The dangers of insider threat
Whilst the media seems pre-occupied with cybercriminals attacking organizations from outside their networks, a survey just published shows that 23 per cent of UK employees will take customer lists and other sensitive data with them when they leave their employer.
“More than anything, this highlights something we’ve been saying for some time, namely that with insider threats, IT managers are fighting a less visible, but not less difficult threat in addition to the well publicized external threats. Staff are precisely the people who have access to data that needs to be secured and carefully controlled,” said Amichai Shulman, CTO of Imperva.
In addition, the survey shows that the insider threat is not always the potentially rogue employee for whom a background check has been completed. Staff also need to be monitored during their employment, because the information is not necessarily “maliciously” downloaded after the termination notice; often it was rightfully obtained and collected by the employee over time, and should have been removed by the IT team upon termination.
According to Shulman, this scenario is similar to that of the scientist at DuPont who claimed ownership of the formulas he discovered, treating them as part of his work portfolio to be presented at his next company, despite the fact they were allegedly worth $400 million. In general, any documentation that is not explicitly marked as public should be considered sensitive and proprietary by all.
The problem with the insider threat in this case, the Imperva CTO says, is drawing the line between what is company intellectual property and what are the skills an employee has established over the years. There should be a clear distinction between an employee’s claim regarding the ownership of certain knowledge and the ownership of any materialized form of that knowledge. I’ll give two examples. In the DuPont example, I don’t believe that the employee had any true legal claim regarding the knowledge and most certainly should not be allowed to take the documents with him. In the case of a contact list, there is probably much truth in the fact that these relationships are the employee’s “core competence” (much like a programmer’s coding skills obtained during his employment period). However, retrieving the list of contacts from a company database and storing them to a file should be considered illegal.
Shulman says it is interesting to note that the survey also asked workers what they would do if they were inadvertently granted access to a confidential file – such as one containing salary information, personal data, or plans for a pending merger.
The survey revealed that only 57 per cent of UK respondents would look at the file. This figure is surprising, as I would have thought that 99% of people accidentally stumbling onto such information on the web would have read the file. The fact that the percentage among employees is lower is an indication of loyalty. However, employers still need to be cautious, as this shows how existing employees can be considered a snooping risk.
“The moral here is that you must secure all your company data and only allow authenticated plus logged access on a carefully controlled access basis,” Shulman said.
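The closing advice, authenticated and logged access on a carefully controlled basis plus removal of access on termination, can be made concrete with a small gate in code. The block below is an added illustration, not code from the article or from Imperva: the users, roles, resource names, session tokens and the export threshold are all constructed for the demonstration, and the `tok-<name>` token check stands in for a real authentication system. It logs every request, denies anything the requester is not explicitly entitled to, revokes everything at offboarding, and then audits the log for the two patterns the article describes: snooping attempts on confidential files and bulk export of a customer list.

```python
"""Added example (not the article's or Imperva's code): an access gate that
authenticates, authorises against explicit entitlements, logs every decision,
revokes access at termination, and audits the log for insider-risk signals.
All names, tokens and records are constructed for this demo."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class User:
    name: str
    roles: set
    active: bool = True


# Constructed entitlement map: which roles may touch which classified resource.
# Anything not listed here is denied by default (no implicit access).
ENTITLEMENTS = {
    "crm/customer_list": {"sales", "sales_ops"},
    "hr/salary_2024": {"hr"},
    "exec/merger_plan": {"exec"},
}


@dataclass
class AccessGate:
    users: dict
    log: list = field(default_factory=list)

    def request(self, username, session_token, resource, action, rows=1):
        """Return True only if the caller is authenticated AND entitled; log either way."""
        now = datetime.now(timezone.utc)
        user = self.users.get(username)
        # 1. Authentication: unknown user, disabled account, or bad token.
        #    (The "tok-<name>" scheme is a stand-in for a real session store.)
        if user is None or not user.active or session_token != f"tok-{username}":
            self._record(now, username, resource, action, rows, "DENY_AUTH")
            return False
        # 2. Authorisation: the resource must be explicitly entitled to one of the user's roles.
        if not (user.roles & ENTITLEMENTS.get(resource, set())):
            self._record(now, username, resource, action, rows, "DENY_AUTHZ")
            return False
        self._record(now, username, resource, action, rows, "ALLOW")
        return True

    def terminate(self, username):
        """Offboarding: strip every role and disable the account immediately."""
        user = self.users[username]
        user.roles = set()
        user.active = False
        self._record(datetime.now(timezone.utc), username, "-", "terminate", 0, "REVOKED")

    def _record(self, when, who, resource, action, rows, outcome):
        self.log.append({"ts": when.isoformat(), "user": who, "resource": resource,
                         "action": action, "rows": rows, "outcome": outcome})


def audit(log, export_threshold=500):
    """Flag (a) denied attempts on confidential data (snooping) and
    (b) large exports of the customer list (data walking out the door).
    The threshold is a constructed tuning value, not a standard."""
    findings = []
    for rec in log:
        if rec["outcome"] == "DENY_AUTHZ":
            findings.append(("snooping_attempt", rec["user"], rec["resource"]))
        elif (rec["outcome"] == "ALLOW" and rec["action"] == "export"
              and rec["rows"] >= export_threshold):
            findings.append(("bulk_export", rec["user"], rec["resource"]))
    return findings


def demo():
    """Constructed scenario: a sales user, an engineer who snoops, a bulk export, an offboarding."""
    users = {"alice": User("alice", {"sales"}), "bob": User("bob", {"engineering"})}
    gate = AccessGate(users)
    gate.request("alice", "tok-alice", "crm/customer_list", "read")                 # allowed
    gate.request("bob", "tok-bob", "hr/salary_2024", "read")                        # denied: not entitled
    gate.request("alice", "tok-alice", "crm/customer_list", "export", rows=12000)   # allowed but flagged
    gate.terminate("alice")                                                         # offboarding
    gate.request("alice", "tok-alice", "crm/customer_list", "read")                 # denied: account revoked
    return gate, audit(gate.log)


if __name__ == "__main__":
    gate, findings = demo()
    for rec in gate.log:
        print(rec)
    print("findings:", findings)
```

The design point is that the gate never consults the caller's intent, only entitlements and account state, so the audit step is where the article's "snooping risk" and "customer list leaving with the employee" cases become visible: the denied attempt is evidence of the former, and the large allowed export is evidence of the latter, which is why allowed accesses must be logged too and not just failures.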