Comment: Stopping Employees from Stealing Your Data

Encrypted information is often exempt from some of the more punitive notification requirements, says Credant's Sean Glynn
Encrypted information is often exempt from some of the more punitive notification requirements, says Credant's Sean Glynn

Information is one of the primary competitive weapons and business enablers for organizations of all kinds. The ability to provide the correct information to educate workers has driven a proliferation of information sharing, but with it has come significant risk.

The actions of users who intentionally or accidentally cause damage to an organization is now one of the most complex and difficult-to-manage problems facing IT security teams. So, how can you prevent malfeasance by the people you are suppose to trust? This article examines some of the important aspects of insider threats and offers guidance to reduce the risk.

While much has been written on the subject of the insider threat, it still remains one of the most contentious and difficult-to-manage areas of information security policy. It goes against the grain to believe an employee is capable of stealing information – yet it happens anyway.

How big is the risk from insiders?

In short, the risk depends greatly on what we define as an insider attack and the role that insiders play in breaches. The 2010 Verizon Risk Team Data Breach Investigation Report states that almost half (48%) of studied breaches are caused by insiders (an increase of 26% over 2009). As our understanding of the role of insiders in data breaches develops, so does our understanding of the complexity of attacks facing organizations and the difficulty in maintaining the balance between free information flow and good security.

Understanding the insider attack

At the most basic level, there are two kinds of insider attack: malicious and non-malicious. 2010 statistics from The Open Security Foundation found that almost three times as many breaches are caused by accidental insider activity than malicious intent. In fact, non-malicious breaches will often occur through normal information use, and especially through avenues such as email, loss of laptops or storage media, and exposure to non-authorized parties within the organization.

As users carry increasingly large quantities of information on mobile devices, the risk of accidental breaches will continue to rise. Statistics show that enterprise organizations lose large numbers of laptops every year, and in 60% of the cases the device is simply misplaced by the owner.

While non-malicious insider breaches are a growing concern, most security organizations are primarily focused on preventing the actions of malicious insiders. A malicious insider can, and often will, cause damage over a long period of time, and may also be a significant contributory factor in external breaches too. In CERT's “Common Sense Guide to Prevention and Detection of Insider Threats”, the authors identify four types of malicious insider attack:

  1. Attacks aimed at sabotaging IT resources (often out of a desire for revenge)
  2. Attacks that steal (or modify) information for financial benefit
  3. Attacks that steal (or modify) information for business gain
  4. A miscellaneous group of attacks associated with unauthorized access, but not necessarily for personal gain

Attacks aimed at sabotage and those for financial gain make up the bulk of the cases the authors examined. However, given the difficulty of tracking when sensitive information is stolen and handed over to a competitor, it is entirely possible that thefts for business advantage are under-represented in any study.

Avoiding the insider attack

The challenge of managing risks and reducing the likelihood of an insider attack is that it requires a close correlation between technical information, security controls and human resources and management. This need for the intersection of the human element with monitoring and other controls is precisely what makes insider attacks, especially malicious ones, so difficult to detect and prevent.

In the previously mentioned CERT whitepaper on preventing insider attacks, the authors suggest 16 practical measures that can be adopted to help reduce risks from malicious insiders:

  • Consider threats from insiders and business partners in enterprise-wide risk assessments
  • Clearly document and consistently enforce policies and controls
  • Institute periodic security awareness training for all employees
  • Monitor and respond to suspicious or disruptive behavior, beginning with the hiring process
  • Anticipate and manage negative workplace issues
  • Track and secure the physical environment
  • Implement strict password and account management policies and practices.
  • Enforce separation of duties and least privilege
  • Consider insider threats in the software development life cycle
  • Use extra caution with system administrators and technical or privileged users
  • Implement system change controls
  • Log, monitor, and audit employee online actions
  • Use a layered defense against remote attacks
  • Deactivate computer access following termination
  • Implement secure backup and recovery processes
  • Develop an insider incident response plan

Although these points are focused on dealing with intentional attacks, some will also reduce the risk of accidental incidents.

In support of these initiatives, encryption software can play a key role. Encryption presents the capability to render sensitive information unreadable to unauthorized users, and most importantly, once encrypted, the ‘protection’ stays with the data wherever it resides. A further benefit is that it helps enforce tight controls over who can access the information.

Finally, because encryption is highly data-centric, it reduces the value of the information itself (and the liability associated with it) to a third party. An encrypted file on a laptop may contain highly proprietary information, or sensitive personal data covered by one of the many industry and legislative mandates. But if it is properly encrypted, the information remains protected even if the laptop is lost or stolen.

In the event of an incident, encrypted information is often exempt from some of the more punitive notification requirements, and will therefore significantly reduce the cost of an accidental breach. In their 2009 study, “Cost of a Lost Laptop”, the Ponemon Institute reported that the presence of encryption on a lost laptop reduced its cost to the organization by over $20,000.

Addressing the threats from insiders is always an emotive subject. While organizations will always want to hire trustworthy employees, it is an irrefutable fact that accidental breaches occur with startling regularity, and that a single, well-motivated malicious insider can cause immense damage.

The nature of the interaction between IT and business units is also changing, fuelled in no small part by the availability of maturing cloud offerings. As a result, the complexity and nature of the insider threat is changing as well.

Although no single technology can ever provide complete security, encryption will continue to play a central and pivotal role in both reducing the risk of a breach and limiting the damage to your business, should one occur.

Sean Glynn is the director of marketing for Credant Technologies. Glynn has over 17 years of experience in IT, focusing for the past several years on developing and bringing to market security solutions to meet customers data protection and compliance needs. He has a bachelor’s degree in marketing from the University of Limerick, in Ireland.

What’s hot on Infosecurity Magazine?