Sage Suffers Alleged Data Breach From Malicious Insider, What Can Businesses Do to Protect Themselves?

Last week's data breach from the accountancy and payroll software firm Sage seems to have come from a malicious insider, if the arrest of a company employee at Heathrow airport is anything to go by.

Whilst it is still unclear what information may have been leaked, Sage started notifying the affected customers earlier in the month that some of their information, possibly including names, addresses, and bank account details, may have been compromised.  Exact numbers of affected companies and individuals remain unknown, but 280 businesses are thought to have had personal information of their employees compromised.

The first thought for anyone in network security naturally goes to asking themselves the question, "how can I stop this from happening to me?" Whereas firewalls and endpoint protection can protect against malicious software and human-borne policy breaches, little protection exists against an employee with access to sensitive data leaking information.

First, as always, is training. Employees who understand the implications of data breaches, and how to protect themselves, can be a better network security system than even the most advanced protection software. This advice holds for protecting against intentional data exfiltration too: employees who understand how seriously their company takes data protection are less likely to run the risk of breaching company policy. Of course, this won't be true in every case, so given a determined insider, what's next?

Companies need to restrict who is accessing what data. Locking down sensitive information to only those who need to access it greatly reduces the number of potential leaks. Not only does this make incident response easier, but a 50% reduction in how many employees can access sensitive data means halving the number of employees who could leak that data in the first place. Tying data access to individual, named accounts is a must when dealing with data that is considered sensitive, whether it's customer data, company data, or valuable intellectual property held by a business.

There are also internal systems that can restrict how much data is sent from a network, as well as where data can be sent. Locking down services such as Dropbox, OneDrive, or iCloud Drive can cut off the exfiltration route immediately; the same goes for restricting USB use on client devices. Proper deployment of policy management can reduce exfiltration vectors across the board, and with fewer legitimate routes out, large external data transfers become far easier to spot with network monitoring techniques.

Which brings us to the last point: using network monitoring systems. Proper visibility of network activity is the key to understanding data flow throughout a network, as well as into and, crucially, out of a protected network. Deploying tools that can carry out this task has the dual benefit of catching the exfiltration phase of data-theft malware as well as insiders intentionally leaking data. For the more patient thief, slow leaking of data over days or weeks can also be picked up, often reducing the number of affected customers. Perhaps Sage could have picked up on this activity earlier and reduced the number of affected customers to double figures, instead of hundreds?
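To make the last two points concrete, here is an added example (not code from Sage or from the original article) showing the kind of per-account egress check a monitoring system would run. It takes constructed outbound flow records (timestamp, account, destination, bytes out), ignores destinations ending in an assumed ".internal" suffix, and raises two kinds of alert: a bulk transfer that exceeds a daily threshold, and a slow drip where an account sends a modest amount to external hosts on several separate days without ever tripping the bulk threshold. The thresholds, the field layout and the hostnames are all assumptions for the illustration.

```python
"""Per-account outbound transfer checks over constructed flow records.

Added example; not Sage's, nor any vendor's, monitoring code. The record
format, the ".internal" suffix convention and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample flow log (not real traffic): "timestamp user dst_host bytes_out"
SAMPLE_FLOWS = """\
2016-08-01T09:12:00 alice mail.example.internal 120000
2016-08-01T10:03:00 bob dropbox.com 95000000
2016-08-01T10:08:00 bob dropbox.com 91000000
2016-08-01T11:30:00 carol crm.example.internal 40000
2016-08-01T12:15:00 dave 203.0.113.7 4800000
2016-08-02T09:40:00 alice mail.example.internal 110000
2016-08-02T13:05:00 dave 203.0.113.7 5100000
2016-08-03T08:55:00 carol crm.example.internal 38000
2016-08-03T14:20:00 dave 203.0.113.7 4900000
2016-08-04T16:45:00 dave 203.0.113.7 5200000
2016-08-05T10:10:00 dave 203.0.113.7 4700000
"""


def parse_flow(line):
    """Split one whitespace-separated record into a dict with typed fields."""
    ts, user, dst, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "dst": dst, "bytes": int(nbytes)}


def is_external(dst, internal_suffix=".internal"):
    """Assumed convention: anything not under the internal suffix leaves the network."""
    return not dst.endswith(internal_suffix)


def daily_external_egress(flow_text):
    """Return {user: {date: bytes_out}} counting only external destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        if is_external(rec["dst"]):
            totals[rec["user"]][rec["ts"].date()] += rec["bytes"]
    return totals


def detect_exfiltration(flow_text, burst_bytes=100_000_000, drip_bytes=1_000_000, drip_days=3):
    """Flag bulk transfers (BURST) and sustained low-volume leaks (SLOW_DRIP).

    BURST: an account sends >= burst_bytes to external hosts in a single day.
    SLOW_DRIP: an account sends >= drip_bytes on at least drip_days distinct
    days while never reaching burst_bytes, the pattern a daily threshold alone
    would miss. Thresholds are illustrative assumptions, not recommendations.
    """
    alerts = []
    for user, per_day in daily_external_egress(flow_text).items():
        for day, total in sorted(per_day.items()):
            if total >= burst_bytes:
                alerts.append(("BURST", user, f"{total} bytes to external hosts on {day}"))
        active_days = [d for d, t in per_day.items() if t >= drip_bytes]
        if len(active_days) >= drip_days and max(per_day.values()) < burst_bytes:
            alerts.append(("SLOW_DRIP", user, f"{len(active_days)} days above {drip_bytes} bytes"))
    return alerts


if __name__ == "__main__":
    for kind, user, detail in detect_exfiltration(SAMPLE_FLOWS):
        print(f"{kind:9} {user:6} {detail}")
```

In the sample, bob's two large uploads to a cloud storage host trip the bulk rule on the first day, while dave never sends more than a few megabytes at a time but does so on five separate days to the same external address, which only the multi-day rule catches. Accounts whose traffic stays on internal hosts produce no alert at all, which is why tying access and egress to individual accounts, as the previous paragraphs argue, matters: the check is only as good as the attribution behind it.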

Large numbers of businesses around the world aren't equipped to counter these types of threats. Our conversations with the market suggest that most UK businesses have no method of detecting authorised personnel leaking data, preferring instead to focus their network security on known malware.