The Threat from Within

Tuesday, October 06, 2009

Sandra Avery


Times are tough.  Now, more than ever, organizations need to be extra vigilant about protecting the data on their networks.  With identity theft  at an all time high, and data breaches disclosed almost daily, the stakes are incredibly high.    

There is much emphasis on protecting data from hackers, phishers, and external threats, but what about internal threats?  Who’s watching out for those? Employees are a huge risk to every organization, yet companies often get by on doing the bare minimum when it comes to minimizing the risk that internal threats pose. 

It’s a game of Russian roulette that has gone horribly wrong for some organizations.  In May of this year, John Hopkins Hospital in Baltimore warned more than 10,000 patients about the possibility of their personal data being stolen by an employee working in the hospital’s patient registration area.  In March, Sprint also found itself the victim of a rouge employee.  Someone had accessed and possibly sold account data belonging to several thousand customers. 

But what about those employees who aren’t out to intentionally harm the companies they work for? (Remember the bank employee that emailed sensitive loan documents to the wrong gmail account?)  Human error is also a huge threat to the security of a company’s data.    But there’s no easy solution.  Employees need to have access sensitive information in order to perform their jobs, and further eliminating or restricting access is not an option in some cases. 

So what’s an organization to do?  For starters, they need to acknowledge that internal threats are not only legitimate, but they have the potential to be catastrophic in terms of brand damage and restitution.  Once they’ve made that acknowledgement, they need to prepare to execute some important changes within the organization. 

First, companies need to breed a new culture of security awareness among all employees.  Security Awareness training needs to be mandatory for everyone the way that sexual harassment training or ethics training is.  Chances are, one would be hard pressed to find an employee that didn’t know what constitutes harassment in the workplace, but finding someone that knows what HIPAA stands for and who it applies to would prove to be much more challenging.  But just like sexual harassment lawsuits are expensive, lawsuits related to data breaches and data theft can be equally as costly.  Organizations need to educate everyone on what’s acceptable, what’s not, and how to minimize the risk of accidental exposure. 

Next, yearly audits and risk assessments must be taken seriously.  Audits present an opportunity to correct any inconsistencies in existing processes that could potentially expose the organization to a higher level of risk.  Most IT folks regard audits as the equivalent of a root canal, but much value can be derived from objectively exploring audit observations.  Does your desktop support guy really need access to the datacenter?  Do the DBAs all require domain admin privileges?  These are minor tweaks that usually won’t have an impact on operations but make a big difference in terms of risk. 

Lastly, tools are also important for mitigating internal risk.  With shrinking budgets and pressure to cut costs, managers are finding it harder to justify purchasing hardware and software aimed at securing the organization, but certain tools are necessary and should be procured in order to maintain an acceptable level of security.  Data leak prevention software and logging and monitoring devices are essential for mitigating internal risks.  Knowing what type of data has left the organization and through what channel could possibly stop a breach before it actually happens.  The benefits of identifying activity that is “abnormal” and receiving real time alerts when certain actions take place are monumental.  Companies often go for months without knowing they’ve been penetrated.  They spend even more time trying to assess the damage.  While the price tag on DLP software or a SIEM appliance can be expensive, the investment is worthwhile.  These resources provide assurance and make it easier for security staff to minimize internal threats.   The security department needs to educate senior staff on how procurement of these tools are in the best interest of the company, and make the case for them. 

Internal threats are often ignored or underestimated by organizations, but they pose a real threat to the security of their data.  Now is the time for companies to get serious about reducing the risk that their own employees bring.  Incorporating these simple steps into the overall strategic security plan for the organization will pay off quickly and in a big way.

Possibly Related Articles:
Enterprise Security
Insider Threats Risk Management
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.