It’s evident that there is a new battleground for loss prevention, and it’s lurking in the recesses of every company storing digital materials. The product exists as bits and bytes, and it won’t be carried out of stores or looted from warehouses. Instead, the new battle over loss prevention involves personal and company data stored to the tune of 2.5 quintillion bytes every day.
Indeed, data theft is a billion-dollar, bottom-line issue that impacts virtually every company in every sector.
Unfortunately, after years of high-profile, highly consequential data breaches, consumers are no longer letting companies operate with impunity in this regard. Now, shoppers are striking back, and they are using their wallets as a bludgeon. For instance, a recent study by Business Wire found that 81% of consumers would stop engaging with a brand online after a data breach, and almost as many would be willing to take their business elsewhere.
This new reality compounds the already increasing costs of a data breach, which IBM’s annual Cost of a Data Breach Report estimates to approach $4 billion. At the same time, the less quantifiable effects of brand erosion can have long-lasting consequences that may never be erased. As leaders at Yahoo, Equifax, and Facebook can testify, once a brand is associated with lax data security, that reputation can be hard to shake.
Consequently, data security has rightly become a bottom-line issue for every business.
While today’s data threat landscape is extensive, one of the most potent threats often resides in the office. Insider threats, both malicious and accidental, account for nearly half of all data breaches, which means that identifying and mitigating these threats is a tangible top priority in today’s digital environment.
Understanding Insider Threats
Insider threats come in many forms. Ill-equipped employees interacting with company data, empowered authority figures, and capable third-party contractors collectively comprise a threat landscape that puts customer data at risk.
Accidental Insider Threats
According to a 2019 study, 83% of security professionals “believe that employees have accidentally exposed customer or business-sensitive data at their organization.” Blurring lines between personal and professional technology and poor data management standards make accidental data sharing a veritable inevitability.
For instance, an Australian government employee accidentally emailed a spreadsheet containing people’s personal information, inadvertently causing a data breach that will impact hundreds of people.
In other words, it’s not just hardened criminals that steal company data. Many employees accidentally expose information in their everyday workflows.
In the EU, where data privacy regulations are costing companies ever-higher fines and fees, it’s estimated that 60% of data breaches reported to the Information Commissioner’s Office were the result of human error. Similarly, Shred-It’s 2019 Data Protection Report found that human error is the primary cause of data breaches in both the legal and financial sectors.
Negligence and accidents account for a significant number of data breaches, but they only account for a fraction of the data breaches impacting companies today.
Malicious Insider Threats
Although their primary motivation tends to be monetary, employees steal company data for many reasons. Some are taking company data to elicit bribes, while others want to prove a point. Regardless of the motivation, malicious insider threats pose a serious risk to data loss prevention and reputational management.
What’s more, their exploits tend to make headlines, inflicting further damage on companies unlucky enough to employ these bad actors. In October alone, insider threats of all types made headlines because of their successful data exfiltration attempts.
● A Yahoo engineer admitted to hacking 6,000 accounts of friends and colleagues to obtain personally embarrassing photos and information.
● An employee of Competitive Pest Services stole a treasure trove of company data that he brought to a competitor to leverage higher compensation.
● An American Express employee stole customer data, intending to use that information to perpetrate fraud.
Each of these episodes is remarkable because it is frighteningly normal: incidents like these occur regularly at companies of all sizes. Preventing these insider threats is a critical component of loss prevention in 2020.
Loss Prevention for Insider Threats
Today, digital tools exist that protect companies against data loss caused by all types of insider threats. In this regard, employee monitoring software has become the go-to technology for neutralizing insider threats because it gives IT administrators the insights and capabilities to identify risks and to prevent information from leaving the company.
When choosing this software, some priorities matter more than others.
1. Configurability. A one-size-fits-all approach to data security fails to account for the nuanced needs of every company. Therefore, software configurability needs to be a top priority when protecting company information.
Rather than applying a broad-brush approach to loss prevention, identify your purpose for monitoring and choose software that allows you to execute that priority with precision.
2. Privacy. In their quest to protect against insider threats, too many companies compromise employee privacy, proverbially robbing Peter to pay Paul. However, data protection and employee privacy aren’t antithetical to one another.
Instead, companies can harness software capabilities to protect employee privacy even as they guard against insider threats. Specifically, features like auto-redaction of personal information, limitations on time and place of monitoring, or automation can ensure that employee monitoring supports loss prevention initiatives without compromising employee privacy and, as a result, workplace culture.
3. Automation. Data loss prevention is a top priority at virtually every company, and the IT admins charged with this task are burning out. It’s estimated that as many as 64 percent of cybersecurity professionals have considered quitting their jobs, and nearly the same number are contemplating leaving the profession altogether.
Data loss prevention efforts can’t place further strain on your cybersecurity team. Instead, companies need to prioritize automation whenever possible. Modern employee monitoring software is capable of identifying risks, restricting data movement, and even enforcing data management standards. These functions significantly reduce the strain on IT professionals, ultimately making loss prevention a more tangible priority at any company.
An Ongoing Strategy
In 2020 and beyond, data loss prevention will be a critical component of every company’s loss prevention strategy. While this complex threat landscape can feel overwhelming, any company can combat digital loss by focusing on the most pressing risks, which inevitably means accounting for insider threats.
The stakes couldn’t be any higher. Companies that fail to appreciate the shifting nature of loss prevention in the digital age will find themselves losing money while experiencing a diminished customer base.
In contrast, for those that get this right, it can be a differentiator that keeps them competitive for years to come.
Isaac Kohen is vice president of R&D of Teramind, a leading, global provider of employee monitoring, insider threat detection, and data loss prevention solutions. Follow him on Twitter: @teramindco.