Training to nullify the insider threat
In the last decade, the security of the information on your networks has been focused on protecting the integrity of data from outsiders. Much of the effort has gone into perimeter security, that is, keeping outsiders from breaking into the network.
In the days of static information, hardening the outside of the corporation was a great approach. But a static boundary is not the reality that we work in today. There is no one physical place that people always work. Today, the perimeter is porous. The job of the IT department has been to enable that work, not shut it down. So the perimeter is now a set of barriers, around the corporation for certain, but also around departments, workgroups, individuals and even around bits of data.
A real problem - the threat within.
Corporations and other organizations in the United States lose more than $650 billion to fraud annually. If you include sabotage, negligence and human error, you have a number that definitely can grab the attention of any boardroom in America. These numbers, from insider activity, are what information security managers need to pay attention to in the same way that they look at outsider threats.
A recent study conducted by the United States Secret Service/US-CERT (U.S. Computer Emergency Readiness Team) showed that "insiders" are mostly male, 17 to 60 years old, half are married and from a variety of racial and ethnic backgrounds. Except for gender, the rest of the parameters point to almost anyone in the workplace.
There is a price that corporations pay for insider activity. Personal financial gain is not the primary motivating factor in insider cases. Most of the cases arise when an unhappy employee is seeking revenge, or perceives that he has unfairly experienced a negative event. And while a financial motivation was not the driving force behind the act, the study indicates that in more than 80 percent of cases the organization did experience financial loss.
So, what do you do about those bad apples? In my work with many companies over the past few years, I've seen low-tech, high-tech, policy and process. The answer is that it's a balanced approach that works, if you follow a simple set of procedures.
Classify your documents.
Start your process by identifying your in-house documents. Documents represent strategy, transactions, trends, financial performance and proprietary knowledge. There are any number of security classification systems; they can be as simple as a binary "non-public information" and "unclassified" or highly structured and complex. I like to use the classification scheme as defined by the National Institute of Standards and Technology (NIST). It's well documented and is relatively clear.
Classify your network.
It's good to know where the authorized places on the network are. Servers, data repositories, storage devices and in some cases, laptops and mobile devices are where data may reside. If there are places within your network that can be identified, tag them as the places where a given level of classified information may reside, and as the places where information of that level must never be. For instance, you may decide that records should never be saved on a portable "keyfob" device, and those locations should be identified appropriately.
Tag your documents.
Tag your documents in order to connect your policies. Tagging may be done manually, where a group of individuals review and index each document. This is expensive, time consuming, and often error producing. The more accurate and cost effective method to tag your documents is at the time of creation. The document originator is best positioned to determine the scope, place, time and sensitivity of the document. In so doing, that writer is taking only a few additional moments to place tags that can then be reviewed manually or in an automated fashion.
The highest level of tagging is all automated. At the time of creation, the system (network) itself can tag the document with time, date, device, author name, and other indicators that many file systems already record. A certified system that takes the file system properties, adds additional meta-data, and secures those tags is an approach that I would recommend. In so doing, while you may rely on the document creator to provide the initial tags for a document, an automated system provides the verification of that person's markers, and builds a more extensive set of tags that enhances the work of the author.
Track data flows.
Once tagged, observe the flows. It's important that the system doesn't force employees to interrupt their workflow. If the workflow works, it should continue. The best automated systems today can track where data flows, in the background. As that happens, it learns where the flows are going, and it can update the classification scheme and the previously set location parameters.
Enforce your policies.
Once you understand what's happening within your network, you must take action to correct gaps. Your policies and all of the hard work that you did to implement them will be moot if people don't feel the impact of the program in correcting all types of violations. Fix the unwitting problems and prosecute the willful violators. That prosecution not only stops the breach, but also sets the tone throughout the organization. Your definitive action may be a signal to others, and a sign to regulators and criminal prosecutors that your company takes its responsibilities seriously, and therefore doesn't require "assistance" from judicial or legislative agencies.
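The four steps above (classify the network, tag documents with secured metadata, track flows, enforce) can be shown end to end in a small script. The following is an added example written for this article; it is not code from the author or from Mathon Systems. It assumes the simple two-label scheme mentioned earlier ("unclassified" and "non-public"), a constructed set of network locations with a per-location policy, and a tagging service that seals each document's tags with an HMAC under a key the document owner does not hold, so that a downgraded label is detected when the flow is checked. The document names, authors, devices and flow records are all constructed.

```python
import hashlib
import hmac
import json

# Constructed labels for the simple two-level scheme the article mentions.
UNCLASSIFIED = "unclassified"
NON_PUBLIC = "non-public"

# Constructed map of network locations to the labels allowed there
# (the "classify your network" step). Names and policy are assumptions.
LOCATION_POLICY = {
    "file-server": {UNCLASSIFIED, NON_PUBLIC},
    "laptop": {UNCLASSIFIED, NON_PUBLIC},
    "keyfob": {UNCLASSIFIED},     # portable device: never non-public records
    "webmail": {UNCLASSIFIED},    # leaves the organization entirely
}

# Assumed: a secret held only by the tagging service, so a tag's MAC cannot be
# recomputed by a user who edits the label on their own copy.
TAGGING_KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(fields):
    # Stable serialization so the same fields always produce the same MAC.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def create_tag(doc_id, author, label, created, device):
    """Combine the author's label with system-supplied properties and seal
    the result with an HMAC so later edits are detectable."""
    if label not in (UNCLASSIFIED, NON_PUBLIC):
        raise ValueError("unknown classification label")
    fields = {"doc": doc_id, "author": author, "label": label,
              "created": created, "device": device}
    mac = hmac.new(TAGGING_KEY, _canonical(fields), hashlib.sha256).hexdigest()
    return {"fields": fields, "mac": mac}


def verify_tag(tag):
    """True only if the tag's fields still match the sealed MAC."""
    expected = hmac.new(TAGGING_KEY, _canonical(tag["fields"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag["mac"])


def check_flows(tags, flows):
    """Evaluate observed document movements (doc, source, destination, actor)
    against the location policy. Returns (doc_id, reason) pairs for the
    enforcement step; an empty list means every flow was within policy."""
    findings = []
    for doc_id, src, dst, actor in flows:
        tag = tags.get(doc_id)
        if tag is None:
            findings.append((doc_id, f"untagged document moved to {dst} by {actor}"))
            continue
        if not verify_tag(tag):
            # Integrity check comes first: a tampered label must not be trusted
            # for the policy decision below.
            findings.append((doc_id, f"tag integrity failure (moved to {dst} by {actor})"))
            continue
        label = tag["fields"]["label"]
        allowed = LOCATION_POLICY.get(dst)
        if allowed is None:
            findings.append((doc_id, f"unknown destination {dst} (moved by {actor})"))
        elif label not in allowed:
            findings.append((doc_id, f"{label} document moved {src} -> {dst} by {actor}"))
    return findings


def demo():
    # Constructed documents, tagged at creation time.
    tags = {
        "Q3-forecast.xlsx": create_tag("Q3-forecast.xlsx", "alice", NON_PUBLIC,
                                       "2024-01-10T09:12:00Z", "ws-17"),
        "lunch-menu.docx": create_tag("lunch-menu.docx", "bob", UNCLASSIFIED,
                                      "2024-01-10T09:30:00Z", "ws-04"),
        "board-minutes.pdf": create_tag("board-minutes.pdf", "carol", NON_PUBLIC,
                                        "2024-01-10T10:05:00Z", "ws-22"),
    }
    # Simulate a label downgraded on the file without the tagging key.
    tags["board-minutes.pdf"]["fields"]["label"] = UNCLASSIFIED

    # Constructed flow log: (document, from, to, actor).
    flows = [
        ("Q3-forecast.xlsx", "file-server", "laptop", "alice"),    # within policy
        ("Q3-forecast.xlsx", "laptop", "keyfob", "alice"),         # location violation
        ("lunch-menu.docx", "file-server", "keyfob", "bob"),       # within policy
        ("board-minutes.pdf", "file-server", "webmail", "dave"),   # tamper detected
    ]
    return check_flows(tags, flows)


if __name__ == "__main__":
    for doc, reason in demo():
        print(f"{doc}: {reason}")
```

Running the script reports two findings: the non-public forecast copied to the keyfob, and the board minutes whose label no longer matches its seal. The first is the "unwitting problem" the article says to fix; the second is the kind of deliberate change that the enforcement step exists to follow up on. Because the MAC is checked before the label is trusted, a tampered tag never produces a false "allowed" decision.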
In today's climate of increased regulatory as well as competitive pressures, it's easy to focus on the threats to the organization from the outside, and ignore other real threats to the organization from the inside. We must balance our deployments appropriately, between the outside and the inside threat. It starts with the recognition of the problem, and then these few implementation steps in order to keep ahead of the game.
Angus MacDonald is CEO of Mathon Systems.