Regardless of how one feels about the information disclosed in the leak itself, the Uber Files provide some very stark lessons on insider risk that organizations and their security teams should take to heart.
Risk Lives for Longer Than You Think
First, insider risk can have a much longer half-life than many organizations plan for today. In the case of Uber, the leaked data was more than six years old and was obtained by a former top executive who worked for the company until 2016. At the time, the executive was an active participant in the very practices that he would expose years later. This underscores an important point: people and their motivations can change over time, and how they treat data tomorrow may be entirely different from how they treat it today. Once an organization loses control of its information, there is no getting it back.
This longevity of risk to data that leaves the control of an organization is true for a wide range of threats beyond leaks and whistleblowers. Many organizations are rightly concerned about employees taking intellectual property and trade secrets with them when they change jobs and move to a competitor. Organizations often think of this risk in the following scenario: an employee decides to jump ship to a competitor and goes to download the company’s crown jewels before walking out the door. And while this scenario of a knowingly malicious insider certainly DOES happen, it is far from the whole story.
Much like the Uber executive, insiders naturally have access to a wide variety of data in the course of doing their jobs. They may take this data out of the company in a variety of ways without malicious intent, such as uploading it to a personal Google Drive for easier access on their personal iPad or saving it to a USB drive to more easily work on a project from home. The user could move to a competitor months or years later and be tempted to reuse the data, either for a leg up or simply to get a new project done faster. And while the user initially intended no malice, the damage is the same. The user’s circumstances changed, but the risk was always the same.
This example highlights why it’s critical to proactively manage insider risk to prevent the data from leaving the company’s control in the first place. Once the company loses control of the data, the only difference between a risk and a breach is a former employee changing their mind.
More Data Is at Risk Than You Think
The Uber leak also highlights the diversity of data that can damage an organization. Included in the over 124,000 files the former Uber executive shared with the media were internal communications sent via emails and messaging apps such as WhatsApp and iMessage. Other types of information included presentations, financial invoices, and various types of internal documents.
These types of data are often poorly controlled for a variety of reasons. Intellectual property and internal communications don’t obviously stand out as valuable in the way that customers’ credit card or social security numbers do. This type of information also passes through many hands, being copied, pasted, and shared in various ways. Information moving through the organization naturally spreads beyond the circle of users that it was intended for. Furthermore, many of the apps that are used to share data, such as Google Drive and WhatsApp, use end-to-end encryption and certificate pinning that prevent security tools from inspecting the content.
These realities are forcing organizations to update their approach to insider risk. Instead of protecting data by exception, organizations must be able to see and control the risk of virtually any type of content or information. This requires visibility into insider risk that truly understands the life of data and how it is used and transformed as a part of business workflows. Instead of identifying important information based only on its content, organizations must be able to track any data based on what it means to the business: Where is the data from? Who has used or shared the data? In what ways should it be shared and with whom? Who has access to the data?