The enemy within

Recent high-profile cases in the press have called attention to the threat the trusted insider can pose to the security of an organization. A recent survey highlighted that employees often have access rights that are way beyond the ones they actually require for their roles. Another survey by the University of Glasgow showed the risks posed to corporate data by employees using consumer-based cloud services such as Dropbox.

While many organizations are aware of the threat coming from internal sources, they are often reluctant to acknowledge it as it implies they don’t trust their employees. Another problem is our natural instinct telling us not to trust strangers, and consequently we focus much more on external threats.

In addition to this, the external threat is the one that gets the most media publicity and as a result is easier to “sell” to senior management. However, study after study highlights that an increasing number of breaches are being caused by the accidental or deliberate actions of the trusted insider.

While malicious attacks tend to be rarer than accidental attacks, they can invariably cost the organization more due to their targeted nature. Another thing to consider is that many criminals are now using innocent insiders as a way to gain access to data. This can be achieved by sending a malicious attachment or link via email, and results in the download of malicious software onto the unsuspecting users’ PC, or simply them being tricked into revealing their password.

The current economic climate creates a lot of new risks and amplifies existing ones. Cutbacks in staff numbers or hiring freezes can lead to the remaining staff being overworked, resulting in them potentially making more mistakes. The cutbacks can also result in fewer experienced staff being available to spot a mistake or deliberate act that could lead to a breach.

Other staff, especially those who have had their pay reduced or feel their job is under threat, may be under increased financial pressure which could make them more susceptible to stealing data for financial gain or being bribed to do so.

Staff may also steal specific data, such as customer lists, intellectual property or other sensitive business information as a “safety net” in the event they lose or change jobs as they feel having this data may provide them with an advantage when applying for or starting a new role. Finally, if a company is undergoing financial cut backs and redundancies are on the horizon, some staff may resent this and see stealing data as a way of getting revenge on the company.

So, how should an organization deal with the insider threat? The best way is to identify your key information assets, where they are located and who has access to them. Then you need ask yourself whether all the people who have access to that asset really need to have it, and whether their access rights are at the appropriate level. This is an exercise that should be done regularly.

You should also actively monitor and review your security logs and audit trails for any unusual activity or logins. Make sure that staff members are aware of the insider threat and the damage insiders can cause to the organization and potentially their jobs, so they can be vigilant for unusual or suspicious activity. Remember to keep staff aware of any new threats, such as new viruses or phishing emails, so they can be identify potential attacks or data losses.

Too often we read about a security breach that can be linked back to a former employee’s account that was not deleted or disabled when he or she left the organisation. So remember to ensure you remove access to systems for staff that have moved on from the company or have been made redundant.

While it is not comfortable to think of a work colleague being the source of a security breach, it is a real threat and one that needs to be managed properly. Remember, in security as in all parts of life, it is always the people you trust the most that have the potential to hurt you the most.

Brian Honan is an independent security consultant based in Dublin, Ireland, and is the founder and head of IRISSCERT, Ireland’s first CERT. He is a Special Advisor to the Europol Cybercrime Centre, an adjunct lecturer on Information Security in University College Dublin, and he sits on the Technical Advisory Board for a number of innovative information security companies. He has addressed a number of major conferences, he wrote the book ISO 27001 in a Windows Environment and co-author of The Cloud Security Rules. He regularly contributes to a number of industry recognized publications and serves as the European Editor for the SANS Institute’s weekly SANS NewsBites.