The Threat from Within

By Jodi Mardesich

CIOs have erected firewalls and expended considerable resources putting security measures in place to prevent intrusion and to protect the theft of proprietary corporate information from malicious outsiders. Yet an even greater and more likely risk to information security is not a hacker or a virus or a worm. It's a careless or malicious insider.

Insider corporate security problems are on the rise, according to the Yankee Group. A survey of 600 companies found that in 2004, half of security problems originated from internal sources, up from 30% the previous year. Another survey, published this year by the Ponemon Institute, found that 69% of data security breaches stemmed from both malicious and non-malicious employee error. Only 16% of serious data leaks were linked to hackers or external penetration.

The need to protect company data -- proprietary product plans and strategies, as well as confidential customer and employee information -- is becoming more crucial. The dangers of information theft are myriad. The leak of confidential information about unannounced products or technologies can alert competitors and impact a company's competitive advantage. Companies stand to lose business if their customers fall victim to identity theft -- an occurrence that is becoming more common. Nine percent of online customers have experienced identity theft, according to Forrester Research Inc. Organizations will suffer bad press when they have to publicly disclose that customer data may have been compromised. And a growing number of state and federal laws require that companies protect private data of customers, sensitive corporate data, and even document the internal processes under which this data is supposed to be protected.

Identifying potential threats

Insiders can be employees, contractors, or partners with access to inside information. Working either alone, or collaborating with outsiders, they have ready access to customer, employee, product and financial data. Insider breaches fall into two main categories: the unintentional and the malicious. Unintentional or accidental breaches can be addressed by designing security policies and enforcing them. All too often, however, insider leaks are caused by a disgruntled employee, working either solo or collaborating with an agent of an external organization.

"Insider threats are the bigger issue because these are harder to detect and often result in more damaging security and information breaches," says Jonathan Penn, principal analyst, Identity and Security, for Forrester Research.

Non-malicious breaches

Non-malicious breaches happen when employees are negligent or do not pay attention to security best practices. For example, they can unwittingly download software that turns their computers into zombie PCs that join armies of similarly infected PCs to launch denial-of-service attacks on Web sites, or that are used to relay spam. Negligent employees not following security procedures might inadvertently allow an outsider to social engineer their way in to be able to obtain a password needed to access a confidential database. Perhaps the most costly form of a non-malicious breach is the theft or loss of a laptop or other mobile device containing customer names, credit card numbers, or social security numbers.

Malicious breaches

It's important to understand the motivations of insiders who engage in malicious breaches. Some breaches stem from revenge, such as when an employee is terminated. Others are motivated by money. A worker terminated from Computer Associates International Inc. may have been motivated by both. Before leaving the company, he copied the source code for a software program and then created a similar program for a competitor. Computer Associates spent years and untold dollars defending its intellectual property in court.

Other motivations are not so clear. Some employees share confidential information for fame or simply for the thrill of it. For example, there are several Web sites dedicated to rumors and leaks about forthcoming Apple Computer Inc. products. Apple has begun suing sites and employees involved in these leaks.

Steps to prevent insider attacks

Hackers devise ways to gain remote access to a network, but an insider with physical access can wreak havoc much more easily. To prevent insider attacks, CIOs should set clear information security policies, secure all mobile devices, and consider installing software that protects against information leaks.

Savvy CIOs will update security policies to address potential insider security attacks by following the following steps:

• Limit employee access to confidential information. Whether information is stored within the physical walls of the company or on laptops and other mobile devices, only trusted employees with a need to know should have access to sensitive information. CIOs need to balance protection with the employees' work environment, however.
• Set policies for terminated employees. The IT department and human resources should work together to ensure terminated employees' data access rights are revoked promptly. CIOs should implement policies for supervising and terminating IT access to former staff members, contractors, and consultants.
• Secure mobile devices. Mobile devices, such as laptops, personal digital assistants, even cell phones, can house sensitive company and customer information. Because they can be a target for thieves, as well as insiders intent on sharing corporate data with outsiders, these devices should be treated like any node on the network. CIOs should ensure each device has the appropriate authentication, access control, encryption, and intrusion prevention to keep unintended eyes from viewing sensitive information. In addition, the appropriate protection software should be installed to keep the device from being infected and then spreading a virus, worm, or bot software when the device reconnects to the corporate network.
• Protect physical access. With physical access, insiders can easily insert a CD into a drive and copy software or install malicious code that allows others on the outside to gain access to the network. Of growing concern are flash memory devices the size of a thumb or a pen that slip into any USB port, primarily because of the large amounts of data they can store -- up to one gigabyte -- and the difficulty in monitoring their use. "Most protection tools are crude and make it difficult to protect sensitive data without totally disabling the port or device and getting in the way of legitimate business uses," says Penn.

Taking further precautions

To protect corporate assets, CIOs should also consider other measures, such as screening employees before hire, paying attention to employee behavior, and installing software to help protect the network.

• Screen employees before hire. For some positions, companies should consider background checks. For example, employees who work in IT, or who have access to customer records, should be screened.
• Pay attention to erratic behavior. Employees with personal problems may be tempted to help outsiders gain entry to a corporate network. For example, an addiction to gambling or drugs could turn an employee into a malicious insider.
• Consider software tools for prevention. Organizations need to consider a wide range of new tools to address the growing insider threat. Several companies have created software aimed at preventing information leaks by monitoring, measuring and protecting information assets. "Products that automate the process of detecting inappropriate information leaks offer good protection of very specific types of data, from databases and file server subdirectories as identified by an administrator," Penn says. "But there may also be many copies resident elsewhere, or subsequently created, and so there's an emerging need for tools to discover and classify information." This whole area of information discovery, classification, and valuation is an aspect of information risk management that is just now getting the attention of CIOs and CISOs, he said.

Careless and malicious workers can inadvertently reveal personal information about employees or customers. Because such actions can result in damage to customers, damage to a company's reputation and share price, and ultimately criminal penalties, CIOs should shore up their security policies and efforts to address this growing threat.

Jodi Mardesich writes about business and technology. Her writing has appeared in The New York Times, Fortune, San Jose Mercury News, Salon, Slate, and Yoga Journal.