Need to know, or really, really need to know?


From the latest set of statistics released as part of the Clearswift Insider Threat Index, the one that really caught my eye was that 35% of employees say they have access to information above their pay grade.

There have been some well publicised, (in)famous incidents where ‘over’ access to information by a legitimate employee or contractor has resulted in severe reputational damage, with Edward Snowden and Bradley Manning being two of the most renowned. However, insiders gathering information and then ‘selling it on’ is becoming more prevalent. A recent story about a naval engineer attempting to sell plans for a nuclear aircraft carrier made the news, and in a corporate equivalent an online pharmacy was recently fined £130,000 for selling on customer details; in this case critical information ended up in the hands of unauthorised users.

The ‘Insider Threat’ is growing

There is no doubt that the Insider Threat is real. And growing. The more people who have access to data, the greater the opportunity for data loss or theft to occur. There is now a need to restrict information not just on a ‘need to know’ but on a ‘really, really need to know’ basis to reduce and contain the risk. This marks the pendulum swinging back once more. When Open Systems first became available it was all about making it easy to share information with everyone in the enterprise, which has ultimately led to Snowden/Manning and other scenarios. The challenge now is for organizations to tighten up access – but without disrupting the business.

For many organizations there has been, or still is, a program in place to tighten up access control on file servers and collaboration applications such as SharePoint. This is ongoing and, with new projects starting all the time, constant rigor needs to be applied. The situation has been exacerbated by ‘the Cloud’, where collaboration is much more flexible but, with the added ability to collaborate with third parties, control is more difficult. I recently hosted a session at the ISSA Conference in Chicago on how to ensure you have a secure collaboration environment. However, when focussing internally there is still a vast hole that leaves critical information openly accessible – email.

Bringing DLP inside the organization

For almost all organizations, email to the outside world is now subject to multiple controls, the most important being Data Loss Prevention (DLP): ensuring that the good stuff doesn’t fall into the wrong hands. Clearswift introduced Adaptive Redaction to our solutions to solve the biggest DLP deployment challenge, the false positive: based on policy, critical information can be removed from email or documents while the authorized content continues on its way. This works well for external email, but what about internal email? Internal email traditionally hasn’t had DLP controls applied to it, which lets employees get around the controls placed on file servers and internal collaboration applications. In effect, anyone can send anything to anyone inside the organization – and this creates risk. Unnecessary risk.

To master this, Clearswift launched the SECURE Exchange Gateway (SXG), which enables organizations to put internal DLP policies in place, protecting information sent in email from unauthorized sharing. Segregated email systems are frequently found today in the defence and financial sectors, but are cost prohibitive for most. Furthermore, traditional data loss prevention (DLP) solutions deployed in segregated email environments habitually end up disrupting internal collaboration with their ‘stop and block’ behaviour. The SXG benefits from the latest Adaptive DLP functionality, which removes only the information that breaks policy yet allows the rest of the communication to continue through. A sophisticated, distributed operational model makes it easy and cost efficient to administer any policy breach events that may arise. Individual users can self-certify to release original content, or it can be routed for managerial release. Release is as easy as clicking a link in a notification email.
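The difference between ‘stop and block’ and removing only what breaks policy can be shown in a few lines. This is an added sketch, not Clearswift's code or the SXG policy engine: the department-based policy, the card-number pattern with a Luhn check to cut false positives, and the sample message are all assumptions constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Constructed policy: departments allowed to receive each data class internally.
POLICY = {"payment_card": {"finance"}}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(body: str, recipient_dept: str):
    """Return (body_to_deliver, redaction_count) for one internal recipient."""
    if recipient_dept in POLICY["payment_card"]:
        return body, 0  # authorised recipient receives the original
    count = 0

    def repl(match):
        nonlocal count
        digits = re.sub(r"\D", "", match.group())
        if not luhn_ok(digits):
            return match.group()  # false positive: leave the text untouched
        count += 1
        return "[REDACTED " + "*" * (len(digits) - 4) + digits[-4:] + "]"

    return CARD_RE.sub(repl, body), count


# Constructed sample message: one order number, one test card number.
MSG = ("Hi team, refund for order 1234567890123 is approved.\n"
       "Customer card: 4111 1111 1111 1111. Please process today.")

if __name__ == "__main__":
    for dept in ("finance", "marketing"):
        text, n = redact(MSG, dept)
        print(f"--- to {dept} ({n} redacted) ---\n{text}")
```

A block-only gateway would hold the whole message for the marketing recipient; here the refund approval still arrives and only the card number is withheld.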


It’s time for action

In many cases the insider threat can be mitigated simply by introducing simple access controls that limit critical information to only those who really, really need it. However, when it comes to email, there is a need to introduce new technology – internal data loss prevention. By using Adaptive Redaction or internal DLP it is possible to ensure that critical information remains safe from unauthorized eyes, while maintaining the continuous collaboration which is so essential in today’s modern business.

By Dr. Guy Bunker @guybunker
