Addressing the Insider Threat

by Steve Smith on August 27, 2009

I came across an article from Brian Sears on SearchSecurity.com yesterday titled “Security technologies fail to address insider threat management.” He does a very good job of outlining a case for far more consideration of the insider threat when it comes to IT security planning. It is an especially important consideration as he points out that “statistics indicate that most breaches occur at the hands of a current or former employee.”

In my experience there are two distinct categories of insider threats that companies must deal with, unintentional and malicious, and both require unique approaches to counter the threat.

First, let’s look at threats that emerge because of unintentional employee actions. Generally these are caused either by employee mistakes or simply by a lack of training and education about proper security policies. Mistakes are hard to prevent altogether, but proper procedures and education can prevent mistakes. When that fails, it is critically important to have auditing procedures in place that can catch the mistake and minimize the severity of the incident.

Here are a couple of examples where unintentional actions resulted in sensitive data loss and significant costs to the company:

Mistakes like these are difficult to prevent. To minimize your risk, establish clearly communicated security policies governing access and use of this data. In addition to policies, implement technologies that control and audit access to this sensitive data. Taking these steps helps employees avoid embarrassing and costly mistakes.

The second type of threat to deal with is an insider with malicious intent whose aim is to harm the company, benefit himself, or both. This type of data breach is all too common, and there are numerous incidents that point to this type of threat:

  • Last month American Express became a victim of an insider attack when an employee stole thousands of AmEx numbers and used them to steal over a million dollars from customers.
  • A few months ago an employee of Claire’s Accessories stole the credit card numbers of over 150 customers and used them to purchase over $15,000 in goods.

If you are interested in looking at more data thefts and how they occurred, I recommend visiting datalossdb.org, whose purpose is “documenting known and reported data loss incidents worldwide.” You will be amazed at what a large percentage of these incidents are due to both accidental insider exposure and malicious insider exposure.

So what can you do? Begin by establishing clear security policies, implement appropriate security technologies and audit trails, and enforce your policies. Brian Sears points this out clearly in his article:

“So what can companies do to help mitigate the human factor in security? In every case companies need to start with well-developed policies that are embraced by senior management then adopted as part of company culture. They need to train employees to understand what’s in the policy and the company’s expectations. Training should be done annually and employees should be required to sign an acknowledgement form indicating they have read and understand the policy.

Policies need to be enforced equally throughout the company; selective enforcement of a policy or simply failing to enforce a policy negates that policy. This will make it difficult to enforce later or result in legal action against the company if an employee claims they have been singled out.”

Addressing the insider threat isn’t easy, but it begins with organizations understanding that this is one of the most likely threats they will experience, and then implementing the appropriate people, processes, and technology controls to mitigate it.
