This cybersecurity lore is well on its way to becoming cliché. But like most clichés, it’s true: Data doesn’t leave your organization on its own. People let your data out. They either take it with them, or they leave the door open for someone else to help themselves.
In this environment, where cybercriminals are less inclined to target software vulnerabilities and far more focused on our identities, the perimeter as we once knew it has disappeared. Today, our people are the perimeter—wherever they are, on-premises or in the cloud, and whatever systems, devices and credentials they use to access our data.
Needless to say, if cyberattacks are targeted at our people (or rather, their identities), then our cyber defenses must be targeted, too. But with large and often remote workforces accessing our networks across various endpoints, this is increasingly challenging.
To protect our people—and, in turn, our businesses—we need a deep understanding of who is accessing our data as well as how, when, where and why. It’s only when we have all this information that we can begin to place protections where they are needed most, educate users on the risks they face and fight threat actors on the new frontier of our identities.
Tackling insider threats
As if defending a new, more fluid perimeter wasn’t difficult enough, the increased focus on our identities presents another problem. Our people are already within our traditional defenses. So, to protect against malicious, compromised or careless users who are enabling data loss, we need to defend from the inside out.
Email remains the number one entry point for common and advanced threats, so any effective defense starts in the inbox. Our people must understand the importance of strong credentials, the risk of password reuse and sharing, and the dangers posed by phishing emails, malicious links and bogus attachments.
In our research for the 2024 State of the Phish report, Proofpoint found that security professionals in Europe and the Middle East rated password reuse as the riskiest behavior—and the second-most common behavior among end users.
Email protection tools can assist here, too, by filtering malicious messages before they reach the inbox. That helps to mitigate the compromised employee use case. However, security teams must always assume that threats will get through these lines of defense, even with detection rates above 99% being the norm. And when they do, additional layers of security are needed to stop them in their tracks.
Advanced enterprise data loss prevention (DLP) and insider threat management (ITM) tools provide this additional layer. By analyzing content, behavior and threat telemetry, these tools highlight anomalous or suspicious behavior that can lead to data loss.
Careless users were the most cited cause of data loss in our inaugural 2024 Data Loss Landscape report. To handle this use case, you might want to interrupt their careless behavior with a security prompt. For example, suppose an employee attempts to send confidential files in a plain text email. A simple pop-up advising them to reconsider their action could prevent this data from being exposed. A complete log of the incident is also captured, which can add real-world context to security awareness training. Another common careless action is sending an email to the wrong recipient. According to our research, 1 in 3 users misdirected one or two emails to the wrong recipient.
In the event of a malicious insider, intelligent DLP and ITM tools will spot and alert security teams to any high-risk behaviors. This could be a user who downloads an unauthorized app to a corporate machine or renames files to hide their intentions and cover their tracks.
As for leavers—who remain one of the primary reasons for insider-driven data loss—security teams can take a more proactive approach. By focusing on these high-risk employees, you can build an evidential picture of intent. With the right tools in place, you can capture activity logs, screenshots, email content and more for human resources and legal investigations.
Spotting account compromise
Insiders who actively exfiltrate or expose data are not the only risks we need to worry about in the age of the people-focused perimeter. We must be just as vigilant for threat actors who find their way inside our organizations.
Often, our people give these adversaries a helping hand, be it through weak passwords or falling victim to phishing and other attacks. However they get in, we need the tools in place to limit the damage that these malicious actors can cause. In most cases, the attackers behind compromised user accounts will try to blend in, moving laterally through our networks to escalate their privileges and earmarking data to steal later.
During this phase, an advanced DLP and ITM solution can detect anything out of the ordinary. For example, are the users:
- Attempting to access new data, systems or network locations?
- Logging in from a new or unusual location?
- Transferring files to or from new or unauthorized drives and devices?
If anything looks suspicious within the content a user is accessing or in the way that a user is accessing data, security teams can step in. They can move fast to remove permissions and prevent any further activity.
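The three signals listed above can be checked against a per-user baseline. The following is an added example, not Proofpoint's code or product logic: it builds a profile from constructed events and flags users whose new activity deviates from it. The event fields, the approved-device list and the threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events, not real telemetry. Field names are assumptions.
BASELINE = [
    {"user": "alice", "kind": "access", "value": "share://finance/reports"},
    {"user": "alice", "kind": "login", "value": "GB"},
    {"user": "alice", "kind": "transfer", "value": "onedrive-corp"},
    {"user": "bob", "kind": "access", "value": "share://eng/builds"},
    {"user": "bob", "kind": "login", "value": "DE"},
]
NEW_EVENTS = [
    {"user": "alice", "kind": "access", "value": "share://finance/reports"},
    {"user": "alice", "kind": "login", "value": "BR"},
    {"user": "alice", "kind": "access", "value": "share://hr/payroll"},
    {"user": "alice", "kind": "transfer", "value": "usb:unregistered"},
    {"user": "bob", "kind": "login", "value": "DE"},
]
APPROVED_DEVICES = {"onedrive-corp"}  # hypothetical allow-list of transfer targets


def build_profiles(events):
    """Map user -> event kind -> set of values seen during the baseline window."""
    profiles = defaultdict(lambda: defaultdict(set))
    for e in events:
        profiles[e["user"]][e["kind"]].add(e["value"])
    return profiles


def score_events(profiles, events, threshold=2):
    """Return {user: [reasons]} for users with at least `threshold` deviations."""
    findings = defaultdict(list)
    for e in events:
        seen = profiles[e["user"]][e["kind"]]
        if e["value"] not in seen:
            # New data location, login location or transfer target for this user.
            findings[e["user"]].append(f"new {e['kind']}: {e['value']}")
            seen.add(e["value"])  # report each novelty only once
        if e["kind"] == "transfer" and e["value"] not in APPROVED_DEVICES:
            findings[e["user"]].append(f"unauthorized device: {e['value']}")
    return {u: r for u, r in findings.items() if len(r) >= threshold}


if __name__ == "__main__":
    for user, reasons in score_events(build_profiles(BASELINE), NEW_EVENTS).items():
        print(user, reasons)
```

Requiring several deviations before alerting keeps a single new login location from paging the security team on its own, while a cluster of them on one account is surfaced for review.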
Defend data with Proofpoint Information Protection
Context is everything when you are trying to spot suspicious insider activity. That’s where traditional DLP often falls short. Legacy tools were born out of data centers and designed to understand what the average user might do across an organization.
Proofpoint Information Protection goes further. Its dual agent DLP and ITM capabilities protect against data loss by everyday users while focusing protections on high-risk employees. It is the only information protection platform that merges content classification, threat telemetry and user behavior monitoring across channels in a unified, cloud-native interface. That means you get a much clearer, more precise and in-context view of the potential risks coming from inside your business.
Tune in to the “Insider Insight” podcast series to find out more about how Proofpoint takes a human-centric approach to protecting data.
Looking for global security insights into departing users, determined attackers and misdirected emails? Download our inaugural 2024 Data Loss Landscape report.