Protect your business from insiders

Protect your business from insiders: Manage the people threat

by Keith Chval and Ben Bradley

Virtually every piece of data worth stealing is stored electronically. As a result, employers must balance access to information with their responsibility to protect those assets from misuse.

While it is difficult to protect electronic assets against the actions of determined insiders, a few common sense proactive measures can reduce the risk that rogue insiders will be able to compromise your data. At the same time, you can position your enterprise to quickly and effectively respond should such an insider manage to access your data.

Keys to the Kingdom

Insiders pose the second greatest threat to cyber security, according to the 2004 E-Crime Watch Survey, conducted by CSO magazine, the U.S. Secret Service and the CERT Coordination Center at Carnegie Mellon University. Among the respondents, 37 percent said hackers posed the greatest cyber security threat, followed closely by the 29 percent who saw insiders as posing the greatest threat.

Let’s start by defining what we mean by an insider.

An insider is an individual who enjoys a trusted status with your enterprise – a former employee, a current employee, a contractor, a customer or even a vendor acting on motives that are inconsistent with the best interests of your enterprise. The potential motives are many – a missed promotion or salary increase; a belief that an employee can make better money elsewhere, with your client list; or simply an individual caught up in criminal or inappropriate conduct who uses your resources to do so. Regardless of motive, the end-result is that a rogue insider is committing acts that jeopardize the livelihoods of you and the other stakeholders of your enterprise.

Especially in an information intensive business, a rogue insider can threaten your livelihood in many different ways. It’s not difficult to imagine the enormous damage to your enterprise if your customer list disappeared, your competitors received a copy of your marketing plan, all your files disappeared or you had to scramble to rebuild your network.

In every case, the impact can be far greater than simple lost productivity, and in most cases the damage would be hard to calculate. Damage to your reputation, lost revenue, and lost opportunities don’t even begin to describe the mess a rogue insider can make.

Because of their trusted status, insiders literally hold the keys to the company kingdom. With a simple login, a rogue insider can wreak havoc in no time – even long after he has lost physical access to your facilities. For management, the idea that a single person can access and control the entire network from a corner Starbucks anywhere in the world should be a source of great concern.

The first step in protecting yourself from the damage a rogue insider can cause is identifying your key informational assets, and then systematically determining who needs access to that information and for what purposes. With this in hand, you can develop and implement policies and procedures that provide the necessary access to that information and the related systems, while building in security and monitoring measures appropriate to the level of sensitivity you have assigned to each asset or system.
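One way to make that step concrete is to record the asset register, the access each role genuinely needs, and the access actually granted, then reconcile them. The example below is added here and is not part of the original article; the asset names, sensitivity levels, roles and users are constructed for illustration, and the monitoring threshold is an assumed policy choice.

```python
"""Least-privilege check: granted access vs. documented need.

Added example, not from the article. The asset register, role
entitlements, grants and monitoring threshold are all constructed.
"""

# Constructed asset register: asset -> sensitivity (1 = low, 3 = high).
ASSETS = {
    "customer-list": 3,
    "marketing-plan": 3,
    "intranet-wiki": 1,
    "source-repo": 2,
}

# Constructed role entitlements: which assets each role needs, and why.
ROLE_NEEDS = {
    "sales": {"customer-list": "contact customers", "intranet-wiki": "reference"},
    "marketing": {"marketing-plan": "author and maintain", "intranet-wiki": "reference"},
    "developer": {"source-repo": "develop", "intranet-wiki": "reference"},
    "it-admin": {"source-repo": "administer", "intranet-wiki": "administer"},
}

# Constructed current grants: user -> (role, assets actually granted).
GRANTS = {
    "jdoe": ("developer", {"source-repo", "intranet-wiki", "customer-list"}),
    "asmith": ("sales", {"customer-list", "intranet-wiki"}),
    "bsysop": ("it-admin", {"source-repo", "intranet-wiki", "marketing-plan"}),
}

# Assumed policy: assets at this sensitivity or above get access monitoring.
MONITOR_AT_OR_ABOVE = 3


def excess_grants(grants, role_needs):
    """Return {user: sorted assets granted without a documented role need}."""
    excess = {}
    for user, (role, granted) in grants.items():
        needed = set(role_needs.get(role, {}))
        extra = sorted(granted - needed)
        if extra:
            excess[user] = extra
    return excess


def monitoring_scope(grants, assets, threshold=MONITOR_AT_OR_ABOVE):
    """Return {asset: sorted users holding access} for assets that warrant monitoring."""
    scope = {}
    for asset, level in assets.items():
        if level >= threshold:
            scope[asset] = sorted(u for u, (_, g) in grants.items() if asset in g)
    return scope


if __name__ == "__main__":
    for user, extra in excess_grants(GRANTS, ROLE_NEEDS).items():
        print(f"{user}: access beyond role need -> {', '.join(extra)}")
    for asset, users in monitoring_scope(GRANTS, ASSETS).items():
        print(f"monitor {asset}: {', '.join(users)}")
```

Run periodically, the first function turns "who needs access" into a list of grants to remove; the second turns the sensitivity assignment into the set of accounts whose use of each high-value asset should be logged and reviewed.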

Most experts agree that the IT department is one operational area worthy of extra attention regarding these issues. The heightened knowledge about your systems and data makes the prospect of a “rogue IT insider gone wild” particularly frightening.

Minimize the Human Risk

Many business owners hire new employees and contractors assuming that these individuals have only the best of intentions and are of the highest character. It is important to hedge your positive assumptions with the right technology and the right processes.

“Write your Acceptable Use Policy (AUP) down, make sure everyone knows about it and understands it. An AUP is an agreement between the business and its employees that outlines the terms of Internet and technology resource usage and acceptable rules of behavior. Then enforce it with an even hand,” advises Scott Nelson, president of Employee Management Services (www.eos123.com), an HR outsourcing company located in Burr Ridge, Illinois. Nelson believes protecting your business from internal threats begins with common sense.

Eliminate the expectation of privacy. Let employees know that you are watching and monitoring what they send and view. Content filtering, email archiving, and even simple reviews of internet history can be very useful.

Try to understand what parts of your business are more valuable than others – work to protect those assets with a combination of process and technology.

Instituting effective employee due diligence procedures can also provide your enterprise with an important layer of security. By protecting your valuable information (assets) and technology with strong hiring policy and processes, you address both internal and external threats. In the same way your firewall protects you from threats from outside traffic, an effective employment candidate due diligence process, coupled with periodic post-hire updates, can provide protection from threats posed by rogue insiders.

Mark J. Neuberger, a partner in the Miami office of Buchanan Ingersoll PC (www.bipc.com) goes even further by suggesting that I.T. professionals and contractors be interviewed and hired differently than other employees. “This means their backgrounds are subject to greater scrutiny when recruiting and selecting.”

Extra Level of Vigilance

When recruiting I.T. staff, a heightened level of background and reference checking should become standard operating procedure. An important consideration in enhancing the due diligence of your recruiting process is determining who will conduct the checks. Avoid the temptation to assign this critical responsibility to your headhunter. A conflict of interest exists when the person compensated for the placement is assigned responsibility for finding reasons not to hire the candidate.

Neuberger advises that once hired, I.T. employees’ activities and performance be subject to a greater degree of vigilance and scrutiny. “There is nothing illegal with this kind of differential treatment so long as the employee understands what is expected and what will happen if their performance does not conform to these higher standards.”

Once hired, I.T. staff should be monitored and reviewed on a regular basis. Management should maintain a basic understanding of security processes and should consider a regular security audit conducted by an objective third party. This process will show what is on your system, how it is being used and who is using it. Outside objective help may be needed to perform the audit and to ensure that all security issues are addressed. Audits reveal the latest vulnerabilities within your network, provide critical checks and balances and often provide remediation guidance.

In addition, identify and watch for the development of “situational precursors” that can often foretell future misconduct by an insider. Most people don’t set out to lead a life of crime or otherwise act in a way that is dishonorable. Typically, this behavior arises when an individual sees no acceptable way out of an unanticipated situation. Examples include financial difficulties, marital problems, or a brush with the law. The trigger may also be an employment-related issue as mentioned earlier in this article, or simply something as mundane as a close associate who leaves the enterprise and entices the insider to join him or her.

Procedures should be instituted to help you identify these situational precursors. For instance, periodic due diligence updates can identify when post-hire financial or legal difficulties have arisen. Requiring managers and HR personnel to notify security when unfavorable performance reviews or disciplinary actions take place is another step that can be implemented.

Policies and procedures should be designed and implemented to protect your organization should this potential rogue insider succumb to the temptation to solve their problem at your expense. Closer monitoring of e-mail traffic (including content), periodic digital “snapshots” and review of the individual’s workstation, and review of worksite access logs for unusual patterns, are just a few simple things that can be done to protect you and your enterprise’s stakeholders from the damage that can be done by a rogue insider.
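The "review of worksite access logs for unusual patterns" mentioned above is easy to automate for the two patterns that most often matter: entry to a sensitive area outside business hours, and repeated denied attempts at a door the person is not entitled to use. The following is an added example, not code from the article; the badge log lines, door names, business hours and denial threshold are all constructed or assumed, and a real deployment would read the log exported by the access-control system.

```python
"""Flag unusual worksite access patterns in badge/door logs.

Added example (not from the article). The log format, badge holders,
'business hours' baseline and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log: date, time, badge holder, door, result.
SAMPLE_LOG = """\
2005-06-13 08:52:11 jdoe MAIN-LOBBY GRANTED
2005-06-13 09:03:40 asmith MAIN-LOBBY GRANTED
2005-06-13 18:11:02 jdoe MAIN-LOBBY GRANTED
2005-06-13 23:47:19 jdoe SERVER-ROOM GRANTED
2005-06-14 00:05:33 jdoe SERVER-ROOM GRANTED
2005-06-14 02:31:57 jdoe SERVER-ROOM GRANTED
2005-06-14 07:58:00 asmith MAIN-LOBBY GRANTED
2005-06-14 08:10:12 asmith SERVER-ROOM DENIED
2005-06-14 08:10:45 asmith SERVER-ROOM DENIED
2005-06-14 08:11:03 asmith SERVER-ROOM DENIED
2005-06-14 08:11:20 asmith SERVER-ROOM DENIED
"""

# Assumed policy baseline: normal hours, areas worth extra scrutiny,
# and how many denials on one door in one day count as a pattern.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)
SENSITIVE_DOORS = {"SERVER-ROOM"}
DENIED_THRESHOLD = 3


def parse_log(text):
    """Parse the constructed log format into (timestamp, who, door, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, who, door, result = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, who, door, result))
    return events


def find_anomalies(events):
    """Return a sorted list of (badge holder, reason) findings."""
    findings = []
    after_hours_sensitive = defaultdict(int)
    denials = defaultdict(int)
    for ts, who, door, result in events:
        in_hours = BUSINESS_START <= ts.time() <= BUSINESS_END
        if result == "GRANTED" and door in SENSITIVE_DOORS and not in_hours:
            after_hours_sensitive[who] += 1
        if result == "DENIED":
            denials[(who, door, ts.date())] += 1
    for who, n in after_hours_sensitive.items():
        findings.append((who, f"{n} after-hours entries to sensitive area"))
    for (who, door, day), n in denials.items():
        if n >= DENIED_THRESHOLD:
            findings.append((who, f"{n} denied attempts on {door} on {day}"))
    return sorted(findings)


if __name__ == "__main__":
    for who, reason in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{who}: {reason}")
```

The thresholds are deliberately simple; the point is that the review becomes a repeatable report rather than an occasional manual read of the log, so that a change in someone's pattern is noticed the day it begins.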

Termination Considerations

Terminations should rarely be an unplanned-for event. Typically, a termination comes as a surprise to no one, often foretold by one or more of the precursor events or circumstances just mentioned. Similarly, it’s most likely not news to anyone that a termination, and the period leading up to it, is one of the most frequent periods of employee misconduct.

To protect your enterprise’s digital jewels, you must have in place, and consistently execute, policies and procedures designed to minimize the risk associated with the termination of employment relationships. Naturally, these policies and procedures should be tailored to reflect the varying responsibilities and sensitivities associated with different job functions within your organization.

As you might expect, perhaps the highest degree of security should be employed when the individual facing termination is part of the I.T. staff. The termination process should include measures to ensure that, once terminated, an employee no longer has access to enterprise resources.

The terminated employee’s passwords and access codes should be revoked at the same moment the employee is informed of the termination. This requires close coordination to ensure that a delayed termination meeting doesn’t give unintended advance notice through premature access denial. A rogue insider tipped off to his imminent demise may take that opportunity to quickly destroy or secrete critical enterprise assets before the delayed termination ultimately takes place.

In addition, ensure that any new systems implemented during that employee’s tenure have had their default access codes disabled. This should be done as a matter of course, but far too frequently a now-former employee accesses company e-mail or voice mail systems using previously established default login codes and wreaks havoc on the organization, and occasionally on the personal lives of its employees.

Similarly, make sure that necessary personnel, including vendors and contractors, have been informed that the employee is now a former employee and is no longer entitled to access to organizational resources and information. This can be done in a sensitive way to avoid undue embarrassment to anyone, and perhaps avoid stirring up a hornet’s nest.
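The three termination steps above (revoke every account at the moment of notice, disable default logins on systems the employee set up, and confirm nothing is used afterwards) can be checked with one post-termination reconciliation. The example below is added here and is not the article's own procedure; the account inventory, the default-login list, the access events and the termination record are all constructed, and in practice each list would be pulled from the directory, VPN, mail and voice mail systems.

```python
"""Post-termination access reconciliation.

Added example, not from the article. Every data set below is constructed;
a real version would query each system for its current account state.
"""
from datetime import datetime

# Constructed inventory: one row per account on each system.
ACCOUNTS = [
    {"system": "directory", "user": "jdoe", "enabled": False},
    {"system": "vpn", "user": "jdoe", "enabled": True},
    {"system": "email", "user": "jdoe", "enabled": True},
    {"system": "voicemail", "user": "jdoe", "enabled": False},
    {"system": "directory", "user": "asmith", "enabled": True},
]

# Constructed list of shared/default logins on systems the employee set up.
SYSTEM_DEFAULTS = [
    {"system": "voicemail", "login": "admin", "default_password": True},
    {"system": "pbx", "login": "admin", "default_password": False},
]

# Constructed access events after the termination meeting: (system, user, time).
ACCESS_EVENTS = [
    ("vpn", "jdoe", "2005-06-15 21:40:05"),
    ("email", "asmith", "2005-06-15 09:00:00"),
    ("vpn", "jdoe", "2005-06-15 13:30:00"),
]

TERMINATION = {"user": "jdoe", "effective": "2005-06-15 14:00:00"}
FMT = "%Y-%m-%d %H:%M:%S"


def offboarding_findings(user, effective, accounts, defaults, events):
    """Return what still needs attention for a terminated user.

    still_enabled:           systems where the user's own account is still on
    default_credentials:     systems still reachable with a default login
    post_termination_access: (system, time) events by the user after 'effective'
    """
    cutoff = datetime.strptime(effective, FMT)
    still_enabled = sorted(
        a["system"] for a in accounts if a["user"] == user and a["enabled"]
    )
    default_credentials = sorted(
        d["system"] for d in defaults if d["default_password"]
    )
    post_termination_access = sorted(
        (system, when)
        for system, who, when in events
        if who == user and datetime.strptime(when, FMT) > cutoff
    )
    return {
        "still_enabled": still_enabled,
        "default_credentials": default_credentials,
        "post_termination_access": post_termination_access,
    }


if __name__ == "__main__":
    report = offboarding_findings(
        TERMINATION["user"], TERMINATION["effective"],
        ACCOUNTS, SYSTEM_DEFAULTS, ACCESS_EVENTS,
    )
    for key, items in report.items():
        print(f"{key}: {items if items else 'clear'}")
```

Any non-empty list is an action item: disable the account, change the default login, or open an investigation into the access that occurred after the meeting.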

Wrapping it Up

The risks posed by the vulnerabilities inherent in your technologies cannot be ignored by any enterprise. Fortunately, there are realistic, cost-effective steps that enterprises of all sizes can implement that allow them to continue leveraging technology while mitigating the risks. Managing the “insider” risk through effective policies and procedures is one such area ripe for attention.

While much of this discussion has focused on the employer/employee relationship in an I.T. department, many of the principles discussed apply to other operational areas within the enterprise, as well as to “insiders” other than employees, as defined at the outset of this article. Due diligence, vigilance for “precursor situations,” and management of the (relationship) termination process should be applied equally to all “insiders.”

By managing the insider risk to your enterprise’s informational assets, hoping for the best while preparing for the inevitable, you can avoid the worst and, in the process, add value for yourself, your enterprise, and its stakeholders.

ABOUT THE AUTHOR

Keith Chval is a principal with Protek International (www.protekintl.com), a computer forensics, litigation support, and investigations firm, and a member of the law firm of Connolly, Ekl & Williams PC, both Chicago-suburban based. From April 1998 to June 2005, Chval served as the Chief of the High Tech Crimes Bureau with the Illinois Attorney General’s Office where he conceptualized, implemented, and supervised this specialized unit serving as a statewide legal and technical resource for prosecution, investigation assistance, forensics services, and training to federal, state, and local law enforcement and prosecutors.

Reprinted with permission of CDW and http://www.biztechmagazine.com
