How can you stop insider breaches?
Whether they’re whistleblowers or careless or malicious employees, it comes back to minimizing risk - yet most organizations do not. Ernst & Young’s 12th Annual Global Information Security survey (2009) of nearly 2000 IT leaders found that, despite concerns about departing ex-employees, only 26% had measures in place to mitigate insider risk. That is, despite knowing the risks, 3 out of 4 organizations left them wide open.
Cappelli says ‘HR knows that they are a problem. Someone needs to tell the information security staff, so that they can look in your logs and see what this person has been up to.’ However, by the time you check the logs it may be too late: the data may be gone, and the employee too.
Insider fraud or theft is hard to detect, which is why many organizations invest in Data Loss Prevention (DLP) systems, hoping they will be the magic bullet. However, their effectiveness has been questioned:
• Nick Selby, senior analyst with the 451 Group, says: ‘Enterprises don’t know where their unstructured data is, let alone where their sensitive data is. Putting a box at the gateway doesn’t solve the problem, but highlights it.’
• Security specialist Rich Mogull is less polite: ‘The concept that you can run around, analyze, and tag your data throughout the enterprise, then keep it current through changing business contexts and requirements, is totally ridiculous.’
You can, however, take some simple steps to reduce your exposure from the inside:
1. Nail down the security basics
Deliberate insider data breaches, including those of the WikiLeaks type, mostly occur because of careless IT security principles and processes, such as:
• Users have more privileges than they need (especially C-level executives);
• USB thumb drives and optical devices aren’t blocked on user networks;
• Sensitive data is stored unencrypted or in unsecure places; and
• Common-sense security controls aren’t in place or kept up-to-date.
According to an IDG survey, 63% of loss is not malicious; most is due to carelessness, mistakes or poor training. Think again of the thousands of laptops, DVDs and USB sticks left in airports, executive lounges and cabs, containing unencrypted corporate data. Putting practical security policies in place, and making sure they’re enforced, will significantly improve data security in any environment.
Securing the network is an important step but the easiest first one is to enforce policies for taking data off the premises, such as:
• Who is allowed to access data remotely, and with whose prior approval?
• How is data protected - particularly on non-corporate assets?
• Controls like encryption to ensure that data isn’t lost, stolen or tampered with; and
• Controls for employees handling mobile devices like laptops and PDAs.
2. Look out for signs
The 2010 Verizon Business Data Breach Investigations Report found that, in 9 out of 10 incidents, companies had logs available at the time, yet discovered the breach through those logs in only 5% of cases. The report sums up: ‘... if the organizations we’ve studied had tuned their systems to alert on abnormalities like this and actually looked into them when alarms went off, that five percent [of discovered breaches] would be a lot higher.’
Your greatest exposure may be when employees are about to leave, so that is a good time to be vigilant, but not the only time: you should be inspecting your event logs for signs of non-compliant or suspicious activity routinely and diligently.
3. Employ smarter systems
Threats from inside aren’t any easier to anticipate. You could monitor all employees who are about to leave, but they may have acted months ago, or it may be others who are planning to steal. However, unusual behavior can be an early warning. For instance, if it is unusual for a specific employee to work late, come in on weekends, or access or copy sensitive data, he may be planning his exit - or not. Either way, you need to know.
This is why security systems based on behavioral analysis (such as Behavior Anomaly Detection (BAD)) can provide both early warning and early prevention. For instance, if someone were unusually downloading ‘truckloads’ of documents from a server, this behavior would be detected as both suspicious and risky. Similarly if a breach were accidental (such as opening a spear-phishing email) yet caused suspicious activity (such as exporting data to an external URL), BAD would detect this too.
The limitations of rules-only technologies come into sharp focus in the context of insider breaches. Firstly, the informed insider will know the rules and how to evade them. Secondly if a privileged user routinely accesses sensitive data, this access would break no rules, so no alert would be raised.
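The following is an added illustration, not code from the original article or from any product it mentions, of the contrast drawn in sections 2 and 3: routine log inspection, a fixed-threshold rule, and a per-user behavioral baseline run over the same file-server access log. The log lines, user names and daily download counts are constructed for the example; "alice" is an ordinary analyst whose volume jumps on the last day, at night, and "bob" is a privileged administrator whose bulk access is routine. The threshold, working-hours window and z-score cut-off are arbitrary assumptions, not values from the page.

```python
"""Fixed rule versus per-user behavioral baseline over a constructed access log."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed data (hypothetical users and counts): one list entry per day.
# bob's job genuinely needs bulk access; alice's last day is the anomaly.
CONSTRUCTED_DAILY_COUNTS = {
    "alice": [3, 2, 4, 3, 3, 15],
    "bob":   [40, 41, 39, 42, 40, 42],
}
OFF_HOURS_DAY = {"alice": 5}  # day index on which alice's downloads happen at 22:00


def build_constructed_log():
    """Synthesise 'timestamp user action path' lines (constructed, not real data)."""
    lines = []
    start = datetime(2010, 3, 1, 9, 0)
    for user, counts in CONSTRUCTED_DAILY_COUNTS.items():
        for day, n in enumerate(counts):
            hour = 22 if OFF_HOURS_DAY.get(user) == day else 9
            for i in range(n):
                ts = start.replace(hour=hour) + timedelta(days=day, minutes=i)
                lines.append(f"{ts.isoformat()} {user} DOWNLOAD /share/doc{i:03d}.docx")
    return lines


def parse_log(lines):
    """Return {user: [(date, hour), ...]} for DOWNLOAD events in the log."""
    events = defaultdict(list)
    for line in lines:
        ts, user, action, _path = line.split(" ", 3)
        if action != "DOWNLOAD":
            continue
        when = datetime.fromisoformat(ts)
        events[user].append((when.date(), when.hour))
    return events


def daily_counts(events):
    """Collapse events into {user: {date: downloads}} with dates in order."""
    out = {}
    for user, evs in events.items():
        per_day = defaultdict(int)
        for d, _h in evs:
            per_day[d] += 1
        out[user] = dict(sorted(per_day.items()))
    return out


def static_rule_alerts(counts, threshold=20):
    """Rules-only approach: alert on any user-day above a fixed threshold."""
    return [(u, d) for u, per_day in counts.items()
            for d, n in per_day.items() if n > threshold]


def baseline_alerts(counts, min_history=3, z_threshold=3.0):
    """Behavioral approach: alert when a day's count exceeds the same user's
    own historical mean by more than z_threshold standard deviations."""
    alerts = []
    for user, per_day in counts.items():
        history = []
        for d, n in per_day.items():
            if len(history) >= min_history:
                mu, sigma = mean(history), pstdev(history)
                sigma = max(sigma, 1.0)  # floor so a flat history still scores finitely
                z = (n - mu) / sigma
                if z > z_threshold:
                    alerts.append((user, d, round(z, 1)))
            history.append(n)  # only past days feed the baseline
    return alerts


def off_hours_alerts(events, work_start=7, work_end=19):
    """Flag the first day a user downloads outside working hours, having never done so before."""
    alerts = []
    for user, evs in events.items():
        per_day = defaultdict(int)
        for d, h in evs:
            if not (work_start <= h < work_end):
                per_day[d] += 1
        seen_before = False
        for d in sorted({d for d, _ in evs}):
            if per_day[d] and not seen_before:
                alerts.append((user, d, per_day[d]))
            seen_before = seen_before or bool(per_day[d])
    return alerts


def run(lines=None):
    """Run all three checks over the log and return a JSON-friendly summary."""
    lines = lines if lines is not None else build_constructed_log()
    events = parse_log(lines)
    counts = daily_counts(events)
    return {
        "static": [(u, d.isoformat()) for u, d in static_rule_alerts(counts)],
        "baseline": [(u, d.isoformat(), z) for u, d, z in baseline_alerts(counts)],
        "off_hours": [(u, d.isoformat(), n) for u, d, n in off_hours_alerts(events)],
    }


if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name}: {hits}")
```

With these constructed inputs the fixed rule fires on bob every single day and never on alice, which is exactly the failure the text describes: the privileged user's routine access generates noise (or, with a higher threshold, no alert at all), while the insider who stays under the number is missed. The per-user baseline flags only alice's last day, both for volume and for the shift to night-time activity, and stays quiet on bob because his volume is normal for him.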