The Edward Snowden leaks highlighted that if the NSA can have its sensitive documents stolen by an employee, anyone can. According to the 2015 Vormetric Insider Threat Report, 89% of global respondents felt that their organisation was now more at risk from an insider attack, with 34% saying they felt very or extremely vulnerable.
According to corporate security firm Espion, while the frequency of cyber incidents is on the rise, hackers trying to gain access to critical information are not always to blame, with insider involvement remaining a significant problem.
The methods used to transfer data can include uploading to online network storage, email transmission, storage on local media such as USB memory sticks, CDs or DVDs, and other data exfiltration methods. The information sought by hackers is varied and, depending on the nature of the target’s business, can include intellectual property, financial information, customer or client related information, project plans, business presentations, blueprints and personnel details.
'Insider abuse is more difficult to detect, as the perpetrators often have legitimate access to sensitive data and removing it may go completely unnoticed,' said senior Espion consultant John Hetherton, commenting on incidents of security breaches from within organisations. 'Whether opportunistic or disgruntled with their employers, the threat from the inside becomes more serious, as these employees have access to the company’s best kept secrets and insider knowledge of security weaknesses.'
'Insider attacks can cause significant damage to companies and the consensus indicates that as workers become concerned for their futures, the likelihood of an insider attack increases.'
With that in mind, Espion offers twelve tips for addressing the insider threat issue from within:
- Ensure that organisational policies are unambiguous regarding the classification and protection of information. Policies should stipulate controls commensurate with the value of the information; the more valuable the information, the more rigorous the controls. These controls should state protection measures for information at rest and in transit.
- All staff should sign confidentiality and non-disclosure agreements when joining the organisation.
- Where BYOD is an option, the organisation should implement technical controls to protect company information which may be held on personal devices.
- Know exactly where all the organisation’s key information is stored and how that information may legitimately enter and leave those repositories.
- Set up all user access by means of unique user accounts to maintain accountability of actions. Generic and shared accounts should be disabled and the sharing of passwords should be prohibited by policy. It is especially important that system administrators are also subject to these controls.
- Password complexity and management processes should be robust to prevent impersonation attacks.
- Strictly control access to information: access should be authorised by information owners and regularly reviewed to ensure it remains appropriate.
- Where third-party cloud-based services are adopted by the organisation, a robust movers and leavers process should be implemented to cover both key internal systems and cloud services where access control may not be centrally controlled by internal IT, such as Dropbox and Google Drive.
- Put in place granular auditing for accessing key systems and information repositories. The level of auditing should be granular enough to ensure that the sequence of events which led to a breach can be reconstructed.
- Real-time alerts on suspicious activity should be actively monitored and responded to by trained incident responders, as part of a defined incident response plan.
- If there is a notice period, the IT department should actively monitor the employee’s access to the network to make sure sensitive and confidential data is not being downloaded or sent to the employee’s personal email account. Additional measures should be considered in the event of an acrimonious departure, as employees who leave an organisation on bad terms are more likely to steal data.
- And lastly, as an employee leaves an organisation, a thorough audit of their paper and electronic documents should be carried out and company mobile devices and laptops should be returned.
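
The auditing, alerting and notice-period tips above can be combined into a single review pass over audit events. The following is an added example, not code from Espion or the original article; the log format, the `example.com` domain, the download threshold and the HR feed are all assumptions constructed for illustration.

```python
from datetime import datetime

CORPORATE_DOMAINS = {"example.com"}   # assumption: the organisation's mail domain
DOWNLOAD_LIMIT = 500 * 1024 * 1024    # assumption: bytes per user per day
# Constructed sample data: HR feed (unique account -> start of notice period)
NOTICE_START = {"jdoe": datetime(2015, 3, 2)}
# Constructed audit log: timestamp, user, action, target, bytes
AUDIT_LOG = """\
2015-02-27T10:02:11 jdoe file_download /finance/q4-forecast.xlsx 120000
2015-03-03T09:14:52 jdoe file_download /projects/blueprints.zip 400000000
2015-03-03T09:20:03 jdoe file_download /clients/export.csv 150000000
2015-03-03T09:31:40 jdoe mail_send j.doe@mailhost.example 150000000
2015-03-03T11:05:09 asmith mail_send s.jones@partner.example 20000
2015-03-04T16:45:00 jdoe mail_send finance@example.com 30000
"""

def parse(log):
    """Parse audit lines into dicts, ordered by time."""
    fields = (line.split() for line in log.splitlines())
    events = [{"time": datetime.fromisoformat(ts), "user": u, "action": a,
               "target": t, "bytes": int(n)} for ts, u, a, t, n in fields]
    return sorted(events, key=lambda e: e["time"])

def review_notice_period(events, notice_start, limit=DOWNLOAD_LIMIT):
    """Alert on external mail and bulk downloads by accounts serving notice."""
    alerts, daily = [], {}
    for e in events:
        start = notice_start.get(e["user"])
        if start is None or e["time"] < start:
            continue  # only accounts in their notice period are in scope
        if e["action"] == "mail_send":
            domain = e["target"].rsplit("@", 1)[-1].lower()
            if domain not in CORPORATE_DOMAINS:
                alerts.append((e["time"], e["user"], "external_mail", e["target"]))
        elif e["action"] == "file_download":
            key = (e["user"], e["time"].date())
            before = daily.get(key, 0)
            daily[key] = before + e["bytes"]
            if before <= limit < daily[key]:  # alert once, when the limit is crossed
                alerts.append((e["time"], e["user"], "bulk_download", e["target"]))
    return alerts

def timeline(events, user):
    """One account's actions in order, for reconstructing the sequence of events."""
    return [(e["time"].isoformat(), e["action"], e["target"])
            for e in events if e["user"] == user]

if __name__ == "__main__":
    for alert in review_notice_period(parse(AUDIT_LOG), NOTICE_START):
        print(alert)
```

The review only works because every event carries a unique user account; shared or generic accounts would make both the alerts and the timeline unattributable.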