Businesses are willing to spend large amounts of money to combat external threats to commercial data and sensitive trade secrets. However, the same cannot be said for threats posed by insiders against those same organizations.
Balancing external and insider threat detection and prevention is a major struggle for today's enterprises. Outdated technology is one reason for that, said Sudeep Venkatesh, chief product officer at U.K.-based privacy and risk management software company Egress Software Technologies Ltd.
Venkatesh, who completed Graduate studies at the University of South Wales and a Bachelor of Science in electrical engineering from Shivaji University, advocated using technology and insider threat awareness in tandem to limit risk and prevent data loss.
In this Q&A, Venkatesh outlined a hypothetical scenario in which an insider threat is posed and explained the role a people-centric and technology-centric approach plays in limiting employee- and contractor-caused security incidents.
Editor's note: This interview has been edited for length and clarity.
What is the best strategy to limit the risk of insider threats?
Sudeep Venkatesh: When we talk about email security, many organizations just focus on the prevent part -- that is, making sure data gets to the right person. Others focus on the protect part, which is using technology to secure communications. Organizations need to think about the marriage of prevent and protect when sharing sensitive data.
Once it is established that a sender is not misdirecting the communication to the wrong recipient, it is equally as important that the communication is protected by establishing a secure channel to properly deliver that data.
Why do security professionals need to adopt a people-centered approach to address insider threats?
Venkatesh: Look at how the risks to organizations have changed in the last four or five years. In the past, companies were interested in finding threats -- malware attacks and anomalies -- amongst bastions of data. But those threats have since changed. What causes businesses the most harm in terms of data loss today are the more focused and targeted phishing attacks. These spear-phishing attacks and business email compromise attacks are extremely targeted toward top people in the business.
I believe the way to mitigate these is to have a people-centric approach. Security on its own is a combination of policy, education and processes. Technology can also play a really big role in providing a safety net from focused attacks.
While insiders are responsible for a fair amount of breaches, I also believe insiders are our most valuable tool in protecting against these breaches. Many times, these breaches are initiated because of an action taken by an insider, whether that be malicious, unintended or accidental in nature.
How do you see advanced email security technology as an effective method to prevent misdirected communications before they happen?
Venkatesh: Data loss prevention [DLP] technology has been around for 20 years. DLP uses data rules to prevent breaches. For example, a hypothetical employee, Rebecca, can send credit card information in her communications, or she cannot. That is a data rule. DLP technology is very black and white in terms of rules. Since there are a number of rules that DLP technology has to manage, it also takes a lot of manpower facilitation.
Older styles of DLP technology could not tackle the more normative breaches, such as misdirected emails. There needs to be context -- if she's sending an accidental email, technology should compare that present behavior with past behavior to detect an anomaly, then take appropriate steps.
Now, in the past few years, there have been a number of technological advances in terms of the cloud platform that we have available and in terms of the data that we can process. We can build in rules based on Rebecca's normal behavior. These advanced technologies can help us crunch a lot of data to define past behavior so we can catch breaches.
One reply-all email from Rebecca could risk a data breach or exposure or GDPR noncompliance. Should insider threat awareness training supplement email security technology? Could that have stopped the reply-all mistake?
Venkatesh: An effective security program is a combination of processes, policies and security awareness training, as well as technology. At the end of the day, we are all human. We've been trained again and again to check an email for the correct attachments and the right people before we hit send. But, in today's world, people work long hours, people travel extensively and work while fatigued, and mistakes happen. Technology can add that last line of defense, even though you've got the processes and policies against sending data to the wrong recipient and even though Rebecca might have attended several training courses on these exact processes and policies.
What happens when technology catches something that does not look like Rebecca's normal behavior?
Venkatesh: First, the technology must distinguish an accidental security incident from that of a malicious one. In the case of accidental behavior, we have to do the technological equivalent of tapping her essentially on the shoulder. This is to point out to her that she has misaddressed the email or sent the wrong attachment. The technology's response is to make her aware and ask her to rectify the problem.
Technology should operate as close to the user as possible -- directly with Outlook or integrated directly with the mobile device where these emails are created and errors occur.
In the case of malicious emails, there's absolutely no point in tapping the user on the shoulder to tell them that they should not send this data out. They would just find another channel to send it. In that case, to catch those breaches and remediate them before they happen, the technology must quarantine those emails and advise the security administration or the user's manager of the breach.
Malicious and accidental breaches have the same hypothetical affect: They cause a lot of problems to organizations. But, certainly, the way to catch them and remedy them are very different.
What approaches to limiting false results have been successful? Can technology adapt to instances when deviations from normal behavior occur?
Venkatesh: When new technologies, like machine learning, are introduced, it is important to know they can work in a supervised or unsupervised mode. The technology is constantly reinforced by inputs coming in from the users. It can learn and even improve the statistics in terms of false positives.
Should organizations consider email security a top priority? What responsibility do tech companies have in encouraging this emphasis on communication security and DLP?
Venkatesh: Yes, definitely. There have been a number of news stories in the past few years about misdirected emails with sensitive data. If you look at the compliance picture of the world today -- for example, GDPR -- you see a number of new regulations that reflect data security initiatives. The California Consumer Privacy Act is another example. Local regulations in different cities or state governments are being rolled out as well that want to preserve the privacy of their citizens.
One big aspect of these regulations is that organizations that hold sensitive data need to treat it with great care and need to protect it during handling. In terms of upholding the fundamental privacy rights of their customers and citizens, organizations have a duty to safeguard consumer data.