Protiviti / SharePoint Blog

SharePoint Blog

February 17
Protecting Corporate Information from Insider Threats

​Enterprises face ever increasing and evolving threats to their internal corporate information every day.   The “insider threat” is just one of those threats, where the risk comes from internal employees exposing, stealing, destroying or over-sharing sensitive corporate data.  Threats from insiders present unique risks and challenges based on the fact that employees require legitimate access to data and systems in order to accomplish day to day work.  Some require privileged administrative access due to the nature of their role.  As well, employees typically have a need to know which information is most sensitive or valuable to the business.  Given that such access and knowledge is required to keep a business and its employees productive, how do we solve this problem in modern businesses today so that sensitive corporate information is protected, even from insiders?

Viewing the Insider Threat as a Unique Issue
If we look at the “threat from external actors” versus the “insider threat” and consider which poses the biggest risk, we’ll often find that both are very real risks and that each need very specific multi-faceted solutions.  I had the opportunity to pose this exact question to a special agent of the FBI cybercrime task force in late 2015.  His feedback was interesting, which can be summarized as:
•    Both threats can be equally as dangerous;
•    Threats from external actors tend to occur more frequently but result in smaller data exposures;
•    Insider threats tend to occur less frequently, but when they do happen they can have a bigger impact because those actors already know which information is most sensitive or valuable, and where to find it.

The insider threat is unique, in that it requires InfoSec teams to protect the business from its own employees, and at the same time not stop or slow down the business.  Part of the challenge lies in the fact it requires that we protect corporate information from people that have a real need to access to it.  Additionally, the threat can exist at any level within the enterprise, from senior executive to entry level employees, from IT staff to information worker. 

From our experience, we do find that the majority of employees want to follow corporate policy and help protect business’ sensitive data.  However, a small number of (or even one) malicious or disgruntled user can cause real damage through the theft, damage or exposure of sensitive corporate data.  We have seen some very real examples of the impact of insider threats with WikiLeaks and Snowden in recent years.  Not all information leaks from insiders are malicious - more often than not, they tend to be inadvertent or accidental.  Accidentally sharing sensitive data with the wrong people, either inside or outside the organization, typically accounts for the majority of information leaks.

Challenges with the Insider Threat
Looking at the overall issue of protecting the enterprise from an insider threat we find that the key challenges are:
•    Employees are already legitimately within the perimeter network require access to corporate systems and information to be productive. 
•    Employees need to know where sensitive information is stored in order to gain access, request access and accomplish day to day work.  As well, we typically want employees to participate in protecting that data. 
•    IT and administrative staff require privileged access to systems, and this typically also gives them access information stored within those systems.
•    Even when employees understand corporate security policies, it can be difficult to understand when they are working with sensitive data.  When varying types of sensitive information exist, with varying handling policies, it can be difficult to understand who they can data with.
•    Although information security has gained the attention of corporate boards in recent years, businesses are reluctant to stop or slow down business.  Solutions are needed and desired, but the need to keep the business and employees productive is often the priority.  As well, if security measures are slowing users down they often find ways around security measures to get their work done.
•    Monitoring, reporting and alerting capabilities are needed, but they can be ineffective.  They are typically administered by IT or InfoSec teams residing in IT.  It’s difficult for them to know which employees and which information to monitor.
o    Do you monitor entry level employees more than vice presidents?  Which information, from which departments is most valuable? 
o    Do you monitor fellow IT or InfoSec team members? 
o    Reports and alerts can often be issued too frequently and cause them to be considered ‘noise’, resulting in critical alerts being missed.  Effective monitoring and alerting requires ongoing active management of the reporting tools.
•    If the business has large amounts of data stored across multiple disparate systems, with uncontrolled or unknown access rights, the challenges are compounded in that, even if information governance polices exist, enforcing them can be an overwhelming challenge. 

