Manage these risk indicators to protect students, faculty, and staff against insider DLP risks
District IT teams need to know how to spot insider DLP risk indicators so they can confirm that their data loss prevention (DLP) strategy is actually working, whether the activity comes from a genuine insider or from an outside attacker using an insider's account.
Most insider DLP incidents are accidental, not malicious. But, even accidental exposure threatens student, staff, and faculty data privacy.
What are Insider DLP Risks?
Someone in your school district with authorized access to sensitive data becomes an insider DLP risk when they handle that data in an unauthorized or inappropriate way. Very often the exposure is accidental: for example, an authorized user creates a public link to a file that contains sensitive data.
However, malicious incidents do happen in K-12 school districts.
One clear example is the incident that took place in the Chicago Public Schools (CPS). A contract worker conducting background checks on employees had access to personal information about thousands of CPS employees, vendors, and contractors. CPS discovered that the contract worker had downloaded data and may have deleted portions of some files. The worker was charged with multiple counts of felony identity theft.
Insider DLP risks result in data breaches that are just as serious as a cyber criminal gaining unauthorized access to district data. Both can cause problems for students, faculty, and staff that can haunt those affected for years.
6 Insider DLP Risk Indicators
Many resources on the topic of insider threats focus on behavioral issues such as bad attitudes or complaints about financial problems. Here, we’re going to focus on account behaviors that you can spot based on how a person is using technology and data systems.
1. Downloading Sensitive Files
Most school information now lives in cloud apps like Google Drive, SharePoint, and Dropbox, among others. If one of your users starts downloading files from cloud storage, and especially if they download a large number of files in a short period, you need to investigate.
There could be innocent explanations for that behavior. The user may not realize that they can work on files directly in the cloud. They also may not realize that a downloaded copy sits outside the district's sharing controls and audit trail, so it can be leaked, lost, or carried off on a personal device without anyone noticing.
It’s worth investigating to find out if there is malicious intent or simply to help educate the user on how to use cloud apps more effectively, and why it’s important to protect data.
2. Sharing Sensitive Files Outside of the District
Sharing files outside of the district can happen in several ways if security and access settings are not configured properly.
Users can share sensitive files directly with people who aren't authorized to access them, or they can share files via a public link. The public link is perhaps the most concerning insider DLP risk indicator: anyone who obtains the link can open the file, and if the link is set to be discoverable, anyone on the internet can find the file through a search engine.
Cloud DLP policies should be configured to detect either type of sharing on files that contain sensitive information and to remove the offending permission automatically. That matters for student data privacy and wellbeing, and it is also required to comply with federal and state student data privacy laws.
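The policy described above, as an added example (not code from the article or from any DLP product): classify a file's content with a couple of simple detectors, then list the permissions that expose it outside the district. The permission records follow the shape of the Google Drive API v3 permissions resource (type, emailAddress, domain, allowFileDiscovery); the district domain, the sample files, the student-ID format, and the detectors themselves are constructed for illustration.

```python
"""Added example (not code from the article or from any DLP product): a small
DLP sharing-policy check for indicator 2. Each permission record follows the
shape of the Google Drive API v3 permissions resource (type, emailAddress,
domain, allowFileDiscovery); the district domain, the file contents and the
content detectors are constructed for illustration."""
import re

DISTRICT_DOMAIN = "example-school.org"   # assumed district domain

# Minimal content detectors. A real engine uses many more and validates matches.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "student_id": re.compile(r"\bSID-\d{6}\b"),   # hypothetical district ID format
}


def classify(text):
    """Return the set of sensitive-data types found in the text."""
    return {name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(text)}


def sharing_violations(permissions, district_domain=DISTRICT_DOMAIN):
    """Return (permission_id, reason) for each permission that exposes the file
    outside the district: a public link (type 'anyone', searchable when
    allowFileDiscovery is set), another domain, or an outside account."""
    findings = []
    for p in permissions:
        if p["type"] == "anyone":
            reason = "public link" + (" (searchable)" if p.get("allowFileDiscovery") else "")
            findings.append((p["id"], reason))
        elif p["type"] == "domain" and p["domain"].lower() != district_domain:
            findings.append((p["id"], "shared with external domain " + p["domain"]))
        elif p["type"] in ("user", "group"):
            addr = p["emailAddress"].lower()
            if not addr.endswith("@" + district_domain):
                findings.append((p["id"], "shared with external account " + addr))
    return findings


def permissions_to_revoke(file_record):
    """Apply the policy: a file containing sensitive data may not carry any
    public or external permission. Returns the permission ids to remove."""
    if not classify(file_record["content"]):
        return []      # nothing sensitive in it: external sharing is allowed
    return [pid for pid, _ in sharing_violations(file_record["permissions"])]


# Constructed sample files (not real district data).
SAMPLE_FILES = [
    {   # a staff roster with SSNs, shared by public link and with an outside address
        "name": "2021 staff roster.xlsx",
        "content": "Jane Doe, 123-45-6789, SID-004521, 5th grade",
        "permissions": [
            {"id": "perm-1", "type": "user", "role": "owner", "emailAddress": "hr@example-school.org"},
            {"id": "perm-2", "type": "anyone", "role": "reader", "allowFileDiscovery": False},
            {"id": "perm-3", "type": "user", "role": "reader", "emailAddress": "someone@gmail.com"},
        ],
    },
    {   # a lunch menu: public and searchable, but nothing sensitive, so allowed
        "name": "Lunch menu.pdf",
        "content": "Monday: pizza. Tuesday: tacos.",
        "permissions": [
            {"id": "perm-4", "type": "user", "role": "owner", "emailAddress": "office@example-school.org"},
            {"id": "perm-5", "type": "anyone", "role": "reader", "allowFileDiscovery": True},
        ],
    },
]

if __name__ == "__main__":
    for f in SAMPLE_FILES:
        print(f["name"], "->", classify(f["content"]), "revoke:", permissions_to_revoke(f))
```

In a real deployment the revoke list feeds a permissions-delete call against the cloud provider's API, and the detectors are the provider's or the DLP vendor's classifiers rather than two regular expressions; the policy logic, however, is exactly this: sensitive content plus any non-district permission equals a violation.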
3. Requesting Access to Files Containing Sensitive Information
Another insider DLP risk indicator to check on is when a user requests access to sensitive files when they don’t have an obvious reason to need them.
Occasional requests for access probably aren't a problem. But if there is a sudden increase in requests for access to multiple files and/or shared drives, it warrants a closer look. You may find an internal bad actor or an account takeover.
4. Abnormal Account Login and/or Activity Behavior
A good data loss prevention software solution will monitor for abnormal login activities.
A good example is an account login, or attempted login, from two locations that are too far apart for the same person to have travelled between them in the time between the two events. If a user logs in from the United States and an hour later logs in from China, that is impossible travel, and most data loss prevention tools can flag the second login as suspicious. Legitimate VPN use can produce the same pattern, so verify with the user before acting.
Another thing you need to monitor is changes in the level of activity for a user. If a "low talker" becomes a "top talker", it's a good idea to check that activity. When an account with historically low activity suddenly starts generating a high volume of downloads, shares, or messages, you need to be sure that there hasn't been an account takeover.
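Both checks from this indicator, as an added example (not code from the article or from any DLP product): an impossible-travel check over consecutive logins, and a volume check that flags an account whose activity today is far above its own daily baseline. The volume check is the same one you would apply to the bulk downloads in indicator 1. Coordinates would normally come from an IP geolocation lookup; here they are hard-coded for constructed events, and every threshold is an assumption to tune per district.

```python
"""Added example (not code from the article or from any DLP product): the two
account-behaviour checks from indicator 4 (impossible travel, and a quiet
account that suddenly becomes a top talker), run over constructed audit events.
The volume check also serves indicator 1's bulk downloads. Lat/lon would
normally come from an IP geolocation lookup; here they are hard-coded, and all
thresholds are assumptions to tune per district."""
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from statistics import mean

MAX_SPEED_KMH = 900    # faster than an airliner: treat as impossible travel
SPIKE_MULTIPLIER = 5   # today's count must exceed 5x the user's daily mean ...
MIN_TODAY = 50         # ... and be large in absolute terms, so 1 -> 8 is not an alert


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp such as 2021-03-01T09:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH):
    """logins: dicts with user, ts, lat, lon. Returns (user, from_ts, to_ts, km/h)
    for each pair of consecutive logins by one user that implies a speed above
    max_speed_kmh. Two logins at the same instant from different places count
    as infinite speed."""
    by_user = defaultdict(list)
    for e in logins:
        by_user[e["user"]].append(e)
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: parse_ts(e["ts"]))
        for prev, cur in zip(events, events[1:]):
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours > 0:
                speed = km / hours
            else:
                speed = float("inf") if km > 0 else 0.0
            if speed > max_speed_kmh:
                findings.append((user, prev["ts"], cur["ts"], speed))
    return findings


def volume_spikes(daily_counts, multiplier=SPIKE_MULTIPLIER, min_today=MIN_TODAY):
    """daily_counts: {user: [day1, ..., dayN, today]}. Flags users whose count
    today is both large in absolute terms and far above their own daily mean,
    which is the 'low talker turned top talker' pattern. A dormant account with
    no history at all is compared against a baseline of zero, so it is flagged
    as soon as it crosses min_today. Returns {user: (today, baseline_mean)}."""
    flagged = {}
    for user, counts in daily_counts.items():
        history, today = counts[:-1], counts[-1]
        baseline = mean(history) if history else 0.0
        if today >= min_today and today > multiplier * baseline:
            flagged[user] = (today, round(baseline, 1))
    return flagged


# Constructed sample data. Coordinates: Chicago, Shanghai, Springfield IL.
SAMPLE_LOGINS = [
    {"user": "alice", "ts": "2021-03-01T09:00:00Z", "lat": 41.8781, "lon": -87.6298},
    {"user": "alice", "ts": "2021-03-01T10:00:00Z", "lat": 31.2304, "lon": 121.4737},
    {"user": "bob",   "ts": "2021-03-01T09:00:00Z", "lat": 41.8781, "lon": -87.6298},
    {"user": "bob",   "ts": "2021-03-01T12:00:00Z", "lat": 39.7817, "lon": -89.6501},
]
# Daily download counts for the previous seven days plus today (last element).
SAMPLE_DAILY_DOWNLOADS = {
    "alice": [2, 1, 0, 3, 1, 2, 0, 140],        # low talker turned top talker
    "bob":   [60, 55, 70, 65, 58, 62, 59, 75],  # busy, but normal for bob
    "carol": [0, 0, 0, 0, 0, 0, 0, 12],         # small blip, below MIN_TODAY
}

if __name__ == "__main__":
    for user, t_from, t_to, speed in impossible_travel(SAMPLE_LOGINS):
        print(f"impossible travel: {user} {t_from} -> {t_to} at {speed:.0f} km/h")
    for user, (today, base) in volume_spikes(SAMPLE_DAILY_DOWNLOADS).items():
        print(f"volume spike: {user} {today} downloads today vs daily mean {base}")
```

The absolute floor (MIN_TODAY) is what keeps the ratio test from paging you every time a user who normally downloads one file downloads eight; the ratio is what keeps a genuinely busy account like bob's from being flagged for a normal day.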
5. Lateral Phishing Email Behavior
Lateral phishing refers to a bad actor sending phishing emails, containing links and/or attachments, from an account inside your domain. Because the messages genuinely originate from your own mail system, they pass the sender-authentication checks (SPF, DKIM, DMARC) that catch spoofed external mail, and traditional email and phishing filters typically treat internal-to-internal mail as trusted, so this kind of attack can wreak havoc on your domain.
Further, to the recipient, it looks like the email is from a trusted source and they are more likely to open and click on links or download attachments. This is a well-known and relatively simple way for bad actors to gain further access to your protected data.
This is definitely one of the insider DLP risk indicators that means you have at least one account takeover on your hands, and the criminal is trying to gain access to additional accounts.
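One way to surface this indicator from outbound mail logs, as an added example (not code from the article or from any mail-security product): a fan-out heuristic that flags an internal sender when the same non-allow-listed link reaches many distinct internal recipients within a short window, which is how a compromised account usually drip-sends a lure. The district domain, the allow-listed link hosts, the thresholds, and the sample messages are all constructed assumptions.

```python
"""Added example (not code from the article or any mail-security product): a
fan-out heuristic for lateral phishing, run over constructed outbound-mail
events. The district domain, the allowed link hosts and the thresholds are
assumptions to tune per district."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

DISTRICT_DOMAIN = "example-school.org"
# Hosts that legitimately fan out to whole classes (assumed allow-list).
ALLOWED_LINK_HOSTS = {"classroom.google.com", "docs.google.com", "www." + DISTRICT_DOMAIN}
FANOUT_THRESHOLD = 10            # distinct internal recipients of one link ...
WINDOW = timedelta(minutes=30)   # ... within this sliding window


def is_internal(addr):
    return addr.lower().endswith("@" + DISTRICT_DOMAIN)


def lateral_phishing_candidates(messages, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """messages: dicts with sender, ts (aware datetime), recipients, urls.
    Returns (sender, url, recipient_count) for each internal sender whose
    non-allow-listed link reached at least `threshold` distinct internal
    recipients inside `window`."""
    deliveries = defaultdict(list)          # (sender, url) -> [(ts, recipient)]
    for m in messages:
        if not is_internal(m["sender"]):
            continue                        # external senders are ordinary phishing, handled elsewhere
        for url in m["urls"]:
            host = urlparse(url).hostname or ""
            if host in ALLOWED_LINK_HOSTS:
                continue
            for rcpt in m["recipients"]:
                if is_internal(rcpt):
                    deliveries[(m["sender"].lower(), url)].append((m["ts"], rcpt.lower()))
    findings = []
    for (sender, url), hits in deliveries.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = {r for ts, r in hits[i:] if ts - start <= window}
            if len(in_window) >= threshold:
                findings.append((sender, url, len(in_window)))
                break                       # one finding per sender/link pair
    return findings


def sample_messages():
    """Constructed outbound mail: one compromised account drip-sending a lure,
    plus two legitimate patterns that must not be flagged."""
    t0 = datetime(2021, 3, 1, 14, 0, tzinfo=timezone.utc)
    msgs = []
    for i in range(12):   # lure sent to one colleague at a time, two minutes apart
        msgs.append({"sender": "jsmith@example-school.org", "ts": t0 + timedelta(minutes=2 * i),
                     "recipients": [f"staff{i}@example-school.org"],
                     "urls": ["https://account-verify.example.net/login"]})
    msgs.append({"sender": "mlee@example-school.org", "ts": t0,   # class link to 25 students
                 "recipients": [f"student{i}@example-school.org" for i in range(25)],
                 "urls": ["https://classroom.google.com/c/abc123"]})
    msgs.append({"sender": "mlee@example-school.org", "ts": t0,   # external article to three colleagues
                 "recipients": ["a@example-school.org", "b@example-school.org", "c@example-school.org"],
                 "urls": ["https://www.example.com/article"]})
    return msgs


if __name__ == "__main__":
    for sender, url, count in lateral_phishing_candidates(sample_messages()):
        print(f"possible lateral phishing: {sender} sent {url} to {count} internal recipients")
```

Grouping by the exact URL is deliberate: a compromised account sends one lure, while a teacher sharing links over a week sends many different ones, so the per-link count separates the two even when total mail volume looks similar.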
6. Risky Third-Party App Connections
3rd party app downloads in education increased 30% from Q1 2019 to Q1 2020.
With the increased use of remote learning, it's understandable that schools are using many more third-party apps than ever before. But this significantly increases your district's risk of a data breach and of student data privacy violations.
In many cases, students, faculty, and staff use their school credentials to sign in to apps through OAuth that have nothing to do with work or school. In other cases, they connect free educational apps that request broad account access but that haven't been developed with the necessary infrastructure or API security protections.
Some apps are malicious. Others are simply not well developed or secured. When such an app is granted broad permissions to your Google and/or Microsoft domain, it holds an access token that lets it act on the user's data with those permissions, without the user's password and without triggering MFA, so anyone who compromises the app can reach every app and/or file the grant covers.
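A way to triage the OAuth grants in your domain by how much they can reach, as an added example (not code from the article or from Google or Microsoft): score each grant by the breadth of its scopes and by whether the app is one the district has vetted. The scope strings are real Google and Microsoft Graph scope names; the three risk tiers, the app names, the users, and the approved list are constructed assumptions.

```python
"""Added example (not code from the article or from Google/Microsoft): score
OAuth grants by the breadth of the scopes they hold and whether the app has
been vetted by the district. The scope strings are real Google and Microsoft
Graph scope names; the tiering, app names and approved list are assumptions."""

# Broad read/write access to everything in the account: the worst case for DLP.
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/drive",          # all Drive files
    "https://www.googleapis.com/auth/gmail.modify",   # read, send and delete mail
    "https://mail.google.com/",                        # full Gmail access
    "Files.ReadWrite.All", "Mail.ReadWrite", "Directory.ReadWrite.All",  # Microsoft Graph
}
# Broad read-only access: still a bulk exfiltration path.
MEDIUM_RISK_SCOPES = {
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/contacts.readonly",
    "Files.Read.All", "Mail.Read",
}
# Narrow: identity only, or only the files the user opens with the app.
LOW_RISK_SCOPES = {
    "openid", "email", "profile", "User.Read",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/drive.file",
}
LEVELS = ("low", "medium", "high")


def score_grant(grant, approved_apps):
    """grant: dict with app, user, scopes. Returns (level, reasons)."""
    scopes = set(grant["scopes"])
    level, reasons = 0, []
    high = scopes & HIGH_RISK_SCOPES
    medium = scopes & MEDIUM_RISK_SCOPES
    unknown = scopes - HIGH_RISK_SCOPES - MEDIUM_RISK_SCOPES - LOW_RISK_SCOPES
    if high:
        level = 2
        reasons.append("broad read/write scopes: " + ", ".join(sorted(high)))
    elif medium:
        level = 1
        reasons.append("broad read-only scopes: " + ", ".join(sorted(medium)))
    if unknown:                     # a scope nobody has reviewed cannot be called low risk
        level = max(level, 1)
        reasons.append("unreviewed scopes: " + ", ".join(sorted(unknown)))
    if grant["app"] not in approved_apps and level >= 1:
        level = 2                   # broad access held by an unvetted party
        reasons.append("app is not on the district's approved list")
    return LEVELS[level], reasons


def triage(grants, approved_apps):
    """Return (level, app, user, reasons) for every grant, highest risk first."""
    scored = []
    for g in grants:
        level, reasons = score_grant(g, approved_apps)
        scored.append((level, g["app"], g["user"], reasons))
    return sorted(scored, key=lambda s: LEVELS.index(s[0]), reverse=True)


# Constructed sample grants and approved list (not real apps or users).
APPROVED_APPS = {"District LMS", "Free Grade Tracker"}
SAMPLE_GRANTS = [
    {"app": "District LMS", "user": "teacher1@example-school.org",
     "scopes": ["openid", "email", "https://www.googleapis.com/auth/drive.file"]},
    {"app": "Free Grade Tracker", "user": "teacher2@example-school.org",
     "scopes": ["openid", "https://www.googleapis.com/auth/drive.readonly"]},
    {"app": "Fun Quiz Game", "user": "student7@example-school.org",
     "scopes": ["profile", "https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/gmail.modify"]},
]

if __name__ == "__main__":
    for level, app, user, reasons in triage(SAMPLE_GRANTS, APPROVED_APPS):
        print(f"{level:6} {app:18} {user}  {'; '.join(reasons)}")
```

The "high" results are the grants to revoke first: a game holding full Drive and Gmail access for a student account is an open door regardless of whether the developer is malicious or merely careless. The scope lists here are a starting point; any scope your team has not reviewed is scored at least medium rather than assumed harmless.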
Insider DLP risks are not new. Detecting them can be more difficult for schools using cloud apps like Google Workspace and/or Microsoft 365 without the proper cloud security tools and configurations. Most can benefit from shifting from a perimeter-focused security mindset to a zero trust cybersecurity one.
These behavioral indicators can help you focus on those account behaviors that are most likely to signify that you have a problem in your system. Most often, insider DLP risk behaviors are the result of authorized users simply sharing files improperly. Whether they are accidental or malicious, your team needs to keep sensitive information secure to protect students, staff, and district financial information.