Q&A: Varonis Field CTO Brian Vecci

Too Much Company Data ‘Is Open to Everybody’

By Patrick W. Dunne

Some of the most significant breaches the world has seen in the past few years — Tesla, Target, Capital One — all came from within the company.

About a third of all data breaches involve insiders, according to the 2019 Verizon Data Breach Investigations Report.

Brian Vecci, field chief technology officer at Varonis Systems Inc. in New York, tells Digital Privacy News that companies are vulnerable to such attacks in many ways.

What’s the main motivation behind such attacks?

It can be anything — usually greed, personal gain, fear or stress.

As an insider, you have access to proprietary or confidential information. Often, it’s information you don’t even need to access.

We’re seeing a significant uptick in insider activity these days, driven by people who are afraid of losing their jobs.

They’re looking for job security or information that might help them in the next job.

Sometimes, they’re just poking around trying to look at HR information to figure out if they’re getting laid off.

What can a company do once an insider has stolen and sold private data?

It depends on what the information is. In some cases, they might have a responsibility to notify their customers or the public at large of a breach.

They may be able to sue or go to law enforcement.

The problem with data breaches, especially large databases or data breaches of personal information, is that it’s tough to put the toothpaste back in the tube.

Companies certainly have a responsibility to try to respond and mitigate the damage done by something like that.

There’s sometimes not much they can do.

If someone gets my financial information, I’ll need credit monitoring or something similar. But the damage has been done at that point.

One of the main reasons why companies are so concerned about insider threats is that they’re incredibly difficult to defend. It’s also incredibly difficult to prevent, as insiders have access to very valuable information.

This happens a lot more than you think.

According to IBM, companies take an average of 206 days to identify a breach. Why so long?

There are three main reasons.

The first is that insiders have access to far more data than they need. As your role grows and changes, you need access to different files to do your job. This happens all the time.

What doesn’t happen is removing access for files you no longer need.

Think of it this way: Imagine you joined a company and received a building key. Then, you move to another building but keep the old key.

Now, replace “key” with “data” — and multiply it by a few million times. That’s what’s happening.

On average, about 20% of the data inside a company is open to every single employee — and it’s not by design. It’s just because things get misconfigured.

The second reason is that companies don’t monitor data in any useful way. Far too much of it is open to everybody — and far too little of it is monitored.

Insiders have too much access, and nobody watches what they’re doing.

Finally, it takes about six months or more for companies to recognize a breach because indications don’t show up until it’s too late.

If nobody is watching the data, how will you know that someone’s stealing it? You won’t find out until it ends up on the dark web or in the hands of a competitor.

Put these reasons together, and you have a perfect storm of vulnerability.
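The two conditions described above, data open to catch-all groups and access that nobody has used since a role change, can both be measured from an ACL listing and a file-access audit log. The following is an added example and is not code from the interview or from Varonis: it expands a constructed ACL listing into effective per-user access, reports which folders are exposed to everyone, and lists grants that have not been exercised in 90 days. The share paths, group names, user list and the 90-day threshold are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Catch-all principals whose presence on an ACL makes a folder open to every employee.
# Assumed names for this example; substitute the principals your directory actually uses.
OPEN_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Constructed sample data (not from any real environment).
ALL_USERS = {"alice", "bob", "carol", "dave"}
GROUP_MEMBERS = {
    "Finance": {"alice"},
    "HR": {"carol"},
    "Engineering": {"bob", "dave"},
}
# ACL entries as (folder, principal, principal_type).
ACL_ENTRIES = [
    ("/shares/finance/payroll", "Domain Users", "group"),  # misconfigured: open to all
    ("/shares/finance/payroll", "alice", "user"),
    ("/shares/finance/forecasts", "Finance", "group"),
    ("/shares/hr/reviews", "HR", "group"),
    ("/shares/hr/reviews", "bob", "user"),                 # bob moved to Engineering but kept the key
    ("/shares/eng/designs", "Everyone", "group"),          # misconfigured: open to all
    ("/shares/eng/specs", "Engineering", "group"),
]
# File-access audit events as (timestamp, user, folder).
ACCESS_LOG = [
    ("2020-05-01 09:12", "alice", "/shares/finance/payroll"),
    ("2020-05-02 10:30", "alice", "/shares/finance/forecasts"),
    ("2020-05-03 11:05", "carol", "/shares/hr/reviews"),
    ("2020-05-04 14:20", "bob", "/shares/eng/specs"),
    ("2019-10-15 16:45", "bob", "/shares/hr/reviews"),    # last use of the old key
    ("2020-05-05 09:00", "dave", "/shares/eng/specs"),
]
NOW = datetime(2020, 5, 6, 18, 0)


def open_fraction(acl_entries):
    """Return (fraction of folders open to everyone, sorted list of those folders)."""
    folders = {folder for folder, _, _ in acl_entries}
    exposed = {folder for folder, principal, ptype in acl_entries
               if ptype == "group" and principal in OPEN_GROUPS}
    return len(exposed) / len(folders), sorted(exposed)


def effective_access(acl_entries, group_members, all_users):
    """Expand ACL entries into folder -> {user: [how each grant was obtained]}."""
    access = defaultdict(lambda: defaultdict(list))
    for folder, principal, ptype in acl_entries:
        if ptype == "user":
            access[folder][principal].append("direct ACE")
        elif principal in OPEN_GROUPS:
            for user in all_users:
                access[folder][user].append(f"open group {principal}")
        else:
            for user in group_members.get(principal, ()):
                access[folder][user].append(f"group {principal}")
    return access


def stale_entitlements(acl_entries, group_members, all_users, access_log, now, max_idle_days=90):
    """Grants not exercised within max_idle_days: the old building keys.

    Returns (user, folder, grant_reasons, days_idle) tuples sorted by folder then user;
    days_idle is None when the user has never touched the folder at all.
    """
    last_seen = {}
    for ts, user, folder in access_log:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if (user, folder) not in last_seen or t > last_seen[(user, folder)]:
            last_seen[(user, folder)] = t
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for folder, users in effective_access(acl_entries, group_members, all_users).items():
        for user, reasons in users.items():
            seen = last_seen.get((user, folder))
            if seen is None or seen < cutoff:
                idle = None if seen is None else (now - seen).days
                stale.append((user, folder, ", ".join(reasons), idle))
    return sorted(stale, key=lambda row: (row[1], row[0]))


if __name__ == "__main__":
    fraction, exposed = open_fraction(ACL_ENTRIES)
    print(f"{fraction:.0%} of folders are open to everyone: {exposed}")
    for user, folder, reasons, idle in stale_entitlements(ACL_ENTRIES, GROUP_MEMBERS, ALL_USERS, ACCESS_LOG, NOW):
        age = "never used" if idle is None else f"unused for {idle} days"
        fix = "remove the ACE" if reasons == "direct ACE" else "replace the catch-all grant with a role group"
        print(f"{user:6} {folder:26} via {reasons:24} {age}: {fix}")
```

Two things stand out in the report. Bob's direct ACE on the HR folder is a clean removal candidate, since his only use of it predates his move. The larger block of unused grants comes from the two folders exposed to catch-all groups: every employee "has" access to them and almost nobody uses it, which is exactly the condition that lets a stale key go unnoticed.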

What are the signs that someone might want to misuse private data?

One of the biggest signs is that they start accessing data that they’ve never looked at before or data they haven’t looked at in a long time.

They could also be accessing it from an unusual place, device, or time of day.

Companies that monitor such information can recognize suspicious signs.

For example, most companies record what happens in their VPN, which allows employees remote access into the company’s network.

A company might notice that someone is coming from a place they’ve never seen before. That’s one warning sign.

Then, the company can look at what device the person is using, what data they’re accessing — and if this behavior is different from their peers.

Of course, companies can analyze user behavior to identify unusual activity better.
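The indicators in this answer (data the user has never or not recently touched, a new place, device or time of day, behavior that differs from peers) can be expressed as a small baseline-and-deviation check. The following is an added example and is not code from the interview or from Varonis: it builds a per-user baseline from constructed file-access events, then scores new events against that baseline and against the folders the user's department peers actually use. The event fields, department mapping, 90-day dormancy window and two-indicator alert threshold are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M"

# Constructed sample data (not from any real environment).
DEPARTMENT = {"alice": "finance", "erin": "finance", "bob": "engineering",
              "dave": "engineering", "carol": "hr", "frank": "hr"}

# Historical file-access events: (timestamp, user, folder, source location, device).
BASELINE_EVENTS = [
    ("2020-04-01 09:05", "alice", "/shares/finance/forecasts", "office-nyc", "alice-laptop"),
    ("2020-04-02 16:40", "alice", "/shares/finance/payroll", "office-nyc", "alice-laptop"),
    ("2020-04-03 11:00", "erin", "/shares/finance/payroll", "office-nyc", "erin-laptop"),
    ("2020-04-01 09:30", "bob", "/shares/eng/specs", "office-nyc", "bob-laptop"),
    ("2020-04-03 18:10", "bob", "/shares/eng/designs", "office-nyc", "bob-laptop"),
    ("2019-10-15 16:45", "bob", "/shares/hr/reviews", "office-nyc", "bob-laptop"),  # old role
    ("2020-04-02 08:15", "dave", "/shares/eng/specs", "home-vpn-nj", "dave-laptop"),
    ("2020-04-06 17:00", "dave", "/shares/eng/specs", "home-vpn-nj", "dave-laptop"),
    ("2020-04-01 09:00", "carol", "/shares/hr/reviews", "office-nyc", "carol-laptop"),
    ("2020-04-07 17:30", "carol", "/shares/hr/reviews", "office-nyc", "carol-laptop"),
    ("2020-04-03 10:00", "frank", "/shares/hr/reviews", "office-nyc", "frank-laptop"),
]

# Events to score against that baseline.
NEW_EVENTS = [
    ("2020-05-04 10:00", "bob", "/shares/eng/specs", "office-nyc", "bob-laptop"),
    ("2020-05-04 23:30", "bob", "/shares/hr/reviews", "vpn-unknown-ro", "bob-personal-pc"),
    ("2020-05-05 11:00", "dave", "/shares/eng/designs", "home-vpn-nj", "dave-laptop"),
    ("2020-05-05 09:30", "alice", "/shares/finance/payroll", "office-nyc", "alice-laptop"),
    ("2020-05-06 14:00", "carol", "/shares/finance/payroll", "home-vpn-ct", "carol-laptop"),
]


class AccessBaseline:
    """What each user normally touches, from where, on which device, and at what hours."""

    def __init__(self, events):
        self.last_access = {}               # (user, folder) -> most recent datetime
        self.folders = defaultdict(set)     # user -> folders seen
        self.locations = defaultdict(set)   # user -> source locations seen
        self.devices = defaultdict(set)     # user -> devices seen
        self.hours = defaultdict(set)       # user -> hours of day seen
        for ts, user, folder, location, device in events:
            t = datetime.strptime(ts, TS_FORMAT)
            if (user, folder) not in self.last_access or t > self.last_access[(user, folder)]:
                self.last_access[(user, folder)] = t
            self.folders[user].add(folder)
            self.locations[user].add(location)
            self.devices[user].add(device)
            self.hours[user].add(t.hour)

    def peer_folders(self, user, department):
        """Folders touched by anyone else in the user's department."""
        dept = department.get(user)
        peers = [u for u, d in department.items() if d == dept and u != user]
        return set().union(*(self.folders[u] for u in peers))


def score_event(baseline, event, department, dormant_days=90):
    """Return the list of ways this event departs from the user's and peers' baseline."""
    ts, user, folder, location, device = event
    t = datetime.strptime(ts, TS_FORMAT)
    flags = []
    last = baseline.last_access.get((user, folder))
    if last is None:
        flags.append("folder never accessed by user")
    elif (t - last).days > dormant_days:
        flags.append(f"folder dormant for {(t - last).days} days")
    peers = baseline.peer_folders(user, department)
    if peers and folder not in peers:     # no peers means no comparison, not an anomaly
        flags.append("folder not used by department peers")
    if location not in baseline.locations[user]:
        flags.append(f"new location {location}")
    if device not in baseline.devices[user]:
        flags.append(f"new device {device}")
    hours = baseline.hours[user]
    if hours and not (min(hours) <= t.hour <= max(hours)):
        flags.append(f"outside usual hours {min(hours):02d}:00-{max(hours):02d}:59")
    return flags


def find_suspicious(baseline, events, department, min_flags=2):
    """Events that trip at least min_flags indicators; one oddity alone is usually noise."""
    hits = []
    for event in events:
        flags = score_event(baseline, event, department)
        if len(flags) >= min_flags:
            hits.append((event, flags))
    return hits


if __name__ == "__main__":
    baseline = AccessBaseline(BASELINE_EVENTS)
    for (ts, user, folder, location, device), flags in find_suspicious(baseline, NEW_EVENTS, DEPARTMENT):
        print(f"{ts} {user} -> {folder} from {location} on {device}")
        for flag in flags:
            print(f"    - {flag}")
```

The threshold matters: Dave opening a design folder for the first time is one indicator, but his engineering peers use that folder, so it stays below the bar. Bob reading HR reviews he last touched seven months ago, at 23:30, from an unfamiliar VPN endpoint and an unmanaged device, trips five indicators at once, which is the pattern the answer describes.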

What should companies do to secure data?

If you don’t want your data accessed inappropriately by insiders, you should limit user access to only what they need.

But smart companies do something to prevent insider threats.

First, make sure insiders can’t access data they don’t need. Second, they start watching data … . They know which data is sensitive and could potentially cause issues if exposed.

Is limiting access the most effective way to stop insider breaches?

That’s the best thing a company can do. Organizations shouldn’t trust insiders or outsiders at any time.

Too many companies try the castle-and-moat strategy, where they spend their resources protecting themselves from outsiders, while ignoring potential insider threats.

The best way to prevent an insider from stealing data is to not give them access in the first place.

Sophisticated insiders can, of course, get access to things that they don’t initially have access to. There are ways to get around it.

But the first thing a company should do is just make sure people can’t access stuff they don’t need. If companies just do that, they’ll dramatically reduce their risk when it comes to insider threats.

Patrick W. Dunne is a San Francisco writer.