Protecting against the Insider Threats with 5 Key Steps
From experience, we have found that the most effective solutions to protect against insider threats have multiple facets, are more about implementing effective information governance (not only building a plan) and involve some form of organizational change.  Our recommended process for addressing risks posed by insiders include:

1.    Audit Your Content and Access
Enterprises begin with an audit of current environment(s) to determine where corporate data exists, which information is sensitive and which access permissions are currently configured.  Data may exist on network files shares, in ECM systems like SharePoint, on desktops, email servers or databases.  Determine up front if all or a subset of these environments will be accounted for.  Defining which information is sensitive requires careful consideration.  Depending on the industry this may be PII (personally identifiable information), financial data, intellectual property, compliance related data or any combination of types.  Often definitions of sensitive data can be vague – for example, the financial industry often looks for Material Non-Public Information (MNPI) which refers to information that is not publically available that a reasonable investor would like consider important in making an investment decision.  Even for people working in the financial industry and with this type of data every day, it can be difficult to determine if a particular piece of data is MNPI or not.

2.    Identify Data Ownership
Identifying data owners across the organization is a key step in getting control of sensitive data, understanding where it resides and how it is shared.  Data owners represent individuals throughout the organization who understand a particular type of data produced from a business perspective as well as the compliance, security and retention obligations required for that data.  Data owners can be identified by department, business unit, service area or even by information type.  They can be executives, directors, or even assistants.  Data owners are responsible for either approving access requests or granting access to a particular type of data, and ensuring that data is shared in such a manner that the organization’s compliance and security obligations are met. 

3.    Conduct an Access Certification and Remediation Program
Once data owners have been identified, a program is typically conducted to have those data owners review the current access permissions for their content.  Through an organized and facilitated process, data owners may either certify that current access permissions are correct, or they may request changes to remediate those permissions.  Develop a clear process for either applying the requested remediation changes, or facilitating data owners making changes themselves before certifying that permissions are correct.  Careful tracking and documentation throughout the process is necessary, especially if the documentation will be used as part of a regulatory compliance audit.  Once an initial permission certification process is complete, ensure that recertification programs are scheduled to occur periodically, between every 3 and 12 months depending on the nature of the business.  Periodic review and recertification of permissions by data owners, along with appropriate documented records of the process, is a critical step in ensuring that the business continually maintains appropriate control of sensitive data. 

4.    Classify Your Data
Defining a classification schema for the organization which is used to identify documents that are sensitive and, more specifically a sensitivity label for each document, can provide significant insight for employees.  Classification labels help to educate employees as to when they are working with a sensitive piece of information, who they may share it with and which type of handling policy is required.  Classification labels in business can include concepts like: confidential, sensitive, restricted, public, internal use only, etc.  Ensure that classification labels are saved as metadata within documents, ensuring that as documents move or are shared throughout the organization the security classification remains with the document.  Since access to sensitive content is being reviewed during an access recertification program, it may provide an ideal opportunity for organizations to label documents with a security classification.

5.    Implement an Access Request Process
Once the previous steps mentioned are complete, and the organization has certified and remediated permissions on content throughout the organization, it’s important to put in place security measures to ensure that we continue to protect against insider threats and that access control issues do not arise again.  Typically access control issues in SharePoint and other ECM environments arise as a result of permissions being granted over time, through various mechanisms in the organization.  Permissions are often granted by individuals who have access to do so but who may not understand the broader implications to the business of over-sharing or without the appropriate approvals. 

Establish a new centralized process for employees to request access to corporate data.  Using a centralized process, regardless of the target system (SharePoint, file shares or otherwise), can ensure that approvals by data owners and managers are always received prior to access being granted, that access requests always follow a consistent process, that the access request and resulting outcome (grant or deny) are logged for historical reporting purposes and that the organization always has a record of why users were granted access to sensitive data.

In Closing
There are several solutions available to the threat that insiders pose to our corporate information.  Ultimately, the most impactful will be one in which the organization gets firm control over where sensitive information lives and who has access to it.  As well, implementing real information governance policies which change the organization to one in which users are aware of sensitive information and how to handle it, along with streamlined standardized processes for gaining access and sharing data appropriately will be your best defense.

To learn more about how we can help with your SharePoint Security, contact our SharePoint Security Specialist at ECM@Protiviti.com.

Quick Launch


© Protiviti 2019. All rights reserved.   |   Privacy Policy