I was asked recently what I thought was the biggest security risk facing compliance officers today. I didn't have to think twice -- insider threats.
It may not be on every compliance officer's top 10 list of security risks, but history shows that sensitive data continues to flow out of organizations, mostly with the help of those most entrusted with its care. For instance, database and system administrators often have uncontrolled and unaudited access to sensitive data, as well as to data stored on network file systems or desktops.
That said, insider threats are not always about privileged access to data. More specifically, they are about access to any data and/or intellectual property that carries business value. So, let's more clearly define who is an insider and what constitutes an insider threat: Insiders are those people in an organization who have legitimate access to data for business purposes; An insider threat exists when there is a possibility that insiders may abuse the access privileges knowingly or unknowingly.
Insiders who abuse their access privileges are also known as malicious insiders. Insider threats are considered significant enough that Carnegie Mellon University's Computer Emergency Response Team (CERT) has undertaken an impressive number of research studies on the topic. The topic is also covered in the 2010 e-Crime Watch Survey, which states that "while outsiders are the main culprits of cybercrime in general, the most costly or damaging attacks are more often caused by insiders," defined as employees or contractors with authorized access.
The survey found that insiders most often use their laptops or copy information to mobile devices to commit electronic crimes against their organizations. According to the findings, data is often downloaded to home computers or sent outside the business via email.
Interestingly, most organizations do not document and track insider threats, choosing instead to rely on conventional access control methods that could easily be circumvented by those with privileged access. Organizations also fail to implement and enforce segregation of duties controls, thereby allowing insiders to exceed their authority.
So what can be done? The first thing to realize is that an insider threat is an organizational issue that technology alone can't solve. Organizations need to start by documenting what those threats are. It would also help if compliance officers asked the following questions:
- What data is sensitive, and why?
- What is the risk to the organization if this data were to get lost or stolen?
- Who has access to what data, i.e., who creates, reads, updates and manages it?
- Where and how are people accessing data? From home, with personal laptops?
- What controls can insiders circumvent to get to the organization's data or infrastructure?
- What measures can be taken to mitigate or minimize these threats?
As far as mitigation is concerned, popular security solutions such as data leak prevention or database activity monitoring tools are designed to address insider threats. These solutions can't be effective, however, if the organization doesn't have the ability to identify what data exists and who uses it. The above list can help establish a data protection framework from within which these solutions can operate.
But the starting point for insider threat mitigation should be user education and not technology, with organizations teaching the right way to handle data. The following guidelines can help:
- Develop and communicate an organizational policy regarding data security and intellectual property protection. The policy should provide examples of proper use.
- Awareness training should incorporate insider threat scenarios and teach users how to handle information in a way that does not put the organization at risk.
- Audit all data access activities and periodically survey users for their data use and data needs.
- Monitor and track all data extracts.
Meenu Gupta, CISA, CISM, CISSP, CIPP is president of Mittal Technologies Inc. and specializes in IT solutions engineering and IT security architecture development. Gupta consults with the U.S. government and teaches at the University of Maryland University College.