The new employee in human resources. The long-time company loyalist in the finance department. The temp working nearby. And now, more contract employees brought on to save on costs associated with hiring full-time staff.
For IT pros charged with protecting a company from insider loss or theft of critical data, each of these employees is a potential risk — even the ones who are far from looking like the stereotypical disgruntled employee.
Besides intentional insider theft of sensitive data, or the simple errors that lead to exposures, corporate security practitioners must still pay attention to further threats. With the help of readily available tools on the internet and a trusted insider looking for a cut of the take, cybercriminals have plenty of methods at their disposal to steal crucial money-making data. Phishing emails, portable storage devices like iPods and USB drives, or other attack tools — along with some inside assistance — can make it that much easier for cyberthieves to get their hands on corporate information for either use or resale, according to many experts.
On top of these threats, companies that provide customers with convenient home-based services — and give third-party vendors access to sensitive information from multiple locations with little oversight — are unintentionally placing themselves at increased risk of an insider-prompted breach, according to Sam Curry, vice president of product management and product marketing at RSA, the security division of EMC.
“Companies are looking to roll out more services and to get more out of their data, and the big obstacle to that is security. First, the data is more mobile and second, the bad guys are more organized,” he says.
The case of Gary Min, a former DuPont employee who was sentenced to 18 months in prison after he pleaded guilty to stealing more than $400 million in trade secrets, is a much-cited example of a corporate insider gone wrong. Once a high-ranking scientist at the Delaware-based company, Min attempted to take his wrongfully accessed information to his new employer.
However, a careless employee can be just as dangerous as a vengeful one. A worker who brings a laptop home, disregarding company policy, or leaves it in their automobile, could be placing the personal information of millions of employees or customers at risk. While yesterday's criminals were after the laptops themselves, today's bad eggs realize the importance of the data stored on them, according to Ted Julian, VP of marketing at Application Security, Inc.
“The bad guys have gone pro, and they're after data that they can sell, and that's what's driven the north-of-250-million records compromised over the past two years, and it's also triggered a change in tactics in what they're targeting and their methods in targeting that data,” he says. “The dilemma that enterprises face: it could be the well-placed attacker, it could be the rogue insider with an iPod, and it could be that the insider has an accomplice, or it could be the employee who unwittingly gets phished.”
Some business trends intended to help corporations save money and personnel may have an unintentionally harmful effect on network and data security. The increased use of third-party vendors has changed the definition of who security professionals consider to be an insider, according to Ivan Arce, chief technology officer at Core Security Technologies.
“Another problem is [the question of] who's an insider, because there are so many initiatives that you outsource, you don't know who's an insider and who's not an insider anymore,” he says. “In terms of protection, you can see that the industry is reacting in certain ways — NAC, policy enforcement — and, on the other hand, you can see a whole bunch of other things with productivity and identity management. You see different attempts at addressing the problem, but none of them that I know of are the silver-bullet solution. There is no technology solution by itself.”
Cybercriminals also have a number of new advantages when launching insider-based attacks. Attack technologies are readily available on the web, meaning that virtually anyone, aided by a well-placed associate with access, can launch a successful insider attack on a company, says Steve Davis, consultant at Mandiant, an incident-response organization.
“They're becoming a lot easier. It's not even a penetration test. It's really just going on the internet and running a tool and you're done,” says Jones. “All you have to have is the internet.”
The relative ease of pulling off an insider-aided attack, along with the myriad reports of data loss on the front pages of newspapers and websites, indicates that most IT professionals are aware of the threat posed by a disgruntled employee. For them, a bigger challenge is convincing a corporate executive in charge of the company purse strings that employee monitoring is just as high a priority as other threats, says Julian.
“Everybody is aware. I don't think awareness is the issue. I think it's constrained budget and the difficulties of changing priorities. It's not an easy conversation to have to go to a CEO and say that the $3 million we spent last year isn't relevant because the threats have changed,” he says. “Another trend I highlight is that [IT pros are] tying this to compliance budgets, because those are budgets you can quite easily drive for.”
With challenges such as tight budgets, the use of third parties, already constrained internal resources, and more proficient cybercriminals, IT professionals require a multifaceted response to insider threats. The best way to combat insider risks is to employ sound technological offerings, end-user education and policy enforcement across networks, says Ellen Libenson, vice president of product management at Symark, an identity management vendor.
“I think people are admitting to the fact that this is a pretty big problem. Unfortunately, it is a problem that if they institute best practices they could get rid of a lot of these instances,” she says. “We like to think we can trust everyone around here, but we have these super users who can do the most harm. I'm not saying don't trust them, but it's the old Ronald Reagan thing: trust, but verify.”

BY THE NUMBERS:
Source: The Confessions survey: Office workers reveal everyday behavior..., conducted by RSA, the security division of EMC, during October and November 2007 in Boston and Washington, D.C.
- 35% of respondents felt the need to work around established security policies to get their job done.
- 63% send work documents to personal email addresses to access them from home.
- 87% work remotely over a virtual private network (VPN) or personal or corporate webmail.
- 56% have accessed their work email via a public wireless hotspot, such as from a Starbucks.
- 52% access their work email via a public computer, such as from a public library.
- 34% have held a secured door open for someone at work that they did not recognize.