motivation and capacity of the rogue employee, coupled with ineffectively or inappropriately applied surveillance or protective measures, the higher the likelihood of success.
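One way a defender can turn the pattern described above (a departing employee copying information through one of these channels in the weeks before leaving) into a concrete detection check. This is an added example, not code from the article or from Symantec; the event log, HR departure dates, 30-day window and 3x ratio are all constructed or assumed values.

```python
from collections import defaultdict
from datetime import date, timedelta

# The six egress channels the article names.
CHANNELS = {"email", "removable_media", "print", "remote_access",
            "file_transfer", "laptop_download"}

# Constructed sample log records: (user, day, channel, bytes_moved).
EVENTS = [
    ("alice", date(2024, 4, 2), "email", 2_000_000),
    ("alice", date(2024, 4, 20), "file_transfer", 3_000_000),
    ("alice", date(2024, 5, 15), "email", 1_000_000),
    ("alice", date(2024, 6, 10), "removable_media", 40_000_000),
    ("alice", date(2024, 6, 21), "file_transfer", 55_000_000),
    ("bob", date(2024, 4, 5), "email", 5_000_000),
    ("bob", date(2024, 6, 12), "email", 4_000_000),
]
# Constructed HR feed: users who have given notice, with their last working day.
DEPARTURES = {"alice": date(2024, 6, 30), "bob": date(2024, 6, 30)}


def daily_rate(total_bytes, days):
    """Average bytes per day; zero when there is no observation period."""
    return total_bytes / days if days > 0 else 0.0


def exfil_indicators(events, departures, window_days=30, ratio=3.0):
    """Return {user: (baseline_rate, window_rate, channels)} for departing
    users whose per-day egress volume in the pre-departure window exceeds
    `ratio` times their earlier baseline (or any volume with no baseline)."""
    per_user = defaultdict(list)
    for user, day, channel, nbytes in events:
        if channel in CHANNELS and user in departures:
            per_user[user].append((day, channel, nbytes))
    flagged = {}
    for user, recs in per_user.items():
        start = departures[user] - timedelta(days=window_days)
        base = [r for r in recs if r[0] < start]
        win = [r for r in recs if start <= r[0] <= departures[user]]
        if not win:
            continue
        base_days = (start - min(d for d, _, _ in base)).days if base else 0
        base_rate = daily_rate(sum(n for _, _, n in base), base_days)
        win_rate = daily_rate(sum(n for _, _, n in win), window_days)
        if base_rate == 0 or win_rate > ratio * base_rate:
            flagged[user] = (base_rate, win_rate,
                             sorted({c for _, c, _ in win}))
    return flagged
```

In the sample data alice's egress rate jumps roughly thirtyfold in her final month (via removable media and file transfer) and is flagged, while bob's stays within normal variation and is not.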
To derive the greatest value from information and safeguard this key business asset, organisations need to use people, processes and technology, along with a holistic and information-centric approach.
However, if an employee is determined to take advantage of his access privileges, it becomes imperative for organisations to put in place a strategic framework for security. In fact, the study also discovered that organisations which appoint a chief information security officer (CISO) and centralise the management of data protection faced 46% lower costs due to data breaches than those organisations that didn't.
The following best practices can help organisations better protect their confidential information and prevent data breaches:
Assess risks by identifying and classifying confidential information
Adopt a strategic approach by deploying technologies such as data loss prevention technologies, which enable policy compliance and enforcement
Implement two-factor authentication
Proactively encrypt laptop computers to minimise consequences of a lost device
Educate employees on information protection policies and procedures, then hold them accountable
Implement an integrated security solution that includes reputation-based security, proactive threat protection, firewall and intrusion prevention in order to keep malware off endpoints
Integrate information protection practices into business processes
These initiatives are the building blocks of a holistic security strategy that can help organisations protect their critical information from being compromised and maximise the value they derive from it.
The writer is managing director, sales, India & SAARC, Symantec