The insider threat
8th May 2012
Shaun Peapell, CYFOR’s Information Security Consultant, adds to his comment at Information Security about the biggest threat to businesses.
Information would be far better off without the human user! Sad but true. The highest proportion of data loss and data leakage is the result of someone not doing what they are supposed to. Organisations spend time and valuable money on protecting their name, products and IT infrastructure, only to be let down by a user or by a process controlled by a user.
Organisations should have something in place called a user policy or an IT security policy. This lays out methods and best practices in order to strike a balance between protecting business assets and affording a sensible degree of functionality. Assets can be tangible or intangible; for example, an idea is an intangible asset, especially when a company is thinking about designing the next super electric car and that idea must be protected from its competitors.
Social engineering can be defined as efforts to gain information from another person by any means seen fit. Social compliance and social reliance are the human’s worst enemy. For example, we see a person in a police uniform and most of us start to act differently; we do this because we respect the law, and this is an example of social compliance. Interestingly, if a person turns up at your reception stating that they are responding to a 999 call and need access to a secure area, most would comply with the uniform and allow it to happen. However, little does the receptionist know that it is an infiltration by a criminal pretending to be a policeman.
The insider threat can come in many different flavours. A member of staff employed in a highly secure area may have financial issues and may be vulnerable to blackmail. ‘Honey Pots’ or ‘Honey Traps’ are designed to entrap the victim; infidelity is one example, where an organisation uses ‘beautiful’ people to socially engineer a competitor’s employee. Corporate information can be worth £millions in gains or lost revenue.
Educating your staff and regular monitoring should be part of all IT infrastructure and security policies. We are not talking ‘big brother’; however, healthy observation is sensible. Be timely in revoking user privileges, especially when someone is no longer employed. Downgrade an employee’s IT status, control access to what they can see, and apply the ‘need to know’ and ‘need to hold’ principles. Be firm: if the employee doesn’t need to know, don’t give it to them. Similarly, if they don’t need to hold it, take it away from them. Mitigate the risks and manage the rest.
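The ‘need to know’ and ‘need to hold’ principles above are most reliably enforced by a periodic access review that reconciles what HR says about each person against what the IT systems actually grant them. The following is an added illustration of that review, not code from CYFOR or from the article: the staff roster, the role-to-entitlement model, the 90-day "need to hold" threshold and every account name are constructed for the example.

```python
"""Joiner/mover/leaver access review (added example).

Reconciles a constructed HR roster against constructed access grants and
classifies each grant under the 'need to know' (is it required for the
role?) and 'need to hold' (is it still being used?) principles.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str                       # job role as recorded by HR (constructed)
    leaving_date: Optional[date]    # None while still employed


@dataclass(frozen=True)
class Grant:
    user_id: str
    entitlement: str                # a share, application or data set (constructed)
    last_used: Optional[date]       # None if the grant has never been exercised


@dataclass(frozen=True)
class Finding:
    user_id: str
    entitlement: str
    action: str                     # keep | revoke | downgrade | review
    reason: str


# Constructed role model: the entitlements each role genuinely needs to know.
NEED_TO_KNOW: Dict[str, set] = {
    "sales": {"crm-read", "email"},
    "engineer": {"source-repo", "design-docs", "email"},
    "finance": {"ledger", "email"},
}

# Assumed policy: access not exercised for this long fails 'need to hold'.
STALE_AFTER_DAYS = 90

# Constructed data. Bob left on 30 April; Dave has no HR record at all.
TODAY = date(2012, 5, 8)
ROSTER = [
    Employee("alice", "sales", None),
    Employee("bob", "engineer", date(2012, 4, 30)),
    Employee("carol", "finance", None),
]
GRANTS = [
    Grant("alice", "crm-read", date(2012, 5, 1)),     # required and in use
    Grant("alice", "source-repo", date(2012, 5, 1)),  # not needed by sales
    Grant("bob", "source-repo", date(2012, 4, 20)),   # leaver still has access
    Grant("carol", "ledger", date(2011, 12, 1)),      # required but unused
    Grant("carol", "email", None),                    # required, never used
    Grant("dave", "email", date(2012, 5, 2)),         # orphaned account
]


def review_access(roster: List[Employee], grants: List[Grant], today: date) -> List[Finding]:
    """Classify every grant. Leaver and orphan checks come first so that a
    departed employee's access is revoked regardless of role or usage."""
    by_id = {e.user_id: e for e in roster}
    findings = []
    for g in grants:
        emp = by_id.get(g.user_id)
        if emp is None:
            findings.append(Finding(g.user_id, g.entitlement, "revoke", "no HR record for account"))
        elif emp.leaving_date is not None and emp.leaving_date <= today:
            findings.append(Finding(g.user_id, g.entitlement, "revoke", "leaver"))
        elif g.entitlement not in NEED_TO_KNOW.get(emp.role, set()):
            findings.append(Finding(g.user_id, g.entitlement, "downgrade",
                                    f"not required for role '{emp.role}'"))
        elif g.last_used is None:
            findings.append(Finding(g.user_id, g.entitlement, "review", "never used"))
        elif (today - g.last_used).days > STALE_AFTER_DAYS:
            findings.append(Finding(g.user_id, g.entitlement, "revoke",
                                    f"unused for more than {STALE_AFTER_DAYS} days"))
        else:
            findings.append(Finding(g.user_id, g.entitlement, "keep", "required and in use"))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per action, a useful figure for the review sign-off."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.action] = counts.get(f.action, 0) + 1
    return counts


def run_review() -> List[Finding]:
    """Run the review over the constructed data."""
    return review_access(ROSTER, GRANTS, TODAY)


if __name__ == "__main__":
    results = run_review()
    for f in results:
        print(f"{f.action:9} {f.user_id:6} {f.entitlement:12} {f.reason}")
    print(summarise(results))
```

Ordering matters in the classifier: the leaver and orphan checks sit before the role check so that a departed employee is revoked outright rather than merely downgraded, and a grant that has never been used is flagged for review rather than revoked, since it may simply be new.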
We see it all the time: an employee leaves company A with a customer database and goes to company B. Theft accounts for a high percentage of the threat that businesses encounter. Organisations need to have a set plan of action in case matters of this nature arise; CYFOR offers a Forensic Readiness Plan to deal with just that and much more.
Everybody has a bad day, can’t be bothered or just cuts corners and throws caution to the wind. That one day when you take an unencrypted memory stick home with you may just be the day you lose it on the tube on your way home. This amounts to a massive data protection issue and potentially a massive fine for the organisation.
Staff training and user awareness can place your employees in a much better position to protect your organisation’s assets. Remember the acronym C.I.A.: the Confidentiality, Integrity and Availability of your assets are paramount.