Sergey Ozhegov, CEO of SearchInform
During these two years of the lockdown being on and off, business processes moved outside the offices and back inside, some security weak spots were disregarded, some of them emerged, some time was spent not working, some – wasted on financial recovery from inevitable slowing down. These factors might play a role in several biggest data breaches and security incidents India has recently faced. Air India had gone through a cyberattack on its servers which was announced in February 2021, Domino’s India’s data breach compromised the details of about 180 million orders exposing a million credit cards and other data in May – the information has recently become available outside the dark net and could be simply Googled by anyone curious. MobiKwik app’s user data was allegedly put up for sale violating the privacy of 110 million people, Facebook put at risk the contacts of 6 million Indians, 2.5 million Upstox clients got their data misused due to a third party failure to secure a data-warehouse. Juspay, payment processor, endangered the processing of records belonging to 100 million of users due to a leaked database in 2020.
If last year we talked about going remote, today we see that most organisations leave employees the opportunity to work from home permanently or several days a week. We can see this tendency happens to our clients – if in 2019 the companies had slightly more than 10% of remote employees, and in 2020 they relocated most of the staffers to work remotely, then in 2021 the percentage of remote workers decreased, but not significantly. Therefore, now the information security solutions need to be developed with this factor in developers’ minds.
It is well known that the transition to remote work has exacerbated information security problems. After all, it is much more difficult to control employee activity in a hybrid office (a significant part of employees has the opportunity to work at home for a certain amount of time) than in an enterprise in which information circulates exclusively within the corporate network.
At the same time, under the influence of the pandemic, the number of hybrid enterprises has increased markedly. For example, according to the IDC survey, if before the pandemic in 38% of the enterprises which took part in the survey no one was allowed to work at home, then after the first wave of the coronavirus the share of such enterprises decreased to 8%. At the same time, under the influence of the pandemic, the share of companies in which over 50% of employees had the right to spend more than half of their working hours at home increased from 15% to 35%.
The mindset of information security experts has changed. In the context of remote work, blocking of document transfer (financial documents, information to which the access is limited, personal data, etc.) has become critical. Therefore, the developers have strengthened and expanded the types of blocking in DLP systems. Previously, blocking features were implemented only for specific communication channels and specific applications. However, now insiders have access to hundreds of data transfer and communication channels – zoom, skype, instant messengers, video conferencing systems, etc. Therefore, there is a need for technologies that are not tied to a specific application. We are seeing an increased demand for open-source APIs. Customers want to be able to modify products for their own unique business processes, for rare or self-written software. Companies need seamless interoperability of all IT infrastructure components.
We also noted that if previously the topic of moving to the cloud was practically a ‘taboo’ for information security specialists, now the use of cloud technologies for many companies started to be the new normal. The Internet is becoming more reliable and end users have less and less questions about protecting cloud storage.
What do insiders leak, where to and in which ways?
80% of companies believe that internal information security incidents are more dangerous than external ones, according to SearchInform analysts based on the company’s research. The cause of these incidents can be both deliberate actions and disregard for the elementary rules of ‘cybersecurity hygiene.’ Moreover, unintentional actions of employees are the causes of information security incidents more often than deliberate and malicious ones.
Alexey Drozd, head of the SearchInform information security department, believes that SMB is most exposed to information security risks. The reason is that, as a rule, they do not use specialised software that allows automated control of employee actions and information movement. Therefore, managers can’t assess the likelihood of risks and the effectiveness of possible data protection measures.
To dig deeper, SearchInform analysts summarised information received about incidents in 50 SMB companies in six industries (wholesale and retail, manufacturing, services, IT, construction, thermal power), which was collected while outsourcing information security and data protection to professional services. The data collected using DLP systems showed that during the study (it lasted several months), attempts to leak data were recorded in each of 50 enterprises.
It also turned out that during the attempts to leak corporate data, employees most often (in 56% of cases) used external media – flash drives, hard drives, mobile phones and other equipment. Also, email (21% of cases) and cloud (19%) follow by a wide margin.
“To prevent employees from leaking data while uploading it to external media, the employer may prohibit copying data of a certain format. Or any documents on particular PCs. However, at the same time, there is a risk of slowing down some business processes, because then employees will not be able to perform part of their job duties. Therefore, such a measure must be applied pointwise. It is more efficient to use a data encryption tool – the document will be copied to an external storage, but the user will be able to open it only on authorised PCs, or if there are specific permissions (a password, for example). This will allow employees to share data, but will prevent data transfer outside the company,” as Aleksey Drozd said.
Insider’s psychology
This issue was raised by Alexey Filatov, scientific supervisor of the SearchInform profiling department, in his speech.
He highlighted that, according to the Cost of Data Breach Report, under the influence of the self-isolation mode due to remote work, the number of leaks increased fivefold!
Alexey Filatov, referring to the research of Owner Consulting, noted that 10% of people never stole, 10% of people always stole, and 80% of people would steal if they are under pressure or are offered remuneration. In this case, an insider’s motives can be divided into five large groups – negligence, revenge or resentment, profit, fraud, ideological considerations.
There are studies that claim that up to 40% of insiders and employees who commit serious violations of information security rules do not manifest themselves within the network environment before an incident. At the same time, more than 80% of insiders have significant personal and behavioral peculiarities, which can be identified and assessed so that the risk of the violation of information security rules by a specific employee can be calculated. However, as Alexey Filatov noted, tests and questionnaires won’t help with identifying personality traits that are important for specialists responsible for risk mitigation, since when filling out these questionnaires, employees give predominantly socially desirable answers.
In general, the portrait of an insider is as follows – this is a person who is more of a strong independent individual as opposed to a team player. In addition, this person is in pursuit of money, material values, and power in communication. Also, there can be high impulsivity and emotionality, mood swings, and gambling. High selfishness, conflict and aggressiveness, sabotage and lack of obligation in the performance of professional duties, high unfulfilled ambitions, low loyalty to the previous employer, the pursuit of personal privilege, average or low professional productivity based on KPI.
Alexey Filatov points out that digital behaviour of an insider is difficult to pattern. At the same time, an insider is characterised by:
- The desire not to use a corporate computer for personal purposes;
- Insignificant amount of entertainment traffic;
- Complete absence or minimal amount of positive linguistics in correspondence;
- A small number of open connections and contacts;
- Interest in politics and weapons;
- Episodic rather than constant network activity.
However, as Alexey Filatov further noted, there is a set of tools that allows, based on the analysis of the digital footprint of an employee, to compose his or her psychological profile for calculating the risks in the field of information security, as well as for identifying, delimiting and reducing potential risk groups without any leads and operational information. At the same time, the activity of an employee is assessed exclusively within a corporate computer, without invading privacy and violating any legal norms.
“Detailed knowledge and understanding of personnel allows companies not only to be proactive in preventing information leaks, but also to increase the efficiency of management and the work of the entire team,” said Alexey Filatov.
