The latest example, the taking of sensitive data by a former ComputerShare employee using a USB drive, highlights the need for effective controls to thwart insiders, explained Jim Zierick, executive vice president of product operations at BeyondTrust.
“Unfortunately, it is all too common that insiders, trusted employees, end up doing extremely bad things, either inadvertently or maliciously, with key company data. While a lot of the focus in the industry is around outside threats, the hacker, the virus, what we are finding is that companies are increasingly realizing that the insiders who have privileged access to their critical systems and data are in many instances bigger threats than outsiders”, Zierick told Infosecurity.
Regarding the ComputerShare breach, Zierick said that “apparently what was lacking here was the monitoring to know that the employee had moved the data and the controls to prevent her from doing that. That is what leads to problems.”
Brian Anderson, chief marketing officer at BeyondTrust, has written a book along with John Mutch analyzing the threat from insiders. The premise of the book, Preventing Good People from Doing Bad Things, is that too much time and money has been spent on outsider threats, he explained.
“As organizations start to deal with this, they realize that the significant challenge is the insider. In a lot of cases, it is not just the intentional misuse of that privilege…but it is also the average employee who does accidental things”, Anderson told Infosecurity. “Accidental misuse of privilege can cause significant problems”, he added.
Accidental misuse of privileges by an employee can open the door for outsiders to breach the company’s network. “If someone inside has administrative rights, and someone outside commandeers those rights, then it looks like the employee is doing the harm, when in fact it is an outsider using the insider as a puppet”, he explained.
The costs to organizations from insider threats are significant, perhaps millions of dollars per incident, because “the insider knows where to hurt you the most”, he said.
Anderson advised organizations to give employees only the amount of privilege needed to do their jobs, known as the least privilege approach. “Nobody should have omnipotent access rights to a server, a database, or a desktop computer”, he stressed. “Rank does not mean privilege.”
The book advises organizations to enforce data loss prevention (DLP) policies that prevent end users from copying certain types of data to USB drives; activity logging can then alert the company if multiple attempts are made to copy this kind of data.
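The two controls described above, a policy that blocks copies of sensitive data to removable media and an alert when one user repeatedly trips that policy, can be sketched in a few lines. The following is an added illustration, not code from the book, from BeyondTrust or from any DLP product. It assumes a constructed pipe-delimited event format (timestamp, user, action, source path, destination), classifies data as sensitive by path prefix, treats any destination beginning with "USB:" as removable media, and raises an alert when a user has three or more blocked attempts within ten minutes; all of those choices are assumptions for the example.

```python
"""Toy DLP policy check plus a repeat-attempt detector over sample events.

Added example (not from the article, the book or any vendor). The event
format, the path-based classification, the "USB:" destination prefix and
the alert threshold/window are all assumptions made for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

# Assumption: data under these paths is classified as sensitive.
SENSITIVE_PREFIXES = ("/finance/", "/hr/")
# Assumption: destinations starting with this prefix are removable media.
REMOVABLE_PREFIX = "USB:"

# Constructed sample events: timestamp|user|action|source path|destination
SAMPLE_EVENTS = [
    "2024-01-15T09:01:00|alice|COPY|/finance/clients_q4.xlsx|USB:E:",
    "2024-01-15T09:02:30|alice|COPY|/finance/payroll.csv|USB:E:",
    "2024-01-15T09:05:10|alice|COPY|/finance/ssn_export.csv|USB:E:",
    "2024-01-15T09:06:00|bob|COPY|/public/newsletter.pdf|USB:F:",
    "2024-01-15T10:30:00|bob|COPY|/hr/benefits.docx|NETWORK:\\\\share",
    "2024-01-15T11:00:00|carol|COPY|/hr/employee_list.xlsx|USB:G:",
    "2024-01-15T14:00:00|carol|COPY|/hr/reviews.docx|USB:G:",
]


class Event(NamedTuple):
    ts: datetime
    user: str
    action: str
    path: str
    dest: str


def parse_event(line: str) -> Event:
    """Parse one pipe-delimited event line into an Event."""
    ts, user, action, path, dest = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), user, action, path, dest)


def is_sensitive(path: str) -> bool:
    return path.startswith(SENSITIVE_PREFIXES)


def is_removable(dest: str) -> bool:
    return dest.startswith(REMOVABLE_PREFIX)


def policy_decision(ev: Event) -> str:
    """The preventive control: block copies of sensitive data to removable media."""
    if ev.action == "COPY" and is_sensitive(ev.path) and is_removable(ev.dest):
        return "BLOCK"
    return "ALLOW"


def repeated_attempts(lines, threshold=3, window=timedelta(minutes=10)):
    """The detective control: alert once per user who accumulates
    `threshold` blocked attempts inside a sliding time `window`."""
    recent = defaultdict(deque)   # user -> timestamps of recent blocked attempts
    alerts = []
    alerted = set()
    for ev in sorted(map(parse_event, lines), key=lambda e: e.ts):
        if policy_decision(ev) != "BLOCK":
            continue
        q = recent[ev.user]
        q.append(ev.ts)
        # Drop attempts that fell out of the window.
        while q and ev.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev.user not in alerted:
            alerted.add(ev.user)
            alerts.append({"user": ev.user, "attempts": len(q),
                           "first": q[0], "last": ev.ts})
    return alerts


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        ev = parse_event(line)
        print(policy_decision(ev), ev.user, ev.path, "->", ev.dest)
    for alert in repeated_attempts(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

In the sample data only alice trips the threshold: carol's two blocked copies are three hours apart, so the sliding window never holds more than one of them, and bob's copies are either not sensitive or not to removable media. The block decision is made per event, while the alert depends on history, which is the distinction between the prevention and the monitoring the article says were both missing.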