C-level briefing: Clearswift’s Guy Bunker explains how you can defend against inadvertent and intentional data breaches.
"People have not specifically considered the possibility of people being bribed," says Clearswift’s SVP of Products, Dr. Guy Bunker.
He is talking about the insider threat, which is now reported by IT professionals as the primary driver of data loss incidents.
Bunker claims that the threat of malicious insiders leaking sensitive information from within an organisation is now critical.
"Ten years ago, I used to ask the audience how many people would give me their credentials for a million pounds – nobody ever put their hands up.
"But if you were in a call centre that was located offshore, the price for that information is substantially less. If you were being paid £10,000 a year and somebody offered you £10,000 that is an enormous amount of money.
"But even here, everybody has their price and they’ll quite happily admit to what that price is."
Bunker cites a July 2015 survey by Clearswift which found that 35 percent of employees would give away company information for money. 25 percent of employees would sell company data for less than $8000 and 35 percent of employees were open to bribes at $77,500.
"The scary thing was that by the time it got to £10,000, most of the people who had a propensity to give it away would give it away."
Although Bunker says that "most data loss incidents are created by insiders who are not malicious but are not concentrating", a good approach will address both intentional and unintentional actors.
However, technology should be the final tool in the security arsenal, says Bunker.
"Security in general and data loss is about reducing risk. The biggest risk without a shadow of a doubt is people.
"The first step is training and awareness, such as in recognising phishing emails, which are becoming more sophisticated. A lot of people release information about what they do in social media.
"After that you have policy. When it comes round to information security, people think about IT. But a lot of that comes from HR, such as acceptable use on a computer. The HR department now has quite a big role to play.
"The final piece is that once you’ve figured out what you’re doing with the people, you can look at putting in the technology. The technology is there to back up policy and people, to stop silly mistakes and stop malicious actors getting stuff out."
If the other two steps are not addressed first, technology will be at best ineffective and at worst actively detrimental.
"You can just throw technology at the problem, but then people will work around it. People will find they cannot send things through Gmail and copy it to a USB stick instead. You can spend a lot of money and end up with more problems than you had in the first place."
Bunker argues that the solution is adaptive threat redaction, which automatically seeks out and blocks sensitive information at whichever point it is exiting the corporate network.
"Clearswift’s solution looks for critical information if you try to send it out through email and anything you’re uploading or downloading over the web. It will also look for any critical information situated on your end-point, and if you are trying to copy it onto a USB, CD or DVD (if you happen to be Edward Snowden) and prevent you from doing so."
"The same solution that will prevent you from doing something stupid will prevent the malicious actor."
Clearswift’s product uses context to seek out sensitive pieces of information; for example, a 16-digit number is not necessarily a card number. But certain clues such as an expiry date or a name can be used to identify it as such.
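Context-based classification of the kind Bunker describes, as an added Python example (not Clearswift's own code): a 16-digit candidate is scored on its Luhn checksum plus the clues found around it (an expiry date, a personal name, card-related keywords) and is only treated as a card number when enough clues agree. The regexes, window size and threshold are assumptions chosen for illustration, and the sample messages are constructed.

```python
import re

# Heuristics for context-aware card-number detection (illustrative assumptions).
CANDIDATE = re.compile(r"\b(?:\d[ -]?){15}\d\b")               # 16 digits, optional spaces/dashes
EXPIRY = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:\d{2}|\d{4})\b")  # MM/YY or MM/YYYY
PERSON_NAME = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b")       # crude "First Last" pattern
KEYWORDS = ("card", "visa", "mastercard", "cvv")
WINDOW = 40      # characters examined on each side of a candidate
THRESHOLD = 2    # clues needed before a candidate is treated as a card number

def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:             # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def score_candidate(text: str, match: re.Match) -> dict:
    """Combine the number's own checksum with clues in the surrounding text."""
    digits = re.sub(r"[ -]", "", match.group())
    start, end = match.span()
    context = text[max(0, start - WINDOW):start] + " " + text[end:end + WINDOW]
    reasons = []
    if luhn_valid(digits):
        reasons.append("luhn")
    if EXPIRY.search(context):
        reasons.append("expiry")
    if PERSON_NAME.search(context):
        reasons.append("name")
    if any(k in context.lower() for k in KEYWORDS):
        reasons.append("keyword")
    return {"number": digits, "score": len(reasons), "reasons": reasons}

def scan(text: str, threshold: int = THRESHOLD) -> list:
    """Return only candidates with enough supporting context to act on."""
    findings = [score_candidate(text, m) for m in CANDIDATE.finditer(text)]
    return [f for f in findings if f["score"] >= threshold]

# Constructed sample messages; the card number is a widely published test PAN.
CARD_EMAIL = "Cardholder John Smith, card 4539 1488 0343 6467, expiry 12/27. Thanks!"
SHIPPING_NOTE = "Tracking number 4111111111111111 left the depot this morning."

if __name__ == "__main__":
    print(scan(CARD_EMAIL))     # flagged: luhn, expiry, name, keyword
    print(scan(SHIPPING_NOTE))  # [] -- checksum passes, but no supporting context
```

The second message shows why the checksum alone is not enough: the tracking number passes Luhn but has no expiry, name or card keyword nearby, so it is not flagged.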
Ultimately, there is no way back from the collaborative enterprise, nor any convincing reason why we should want one if security is handled correctly. What we need is a way to make sure that we get the best of both worlds.