Mitigating insider DLP risk factors is critical as districts use more cloud applications
Data loss prevention (DLP) should be at the top of every district IT team’s summer projects list. Data loss comes in many forms. Some are the result of an outsider gaining access. But oftentimes it’s because of the actions of authorized users in your own IT environment. This is why it’s critical to focus on and know how to mitigate insider DLP risk factors.
Insider risks are increasing due to the rise in the use of cloud apps in schools, such as Google Workspace and Microsoft 365. To prevent data loss from “insider” users, you need to put more emphasis on cloud DLP and zero-trust security, rather than focusing solely on network security and firewalls.
What are Insider DLP Risks?
Insider DLP risks come from someone in your district who is authorized to access sensitive data. Either intentionally or by accident, that person exposes sensitive data by using it in an unauthorized or inappropriate way.
For example, an administrator may click on a link in a phishing email and let a cybercriminal into your stored data. On the other hand, there are examples of insiders stealing sensitive data to profit from selling it.
Research on the subject of insider threats in businesses, in general, indicates that 34% of data breaches are caused by insiders, and 21% of those breaches were the result of an error on the part of the insider. So, insider DLP risks aren’t causing the majority of data breaches, but they still represent a significant risk to your district’s data, student safety and data privacy, and your ability to comply with state and/or federal data loss prevention regulations.
4 Ways to Mitigate Insider DLP Risks
Many security systems are focused on preventing outsiders from accessing your data. But, given how often insiders cause data breaches, you need to ensure that your security also focuses on preventing those incidents. Here are four tips you can use to help mitigate insider DLP risks.
1. Change Your Security Mindset
Take a hard look at your security infrastructure and your data loss prevention methods. If you have excellent tools for preventing external data breaches, but not much emphasis on preventing insider threats, you need to change your mindset.
Treat insider threats as seriously as those coming from outside; that shift leads you toward a more balanced approach to data security.
2. Limit Access to Your Data
Identify where your sensitive data resides and categorize it based on who should be allowed to access it. Then apply an access model that strictly limits access to only those individuals who need the data to do their jobs. For example, not everyone needs access to students’ Social Security numbers (SSNs), and the people who need access to faculty and staff SSNs are often not the same people who need access to student SSNs.
Don’t give insiders access to sensitive data without carefully analyzing their needs. Data security experts recommend starting with the most stringent access policies, then opening up access gradually as users request it. At that point, verify whether the access is truly warranted and whether it should be time-bound, meaning granted only for a short period and then restricted again.
3. Implement Zero Trust Cybersecurity
Zero trust cybersecurity brings several benefits for insider risk. It is intended to secure your data itself rather than just the perimeter of your network: your systems don’t trust anyone by default, whether they are coming from inside or outside your network.
Beyond that, your security systems monitor the activities of anyone accessing your apps, files, and other resources, regardless of the type of device a person is using or the network they’re on. This is especially important for remote learning, where insiders are accessing your systems from a variety of devices.
4. Monitor Behavior
Abnormal user account behavior can be difficult to detect in cloud applications without cloud data loss prevention tools.
Monitoring it is important, however, because aberrant behavior helps you identify insider DLP risks. Monitoring behavior can tip you off to a potential account takeover, a “rogue insider”, or simply a well-meaning user who isn’t handling sensitive data properly.
Traditionally, schools have done a great job of securing devices, hardware, and network endpoints. But they’re not as well protected when it comes to cloud app security. For example, Google Drive data loss prevention needs to be configured and managed differently than traditional, on-prem software.
Common Insider DLP Risk Indicators
Once you have the infrastructure in place to restrict access to sensitive data and to monitor user behavior, here are the top insider DLP risk indicators you need to look for to mitigate insider risks.
- Downloading files: There may be innocent reasons why an insider would download sensitive files, but it could also be an indicator of a DLP threat or an account takeover.
- Sharing files outside the district: For example, an insider might accidentally share a file using a public link. Or, they could have a malicious reason for sending sensitive data outside of your district.
- Requesting access to sensitive information: You need to check on requests from a user for access to files that they aren’t already allowed to access. If you’ve done your categorization and access rules well, this could be a signal of an account takeover or a malicious actor.
- Abnormal activities: Look for logins from unapproved locations, impossible travel (such as a login from the US followed a few hours later by a login attempt from China), or significant changes in an account’s level of activity.
- Lateral phishing emails: Lateral phishing happens when a cybercriminal takes over an account and sends phishing emails from it. Those emails often slip past traditional phishing protection filters because they come from a trusted domain: yours. Look for suspicious patterns such as a student account emailing every teacher in the school.
- Risky third-party apps: Schools are using more third-party apps than ever before. Look for apps that aren’t on your approved list or that request risky access permissions.
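As an added illustration (not the article’s own code or any vendor’s tooling), here are three of the indicators above, downloads, external sharing and impossible travel, written as checks over a handful of constructed cloud audit events. The event fields, the district domain, the 900 km/h travel ceiling and the 25-downloads-per-day threshold are all assumptions.

```python
# Added example (not from the original article): checking constructed cloud
# audit-log events for three of the insider DLP indicators listed above.
# The event fields are an assumption modelled loosely on cloud-suite audit logs.
from collections import Counter
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

DISTRICT_DOMAIN = "example-district.org"  # assumed district domain
MAX_SPEED_KMH = 900                        # faster than this between logins = impossible travel

# Constructed sample events (not real data).
EVENTS = [
    {"type": "login", "user": "jdoe", "ts": "2024-05-01T08:00", "lat": 41.88, "lon": -87.63},   # Chicago
    {"type": "login", "user": "jdoe", "ts": "2024-05-01T11:00", "lat": 39.90, "lon": 116.40},   # Beijing
    {"type": "share", "user": "asmith", "ts": "2024-05-01T09:15", "file": "student_ssn.csv",
     "sensitive": True, "target": "anyone_with_link"},
    {"type": "share", "user": "asmith", "ts": "2024-05-01T09:20", "file": "flyer.pdf",
     "sensitive": False, "target": "parent@gmail.com"},
    {"type": "share", "user": "bwong", "ts": "2024-05-01T10:00", "file": "iep_records.xlsx",
     "sensitive": True, "target": "counselor@example-district.org"},
] + [{"type": "download", "user": "jdoe", "ts": f"2024-05-01T12:{m:02d}"} for m in range(40)]

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(events):
    """Users whose consecutive logins imply travel faster than MAX_SPEED_KMH."""
    logins = sorted((e for e in events if e["type"] == "login"), key=lambda e: (e["user"], e["ts"]))
    flagged = set()
    for prev, cur in zip(logins, logins[1:]):
        if prev["user"] != cur["user"]:
            continue
        hours = (datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
        if hours <= 0 or km_between((prev["lat"], prev["lon"]), (cur["lat"], cur["lon"])) / hours > MAX_SPEED_KMH:
            flagged.add(cur["user"])
    return flagged

def external_sensitive_shares(events):
    """Sensitive files shared by public link or to an address outside the district domain."""
    return [(e["user"], e["file"], e["target"]) for e in events
            if e["type"] == "share" and e["sensitive"]
            and (e["target"] == "anyone_with_link" or not e["target"].endswith("@" + DISTRICT_DOMAIN))]

def download_spikes(events, threshold=25):
    """Users who downloaded more than `threshold` files on a single day."""
    per_day = Counter((e["user"], e["ts"][:10]) for e in events if e["type"] == "download")
    return {user for (user, _day), n in per_day.items() if n > threshold}
```

The sensitivity flag on each file is the output of the categorization work from tip 2 above; without it the share check has nothing to key on.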
Cloud monitoring is one of the most important things you can do to mitigate insider DLP risks in your school district. Cloud apps like Google Workspace and Microsoft 365 are where most cybersecurity, safety, and data privacy incidents in schools occur today, yet cloud monitoring is often overlooked by districts across the country. Now is the time to ensure that you have cloud protections in place to safeguard your district.