Insider Data Thieves

The highly networked computer technology that has made companies more efficient has also left them more vulnerable to threats from insiders who are intent on stealing information or sabotaging operations. And those vulnerabilities are regularly exploited.

According to a recent Wall Street Journal article by Siobhan Gorman, there are procedures and technologies that can help defend a company against malicious insiders. This newsletter article summarizes her article on “How to Stop the In-House Data Thief”.

Access Issues

About half the companies responding to an annual survey by the Software Engineering Institute have reported experiencing at least one data-security breach by an insider in the previous year. IT system administrators often get their hands on a broad array of information because they require extensive access to manage company networks. But many other employees without any special privileges have access to all sorts of confidential or sensitive information (about the company they work for, its employees, and its customers) that they use to do their jobs.

The trend toward data storage in the cloud complicates matters. Increasingly, companies are moving more of their information – including extremely sensitive data – to the cloud, where it is stored in giant server farms accessible over the Internet.

There are some security benefits to this centralized information storage, such as the ability to apply new security practices quickly and universally across company data.

But there are risks, too. Companies tend to store enormous amounts of information in the cloud to maximize economies of scale. So, someone who finds a way past a company’s cloud defenses has access to much more data than an intruder would if the information were more scattered, as it typically is when stored in company IT systems.

Step by Step

Companies are hardly helpless, though, against insider attacks. To combat the insider threat, companies need to establish their defenses in layers, from trying to prevent threats to responding when security is breached. Here are some of the technologies that security specialists say can help companies at various steps along the way:

Companies should focus their security efforts by identifying the data and systems most in need of protection, then act to limit access. Before a system administrator is handed the keys to the kingdom, the employer should conduct a thorough background check – one that is more rigorous than what may be required for other employees.

And even with system administrators, companies don’t need to provide full access to all systems and can instead tailor network access precisely to job responsibilities.

There are a number of technologies that aim to provide data-loss prevention, including products from computer-security companies. These programs can be set to prevent an employee from moving data to a portable storage device such as a flash drive. They can also detect data leaving the system that shouldn’t be, based on keywords or other identifiers. Another step companies can take is to encrypt sensitive information.

Continuous monitoring of corporate networks for unusual activity is key to detecting a theft in progress. Monitors can track who is accessing certain databases. They can flag, for example, an unusual level of activity in a particular database. These types of programs can monitor both when a database is queried and when particular folders or documents are opened. They help by aggressively tracking suspicious activity from minute to minute, and issuing alerts if any activity rises to the level of a probable threat.
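As an added illustration of the minute-by-minute monitoring described above (example code written for this summary, not from the Journal article or any product it mentions), the following Python flags a user whose access rate to a database jumps well above that user's own baseline, or who touches a database they never used before. The audit-log format, the user and database names, and the floor/factor thresholds are all constructed assumptions.

```python
# Added example, not from the article: a small per-minute database-access
# monitor. Log format, users, database names and thresholds are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed audit lines: "<ISO timestamp> <user> <database> <action> <object>".
BASELINE_LOG = [
    "2024-03-04T09:00:12 alice customers SELECT accounts",
    "2024-03-04T09:00:40 bob hr SELECT payroll",
    "2024-03-04T09:01:05 alice customers SELECT accounts",
    "2024-03-04T09:02:30 bob hr SELECT payroll",
    "2024-03-04T09:03:01 alice customers SELECT contacts",
]
# Later window: alice behaves as before; bob bulk-reads payroll in one minute
# and then touches a database he never used during the baseline.
LATER_LOG = (["2024-03-04T09:10:20 alice customers SELECT accounts"]
             + [f"2024-03-04T09:11:{s:02d} bob hr SELECT payroll" for s in range(0, 60, 3)]
             + ["2024-03-04T09:12:05 bob customers SELECT accounts"])
BASELINE_END = datetime.fromisoformat("2024-03-04T09:05:00")

def parse_events(lines):
    """Turn audit lines into (timestamp, user, database) tuples."""
    events = []
    for line in lines:
        ts, user, db, _action, _obj = line.split()
        events.append((datetime.fromisoformat(ts), user, db))
    return events

def per_minute_counts(events):
    """(user, database) -> {minute: number of accesses in that minute}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user, db in events:
        counts[(user, db)][ts.replace(second=0, microsecond=0)] += 1
    return counts

def find_alerts(events, baseline_end, floor=5, factor=4.0):
    """Alerts for minutes at or after baseline_end, as (kind, user, db, minute, n).
    burst:  n exceeds max(floor, factor * mean accesses per active baseline minute).
    new_db: the user never touched this database during the baseline."""
    alerts = []
    for (user, db), minutes in per_minute_counts(events).items():
        base = [n for m, n in minutes.items() if m < baseline_end]
        for minute in sorted(m for m in minutes if m >= baseline_end):
            n = minutes[minute]
            if not base:
                alerts.append(("new_db", user, db, minute.isoformat(), n))
            elif n > max(floor, factor * sum(base) / len(base)):
                alerts.append(("burst", user, db, minute.isoformat(), n))
    return alerts
```

Calling `find_alerts(parse_events(BASELINE_LOG + LATER_LOG), BASELINE_END)` reports bob's 20-query burst against the hr database and his first-ever access to the customers database, while alice's unchanged activity is not flagged.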

Once a company has zeroed in on an insider, it needs to conduct an electronic forensics investigation, determine the extent of the theft, and work to mitigate further damage. Programs are available to conduct a forensics investigation, along with other tools that examine data on various devices.

Warning Signs

To read about warning signs for insider attacks, see the full Wall Street Journal article at this web page. It describes three primary types of attacks: IT sabotage, information theft, and fraud. For each type, it defines the motives, those most likely to attack, and the red flags.