25 Jan 11

Insider threat grows as new wave of job cuts looms

When NTA Monitor first started security testing, organisations perceived the main focus to be protecting themselves from the insider threat. During the last fifteen years this has changed and businesses have become more and more concerned about defending themselves from external attacks via the Internet.

However, with considerable job losses predicted this year, the risk from the insider threat to information security grows as employees are more likely to want to take data to help them with a new job or - less frequently - to maliciously pass it on to competitors for financial gain.

In the majority of cases there may be no deliberate intention to cause harm or damage to the organisation, but the risk posed by an internal attacker is potentially more worrying because they are far more likely to be able to disrupt commercial activity or successfully obtain critical business data.

An employee already has valid system user status, and with many companies failing to monitor staff activity regularly or, more concerning, not knowing where sensitive information is stored or who has access to it, the risk of an internal attack becomes significantly greater.

Roy Hills, NTA Monitor founder, said: "If someone doesn't have the technical expertise, it can be far easier, for example, for a criminal gang, to have someone in an organisation or on the shop floor than to attempt to hack a network.

"If there are weak physical security or data loss controls within a company, it makes the insider's job so much easier."

Reducing the risk is simply about knowing what is going on where on the network. Classifying data based on how sensitive it is and undertaking a risk assessment to determine what security controls are needed to protect the most sensitive data are crucial first steps in helping to minimise the insider threat.

Understanding that different types of information will need different security controls will assist in meeting any regulatory or compliance standards that an organisation may have to adhere to. Segregating the network with firewalls along business lines will prevent excessive privilege access and stop employees extracting information that is beyond their 'need to know'.

Having some idea about what information is being accessed, and therefore possibly lost, is important. Recording what information is stored where, including portable devices, will help organisations determine how at risk they are. For example, according to research by Avast, USB devices play a part in one out of every eight attacks - so with this in mind keeping an accurate log of who uses a portable device becomes vital.

Deploying data loss prevention (DLP) technologies may assist with countering the risk of accidental or deliberate disclosure of information, but they often do not minimise the human element of an insider threat. If someone who holds the encryption keys leaves, then the network security may be compromised. Adopting a split knowledge and dual control strategy would prevent this from happening.
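As an added illustration of split knowledge and dual control (not NTA Monitor's code), the sketch below splits an encryption key into XOR components so that no single custodian, including one who leaves, holds the key, and rebuilding it requires every component. The custodian names, the sample key and the SHA-256 based check value are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

def split_key(key: bytes, custodians: int = 2) -> list[bytes]:
    """Split `key` into XOR components; all of them are needed to rebuild it."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    shares = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for s in shares:
        last = bytes(a ^ b for a, b in zip(last, s))
    return shares + [last]

def check_value(key: bytes) -> str:
    """Short fingerprint kept with the key record to verify a rebuild (assumed scheme)."""
    return hashlib.sha256(b"kcv" + key).hexdigest()[:12]

def combine(shares: list[bytes], expected_check: str) -> bytes:
    """Dual control: the key is rebuilt only when every component is supplied."""
    if len(shares) < 2 or len({len(s) for s in shares}) != 1:
        raise ValueError("need two or more equal-length components")
    key = bytes(len(shares[0]))
    for s in shares:
        key = bytes(a ^ b for a, b in zip(key, s))
    if not hmac.compare_digest(check_value(key), expected_check):
        raise ValueError("components do not rebuild the expected key")
    return key

def demo() -> dict:
    master = secrets.token_bytes(32)        # constructed sample key
    kcv = check_value(master)
    alice, bob = split_key(master, 2)       # hypothetical custodians
    rebuilt = combine([alice, bob], kcv)
    try:
        # One component on its own, with the other unknown, fails the check.
        combine([alice, bytes(32)], kcv)
        alone_ok = True
    except ValueError:
        alone_ok = False
    return {"rebuilt": rebuilt == master, "alone_ok": alone_ok}

if __name__ == "__main__":
    print(demo())
```

When a custodian leaves, the remaining custodians rebuild the key under dual control and call `split_key` again, which issues fresh components and makes the leaver's old component useless.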

Perhaps the most important element in minimising an insider threat is to tackle it at the recruitment process and in the company's training policy. Carrying out background checks on a new recruit and regularly providing staff with the relevant security training so that they understand the risks and how to work as securely as possible is critical in maximising employee understanding of the potential threat, and therefore preventing an internal attack from ever taking place.

Tips on how to minimise the insider threat

1. Encourage HR to adopt a screening process at recruitment stage, and to regularly check existing staff appropriate to the requirements of the role
2. Manage and audit list of removable devices and log any losses
3. Filter outbound traffic and enforce and monitor stringent policies on email usage
4. Ensure physical security of server rooms
5. Encrypt back-up media
6. Document nature and location of business critical information and Personally Identifiable Information (PII), detailing who has access to it
7. Carry out a risk assessment and detail standards on audit trails for access to PII
8. Clearly define controls on authorisation and authentication procedures
9. Implement careful management of the user de-registration process
10. Manage and update matrix of user roles and responsibilities mapped against their required access to PII

This article features in the current issue of our newsletter From the Perimeter. Sign up to From the Perimeter for the latest industry insight and comment.

This article was first released on: 25th January 2011
