Preventing Employee Own Goals

In July 2012, General Keith Alexander, head of the United States' National Security Agency (NSA), described the theft of intellectual property through cyber-crime as the “greatest transfer of wealth in history.”

But cyber-crime knows no borders: businesses in the UK and the rest of the world are targeted just as heavily by attackers who steal information to resell it or to use it for competitive advantage. External attackers are often responsible for such theft, but a significant share arises from the activities of insiders, whether stealing data deliberately or accidentally letting others gain access to it.

Worse, the distinction between external and internal threats is becoming harder to draw and less relevant. External attackers are now highly adept at posing as insiders, and this change is having a fundamental impact on how CISOs approach security planning. At the same time, it is an uncomfortable truth that some people inside companies are intent on doing the business harm.

Given these dual threats of malicious employees and outsiders operating as “insiders”, the best attitude for CISOs is to assume that they have already been breached. The most secure organisations in the world have fallen victim to data breaches by employees and by persistent, well-trained attackers. Employee breaches may be one-off events, but the statistics show that once in, external attackers make themselves very much at home, often operating for a year or more while posing as insiders, gathering and stealing valuable information.

So the best defence is to assume threats already exist within the organisation and work from there: monitoring for anomalous behaviour and for changes to systems that could indicate they are being used as part of an attack.

The latest Verizon Data Breach Investigations Report offers some useful context on employees committing data breaches. One headline figure was that 14% of data breaches were committed by the organisation's own employees, which illustrates the very real threat they pose, intentionally or not, of exposing data. The report also identified circumstances in which employees pose an even greater breach risk.

It found that in 70% of intellectual property theft cases involving insiders, the information was stolen within 30 days of the insider announcing their resignation. Such statistics show why businesses should attach real value to monitoring privileged users, and why the notice period deserves particular attention. While the vast majority of employees abide by corporate rules, a small minority may damage the business if given the opportunity.

A considerable amount of the data businesses hold now falls under data protection regulation enforced by bodies such as the Information Commissioner's Office (ICO), which is increasingly penalising companies for losing data.

To avoid a breach and the penalties that follow, one of the most important steps any organisation can take is to ensure that only those with a business need can access sensitive information, and that the information is protected appropriately so that compliance obligations are met. Part of the challenge is that employees typically start with very limited access rights but acquire more and more “privileges” over time, as they change roles or take on projects, without the old rights ever being revoked. The result is that a long-serving employee's access often bears little relation to what their current job requires.

Employees with privileged user status need to be monitored and managed far more carefully, both to ensure they are not abusing those rights and to detect an external attacker posing as a legitimate user to steal information. Businesses that can monitor the activity of privileged users will be better placed to spot and prevent outsiders getting in through the back door and reaching valuable resources.

A combination of real-time security monitoring tools, good access management processes and documented access rights can significantly reduce the risk of breaches. The documented rights are what make the monitoring meaningful: without a record of who is supposed to hold which privileges, there is no baseline against which an access can be judged anomalous. Together these give IT teams the ability to identify potential threats quickly, and then take decisive action to disrupt or stop them before serious harm occurs.
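
The controls described above can be made concrete. The following Python script is an added example written for this page, not code from the article or from NetIQ. The roles, approved group lists, user records and audit log lines are all constructed, and the thresholds (a 30-day notice window taken from the report figure quoted above, a 1 MB export threshold and 08:00 to 19:00 office hours) are assumptions for illustration. It performs an access review against documented rights to flag privilege creep, lists privileged users inside their notice period, and runs simple anomaly rules over privileged-user activity.

```python
"""Access review and privileged-activity monitoring over constructed sample data.

Added example (not from the original article or NetIQ). Every user, role, group
and log line below is constructed for illustration.
"""
from datetime import date, datetime

# Documented access rights: the groups each role is approved to hold (assumed baseline).
APPROVED_GROUPS = {
    "finance-analyst": {"finance-readonly", "vpn"},
    "dba": {"db-admin", "vpn"},
    "helpdesk": {"ad-password-reset", "vpn"},
}
# Groups that confer privileged access (assumed).
PRIVILEGED_GROUPS = {"db-admin", "domain-admins", "ad-password-reset"}

# Current state as pulled from the directory (constructed sample).
USERS = {
    "alice": {"role": "finance-analyst", "notice_given": None,
              "groups": {"finance-readonly", "vpn", "db-admin"}},          # creep: db-admin
    "bob":   {"role": "dba", "notice_given": "2013-05-20",
              "groups": {"db-admin", "vpn"}},                              # leaver with privilege
    "carol": {"role": "helpdesk", "notice_given": None,
              "groups": {"ad-password-reset", "vpn", "domain-admins"}},    # creep: domain-admins
}


def privilege_creep(users=USERS, approved=APPROVED_GROUPS):
    """Return {user: excess groups} for rights not in the role's documented baseline."""
    findings = {}
    for name, u in users.items():
        excess = u["groups"] - approved.get(u["role"], set())
        if excess:
            findings[name] = excess
    return findings


def leavers_with_privilege(today="2013-06-03", users=USERS, window_days=30):
    """Privileged users who gave notice within the last window_days (the high-risk period)."""
    today = date.fromisoformat(today)
    out = []
    for name, u in users.items():
        if not u["notice_given"]:
            continue
        age = (today - date.fromisoformat(u["notice_given"])).days
        if 0 <= age <= window_days and (u["groups"] & PRIVILEGED_GROUPS):
            out.append(name)
    return sorted(out)


# Constructed audit log: timestamp  user  action  resource  bytes
LOG = """\
2013-06-03T09:12:01 bob   SELECT   customers      2048
2013-06-03T09:40:17 bob   SELECT   invoices       4096
2013-06-03T22:05:44 bob   EXPORT   customers   5242880
2013-06-03T22:07:10 bob   EXPORT   invoices    8388608
2013-06-03T10:15:22 alice SELECT   gl_summary      512
2013-06-03T11:02:09 carol RESET_PW jsmith            0
"""


def parse_log(text=LOG):
    """Parse the whitespace-separated log format above into dicts."""
    rows = []
    for line in text.splitlines():
        ts, user, action, resource, nbytes = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "action": action, "resource": resource, "bytes": int(nbytes)})
    return rows


def anomalous_privileged_activity(rows, users=USERS, byte_threshold=1_000_000,
                                  office_hours=(8, 19)):
    """Flag privileged users moving large volumes or working outside office hours."""
    alerts = []
    for r in rows:
        if not (users[r["user"]]["groups"] & PRIVILEGED_GROUPS):
            continue  # only privileged users are in scope for these rules
        reasons = []
        if r["bytes"] >= byte_threshold:
            reasons.append("bulk-export")
        if not office_hours[0] <= r["ts"].hour < office_hours[1]:
            reasons.append("out-of-hours")
        if reasons:
            alerts.append((r["user"], r["action"], r["resource"], reasons))
    return alerts


if __name__ == "__main__":
    print("privilege creep:", privilege_creep())
    print("privileged leavers in notice window:", leavers_with_privilege())
    for alert in anomalous_privileged_activity(parse_log()):
        print("ALERT", *alert)
```

Run as-is it reports alice and carol holding groups their roles were never approved for, bob as a privileged user inside his notice period, and bob's two out-of-hours bulk exports. The rules are deliberately simple; the point is that each one needs the documented baseline (approved groups, privileged groups, notice dates) before any event can be called anomalous.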

Taking this approach of more focused monitoring and better access controls matters now, and it will matter even more as IT infrastructure becomes more mobile and moves into the cloud. By focusing on user activity, businesses become less dependent on device-centric thinking, which will become unsustainable as more and more of their IT platform moves out of their direct control.

Businesses need to monitor their resources in real time so that they are aware of any unauthorised activity by employees and can act quickly to stop a data breach. Employees need to be trusted to get on with their jobs; modern businesses, however, need processes that minimise the risk of data breaches, deliberate or not, and that allow them to recover as quickly as possible if a breach does occur. With effective access governance processes in place, businesses can ensure that employees don't score own goals.

Geoff Webb

Geoff Webb has over 20 years of experience in the tech industry and is the Director of Solution Strategy at NetIQ. He is responsible for all aspects of defining and communicating how the company solves the major challenges organisations face in light of disruptive trends such as cloud, mobility and social identity, and how NetIQ solutions for identity and access, security and IT operations management enable successful outcomes. Previously, Geoff served as a senior manager of Product Marketing at NetIQ, and held management positions at FutureSoft, SurfControl and JSB.

  • Webb highlights a critical issue in this article: making a distinction between external and internal threats is becoming increasingly difficult and less and less relevant.

    Whether due to complacency or naivety, the vast majority of organisations have failed to adapt security processes and procedures to reflect the changing threat landscape. As Webb highlights, growing numbers of data thefts are inside jobs where users are ‘over-privileged’ in terms of rights and permissions to roam the network and steal data. However, the other significant knock-on effect from these over-privileged users is that they will also be empowered to do far more damage to the organisation if they fall victim to a phishing attack or other malware infection.

    In this scenario, it is absolutely critical that organisations start embracing a higher level of best practice and governance in security processes and procedures; but they also need to include an extensive internal defence.

    Organisations need a completely infallible way of detecting the presence of malware. This ideally needs to be a real-time alert triggered by any change to file structure that might indicate compromise or the beginning of the slow move towards the central core of the business.

    File Integrity Monitoring (FIM) is proven to radically reduce the risk of security breaches; it raises an alert related to any change in underlying, core file systems – whether that has been achieved by an inside man or an unwittingly phished employee introducing malware, or some other zero-day threat blasting unrecognised past the AV defences. Flagging up changes in this way ensures there is no chance of an APT gaining hold; no risk of the stealth attack that gets in and out leaving no trace – there is a trace and the business is immediately notified.

    The fact is that every business is at risk at all times and defences and detection mechanisms must be implemented on the assumption that traditional firewall and AV measures are fallible – and that the lines between the external and internal threat are now intrinsically blurred.

    Mark Kedgley, CTO, New Net Technologies
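
As an added example of the FIM approach the comment above describes (example code written for this page, not New Net Technologies' product or any code from the article), the Python below builds a SHA-256 baseline of a directory tree and re-scans it to report added, removed and modified files. The directory and its contents are constructed in a temporary folder so the example runs offline; the file names mimic system files but are invented.

```python
"""Minimal file-integrity monitor: baseline a tree, re-scan, report drift.

Added example for this page, not a product's code. demo() constructs a fake
system tree in a temporary directory, records a baseline, simulates a
compromise and returns the resulting change report.
"""
import hashlib
import tempfile
from pathlib import Path


def _sha256(path, chunk=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """Map relative path -> (sha256, permission bits, size) for every regular file."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = (_sha256(p), st.st_mode & 0o7777, st.st_size)
    return snap


def compare(old, new):
    """Diff two snapshots; all three lists empty means no drift since the baseline."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in common if old[k] != new[k]),
    }


def demo():
    """Constructed scenario: baseline a fake tree, then tamper with it as an intruder would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "sshd").write_bytes(b"original sshd binary")
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "motd").write_text("welcome\n")
        before = baseline(root)

        # Simulated compromise (constructed): trojaned binary, new root account,
        # dropped payload and a deleted file.
        (root / "bin" / "sshd").write_bytes(b"original sshd binary with backdoor")
        with open(root / "passwd", "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        (root / "bin" / "miner").write_bytes(b"\x7fELF...")
        (root / "motd").unlink()

        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind.upper():9} {path}")
```

In practice the baseline must be stored out of band, or signed, so that an attacker who gains write access cannot update it to cover their tracks, and the comparison should run on a schedule or be driven by filesystem events rather than once as in demo(). Hashing content rather than trusting timestamps matters too: an attacker can reset mtime after modifying a binary, but cannot make the trojaned file hash to the original value.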