
Insiders can cause untold reputational and financial damage to organizations, yet companies often underestimate the insider threat until a significant breach occurs.

“It could have been prevented.”

That’s what Gordon Hannah and Kelly Bissell, both principals with Deloitte & Touche LLP’s Security & Privacy practice, say about many cases in which insiders maliciously stole intellectual property (IP) or inadvertently compromised sensitive information. The “Common Sense Guide to Mitigating Insider Threats,” a publication of the Computer Emergency Response Team (CERT) at the Carnegie Mellon University Software Engineering Institute, defines insiders as current or former employees, contractors, or business partners who have or had authorized access to an organization’s network, system, or data.

Hannah estimates that insiders perpetrate 20 to 30 percent of major security breaches. The 2011 CyberSecurity Watch Survey, conducted by CSO magazine and sponsored by Deloitte, found insiders behind 21 percent of cyber attacks at surveyed organizations. In the financial services industry, the share of incidents attributed to insiders rises to 74 percent, according to the 2012 Insider Threat Study from the Carnegie Mellon University Software Engineering Institute CERT division.

The damage insiders can cause to an organization’s reputation and competitiveness can be devastating. A research scientist who worked at different times for a large chemical company and a diversified manufacturer admitted to stealing trade secrets from both companies worth between $7 million and $20 million, according to the U.S. Justice Department. A software engineer who worked for a handset manufacturer stole trade secrets related to a proprietary technology the manufacturer had spent hundreds of millions of dollars to develop, according to the FBI. A government agency had to pay $20 million to settle a class action lawsuit after a laptop containing the names and social security numbers of millions of personnel was stolen from an employee’s home.

Incidents like those are not uncommon, says Bissell. But he and Hannah say organizations can detect and, in many cases, prevent them with an insider threat mitigation strategy that combines an awareness of an organization’s information assets with policies, technologies, and incident response processes designed to protect them.

Awareness: Know Where Sensitive Information Flows

According to Hannah, an insider threat mitigation strategy should begin with an assessment of the data and information assets requiring extra protection. He says information security chiefs should know:

The facilities and systems where an organization’s critical information is stored, whether inside the organization or with its partners/service providers;

The individuals who have access to those facilities and systems;

How the organization grants, monitors, and rescinds access to them; and

The level of security required by various facilities and systems.

Based on that assessment, organizations can establish appropriate data security, access, and system monitoring policies. Policies should seek to limit the access granted to “privileged users” (like systems and database administrators) to systems containing valuable, sensitive, or classified information.

“Many times, privileged users have unfettered access to systems,” says Hannah. “At some point, those users may have needed broad access to complete an infrastructure buildout or other project. But once finished, their additional access should be promptly revoked. Too often, it isn’t, and that creates risk.”

Other times, privileged users obtain high levels of access as their responsibilities expand or as they move into new roles. This can become problematic, observes Bissell, when they retain access to systems they no longer require in their new roles, or when their expanded access provides them with opportunities to perpetrate fraud or other malicious activities.

Enforcing “segregation of duties” policies can also limit privileged users’ access, thereby reducing the insider threat. Rather than allowing one system administrator to have full administrative rights to an entire system or to multiple systems, an IT organization may decide to separate or divvy up that individual’s responsibilities among several staff members. Hannah notes that systems administrators would have to collude to perpetrate malfeasance in environments that implement segregation of duties, but he acknowledges that separating privileged users’ responsibilities can be challenging, particularly in short-staffed IT organizations.
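The two checks described in the preceding paragraphs, an access review that catches entitlements left behind after a project or a role change and a segregation-of-duties test for conflicting rights, as an added Python example. This is not code from Deloitte or from the CERT guide; the role baseline, the conflict rules and the entitlement records are constructed for illustration and stand in for an export from an IAM system.

```python
"""Entitlement review: flag access that outlived its purpose, access a role
does not need, and toxic combinations that break segregation of duties.

Added example; the role baseline, conflict rules and entitlement records
below are constructed for illustration, not exported from a real IAM system.
"""
from datetime import date

# Hypothetical role baseline: the entitlements each role legitimately needs.
ROLE_BASELINE = {
    "dba": {"db:payroll:read", "db:payroll:admin"},
    "sysadmin": {"host:app01:root", "host:app02:root"},
    "analyst": {"db:payroll:read"},
}

# Hypothetical segregation-of-duties rules: holding anything from the left
# set together with anything from the right set is a conflict.
SOD_RULES = [
    ({"host:app01:root"}, {"db:payroll:admin"}),      # root on the host and admin on its data
    ({"ap:create_vendor"}, {"ap:approve_payment"}),   # the classic payables fraud pairing
]

# Constructed entitlement records: (user, current role, entitlement, expiry).
# An expiry of None means the grant was open-ended.
ENTITLEMENTS = [
    ("alice", "dba", "db:payroll:admin", None),
    ("alice", "dba", "host:app01:root", date(2012, 6, 30)),  # buildout access, never revoked
    ("bob", "analyst", "db:payroll:read", None),
    ("bob", "analyst", "db:payroll:admin", None),            # kept from his former DBA role
    ("carol", "sysadmin", "ap:create_vendor", None),
    ("carol", "sysadmin", "ap:approve_payment", None),
]

# Date the review is run against (constructed).
REVIEW_DATE = date(2013, 1, 1)


def review_entitlements(entitlements, role_baseline, sod_rules, today):
    """Return sorted (user, finding, detail) tuples for a reviewer to act on."""
    findings = []
    held_by = {}
    for user, role, ent, expires in entitlements:
        # Every grant still on the books counts, even an expired one: it
        # remains usable until someone actually revokes it.
        held_by.setdefault(user, set()).add(ent)
        if expires is not None and expires < today:
            findings.append((user, "expired", ent))
        elif ent not in role_baseline.get(role, set()):
            findings.append((user, "outside_role", ent))
    for user, held in held_by.items():
        for left, right in sod_rules:
            if held & left and held & right:
                detail = " & ".join(sorted(held & (left | right)))
                findings.append((user, "sod_conflict", detail))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding, detail in review_entitlements(
        ENTITLEMENTS, ROLE_BASELINE, SOD_RULES, REVIEW_DATE
    ):
        print(f"{user:8} {finding:13} {detail}")
```

Run periodically against a fresh entitlement export, the "expired" and "outside_role" findings are the revocation list Hannah describes, and the "sod_conflict" findings show where a single administrator could act alone. The conflict test is deliberately applied to everything a user still holds, expired grants included, because an unrevoked grant is still usable.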

Technology: Use it to Support Policies

Organizations can draw on a variety of technology solutions to help enforce access and segregation of duties policies, and to help detect and prevent insider threats. Among them:

Identity and Access Management (IAM) Systems prevent unauthorized users from gaining access to systems. They can also help to enforce segregation of duties policies, and provide alerts when users attempt to access restricted systems.

Compliant Provisioning Systems help companies identify the security and compliance risks associated with granting users access to various systems. They also provide visibility into the access privileges IT departments may need to revoke from employees as they move into different roles.

Data Loss Prevention Systems restrict what employees can do with information. They can prevent employees from altering, printing, emailing, or downloading protected information—such as payroll files, IP, contracts, or customer data—onto a hard drive or USB drive. They can provide alerts when users try to change, print, or download protected files.

Digital Rights Management (DRM) Systems can monitor employees’ access to IP. These systems record the activities of users who access systems containing sensitive or classified information, and those access logs can be compared against the DRM access policies to confirm that only appropriate individuals have access to IP.

Privileged User Management Systems control and record the enterprise systems to which privileged users have access. They define the commands that privileged database administrators can and cannot execute on various systems (e.g., a database administrator cannot run SELECT * against a payroll table or copy its entire contents onto a local hard drive). Because these systems record privileged users’ sessions, companies can more easily spot unusual activity, such as a bulk read of a table an administrator would normally only maintain.

Encryption Solutions—deployed to systems containing sensitive data, USB drives, and mobile devices—can prevent some insiders from gaining unauthorized access. So-called container encryption or file/folder encryption can provide more granular control than full-disk encryption over access to sensitive information based on users’ roles. To prevent privileged users who control encryption keys from accessing IP and the like, consider deploying end-to-end encryption, which encrypts data at the source (in the application, before it is written) as opposed to when it lands in a database. This only helps if the keys are held outside the reach of the same administrators; a database administrator who can also read the key store gains nothing from being locked out of the ciphertext.
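The kind of check a privileged user management tool applies to recorded database activity, as an added Python example that is not part of the original article and not taken from any vendor product: it scans audit log lines for statements that read or export an entire sensitive table, the "SELECT *" pattern the list above says such tools block. The one-line "timestamp user@host: statement" log layout, the table names and the account names are assumptions, and the log lines are constructed.

```python
"""Privileged-user activity monitoring: scan database audit log lines for
statements that read or export an entire sensitive table, the pattern a
privileged user management tool would block or flag.

Added example. The one-line "timestamp user@host: statement" log layout,
the table names and the account names are assumptions made for illustration.
"""
import re

SENSITIVE_TABLES = {"payroll", "employee_ssn", "contracts"}
PRIVILEGED_USERS = {"dba_admin", "sysdba"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>[\w.-]+)@(?P<host>[\w.-]+): (?P<sql>.+)$")
# A bare full-table read: SELECT * FROM <table> with no WHERE clause.
FULL_SELECT_RE = re.compile(r"^\s*SELECT\s+\*\s+FROM\s+(?P<table>\w+)\s*;?\s*$", re.I)
# Export shapes: PostgreSQL-style COPY <table> TO ... or MySQL-style
# SELECT ... FROM <table> ... INTO OUTFILE.
EXPORT_RE = re.compile(
    r"\b(?:COPY\s+(?P<t1>\w+)\s+TO\b|FROM\s+(?P<t2>\w+)\b.*\bINTO\s+OUTFILE\b)", re.I
)

# Constructed audit log; the last line is deliberately malformed.
AUDIT_LOG = """\
2013-03-04T09:12:01 dba_admin@jump01: SELECT COUNT(*) FROM payroll;
2013-03-04T09:14:22 dba_admin@jump01: SELECT * FROM payroll;
2013-03-04T09:15:03 appsvc@app01: SELECT name, grade FROM payroll WHERE emp_id = 4412;
2013-03-04T22:41:10 sysdba@laptop-77: COPY employee_ssn TO '/tmp/e.csv';
2013-03-04T22:43:55 sysdba@laptop-77: SELECT * FROM employee_ssn INTO OUTFILE '/tmp/s.csv';
2013-03-05T08:01:00 analyst2@wks12: SELECT * FROM regions;
garbage line that does not parse
"""


def bulk_read_target(sql):
    """Return (kind, table) if the statement reads a whole table, else None."""
    m = FULL_SELECT_RE.match(sql)
    if m:
        return "full_select", m.group("table").lower()
    m = EXPORT_RE.search(sql)
    if m:
        return "export", (m.group("t1") or m.group("t2")).lower()
    return None


def detect_bulk_reads(lines):
    """Return (alerts, unparsed): each alert is
    (timestamp, user, kind, table, is_privileged) for a sensitive table."""
    alerts, unparsed = [], 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # lines the parser cannot read deserve their own alert
            continue
        hit = bulk_read_target(m.group("sql"))
        if hit and hit[1] in SENSITIVE_TABLES:
            kind, table = hit
            alerts.append((m.group("ts"), m.group("user"), kind, table,
                           m.group("user") in PRIVILEGED_USERS))
    return alerts, unparsed


if __name__ == "__main__":
    found, bad = detect_bulk_reads(AUDIT_LOG.splitlines())
    for ts, user, kind, table, priv in found:
        print(f"{ts} {user:10} {kind:12} {table:13} privileged={priv}")
    print(f"{bad} unparsed line(s)")
```

A count query and a keyed lookup against the same payroll table pass, while the full read and the two export forms are reported; the full read of a non-sensitive table is ignored. Pattern matching on statement text is a heuristic, not a parser: a commercial tool hooks the session or the database's own audit facility, and anything that defeats the regex (a view over the table, a scripted row-by-row read) needs its own rule. The unparsed count is returned rather than dropped, because log lines a monitor cannot read are a finding in themselves.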

Process: Reacting to Threats

If a manager obtains evidence, through various systems or other channels, that an employee has stolen information, accessed an unauthorized system, or otherwise plans to do harm, Bissell recommends promptly disabling the employee’s access and scanning the individual’s computer for unauthorized information.

“If, as the supervisor or security chief, I were to discover that an employee or contractor had data on their computer that they shouldn’t, I’d launch an investigation, then determine my course of action,” says Bissell. “It may be to reprimand or terminate the employee, or involve law enforcement.”

Hannah notes that organizations can take a variety of other measures to mitigate insider threats, including behavioral profiling and regular, more thorough background checks on employees who have access to sensitive or classified data. “With sound policies, tools, and processes,” he says, “organizations can effectively neutralize the insider threat and mitigate the risk a single individual can cause.”