Protect your business
from insiders
Manage the people threat
by Keith Chval and Ben Bradley
Virtually every piece of data worth stealing is stored electronically.
As a result, employers must balance access to information with their
responsibility to protect those assets from misuse.
While it is difficult to protect electronic assets against the
actions of determined insiders, a few common sense proactive measures
can reduce the risk that rogue insiders will be able to compromise
your data. At the same time, you can position your enterprise to
quickly and effectively respond should such an insider manage to
access your data.
Keys to the Kingdom
Insiders pose the second greatest threat to cyber security, according
to the 2004 E-Crime Watch Study, conducted by CSO magazine, the
U.S. Secret Service and the CERT Coordination Center at Carnegie
Mellon University. Among the security professionals who responded, 37
percent said hackers posed the greatest cyber security threat, followed
closely by the 29 percent who saw insiders as posing the greatest threat.
Let’s start by defining what we mean by an insider.
An insider is an individual who enjoys a trusted status with your
enterprise - a former employee, a current employee, a contractor,
a customer or even a vendor. A rogue insider is one who acts on motives
that are inconsistent with the best interests of your enterprise. The
potential motives are many - a missed promotion or salary increase; a
belief that the employee can make better money elsewhere, with your
client list; or simply an individual caught up in criminal or inappropriate
conduct who uses your resources to do so. Regardless of motive, the end
result is that a rogue insider is committing acts that jeopardize the
livelihoods of you and the other stakeholders of your enterprise.
Especially in an information intensive business, a rogue insider
can threaten your livelihood in many different ways. It’s
not difficult to imagine the enormous damage to your enterprise
if your customer list disappeared, your competitors received a copy
of your marketing plan, all your files disappeared or you had to
scramble to rebuild your network.
In every case, the impact can be far greater than simple lost
productivity, and in most cases the damage would be hard to calculate.
Damage to your reputation, lost revenue, and lost opportunities don’t
even begin to describe the mess a rogue insider can make.
Because of their trusted status, insiders literally hold the keys
to the company kingdom. With a simple login, a rogue insider can
wreak havoc in no time – even long after he has lost physical access
to your facilities. For management, the idea that a single person
can access and control the entire network from a corner Starbucks
anywhere in the world should be a source of great concern.
The first step in protecting yourself from the damage a rogue insider
can cause is identifying your key informational assets, and then
systematically determining who needs access to that information and
for what purposes. With this information, you can begin developing and
implementing policies and procedures that provide the necessary access
to that information and the related systems, while at the same time
building in security and monitoring measures appropriate for the level
of sensitivity you have assigned to that information or system.
Most experts agree that the IT department is one operational area
worthy of extra attention regarding these issues. The heightened
knowledge about your systems and data makes the prospect of a “rogue
IT insider gone wild” particularly frightening.
Minimize the Human Risk
Many business owners hire new employees and contractors assuming
that these individuals have only the best of intentions and are of the
highest character. It is important to hedge your positive assumptions
with the right technology and the right processes.
“Write your Acceptable Use Policy (AUP) down, make sure everyone
knows about it and understands it. An AUP is an agreement between
the business and its employees that outlines the terms of Internet
and technology resource usage and acceptable rules of behavior.
Then enforce it with an even hand,” advises Scott Nelson,
president of Employee Management Services (www.eos123.com), an HR
outsourcing company located in Burr Ridge, Illinois. Nelson believes
protecting your business from internal threats begins with common
sense.
Eliminate the expectation of privacy. Let employees know that you
are watching and monitoring what they send and view. Content filtering,
email archiving, and even simple reviews of internet history can
be very useful.
Try to understand what parts of your business are more valuable
than others – work to protect those assets with a combination
of process and technology.
Instituting effective employee due diligence procedures can also
provide your enterprise with an important layer of security. By
protecting your valuable information (assets) and technology with
strong hiring policies and processes, you address both internal and
external threats. In the same way your firewall protects you from
threats in outside traffic, an effective employment candidate
due diligence process, coupled with periodic post-hire updates,
can provide protection from threats posed by rogue insiders.
Mark J. Neuberger, a partner in the Miami office of Buchanan Ingersoll
PC (www.bipc.com) goes even further by suggesting that I.T. professionals
and contractors be interviewed and hired differently than other
employees. “This means their backgrounds are subject to greater
scrutiny when recruiting and selecting.”
Extra Level of Vigilance
When recruiting I.T. staff, a heightened level of background
and reference checking should become standard operating procedure.
An important consideration in enhancing the due diligence of your
recruiting process is determining who will conduct the checks.
Avoid the temptation to assign this critical responsibility to your
headhunter. A conflict of interest exists when the person compensated
for the placement is assigned responsibility for finding reasons
not to hire the candidate.
Neuberger advises that once hired, I.T. employees’ activities
and performance be subject to a greater degree of vigilance and scrutiny.
“There is nothing illegal with this kind of differential treatment
so long as the employee understands what is expected and what will
happen if their performance does not conform to these higher standards.”
Once hired, I.T. staff should be monitored and reviewed on a regular
basis. Management should maintain a basic understanding of security
processes and should consider a regular security audit conducted
by an objective third party. This process will show what is on your
system, how it is being used and who is using it. Outside objective
help may be needed to perform the audit and to ensure that all security
issues are addressed. Audits reveal the latest vulnerabilities within
your network, provide critical checks and balances and often provide
remediation guidance.
In addition, identify and watch for the development of “situational
precursors” that can often foretell future misconduct by an
insider. Most people don’t set out to lead a life of crime
or otherwise act in a way that is dishonorable. Typically, this
behavior arises when an individual sees no acceptable way out of
an unanticipated situation. Examples include financial difficulties,
marital problems, or a brush with the law. The trigger may also
be an employment-related issue as mentioned earlier in this article,
or simply something as mundane as a close associate who leaves the
enterprise and entices the insider to join him or her.
Procedures should be instituted to help you identify these
situational precursors. For instance, periodic due diligence updates
can identify when post-hire financial or legal difficulties have
arisen. Requiring managers and HR personnel to notify security when
unfavorable performance reviews or disciplinary actions take place
is another step that can be implemented.
Policies and procedures should be designed and implemented to protect
your organization should this potential rogue insider succumb to
the temptation to solve their problem at your expense. Closer monitoring
of e-mail traffic (including content), periodic digital “snapshots”
and review of the individual’s workstation, and review of
worksite access logs for unusual patterns, are just a few simple
things that can be done to protect you and your enterprise’s
stakeholders from the damage that can be done by a rogue insider.
Termination Considerations
Terminations should rarely be an unplanned-for event. Typically,
a termination comes as a surprise to no one, often foretold by one
or more of the precursor events or circumstances just mentioned.
Similarly, it’s most likely not news to anyone that a termination,
and the period leading up to it, is one of the most frequent periods
of employee misconduct.
To protect your enterprise’s digital jewels, you must have
in place, and consistently execute, policies and procedures designed
to minimize the risk associated with the termination of employment
relationships. Naturally, these policies and procedures should be
tailored to reflect the varying responsibilities and sensitivities
associated with different job functions within your organization.
As you might expect, perhaps the highest degree of security should
be employed when the individual facing termination is part of the
I.T. staff. The termination process should include measures to ensure
that, once terminated, an employee no longer has access to enterprise
resources.
The terminated employee’s passwords and access codes should
be revoked at the same moment the employee is informed of the
termination. This will require close coordination to ensure that
a delayed termination meeting doesn’t result in unintended
advance notice through premature access denial. A rogue insider
tipped off to his imminent demise may take that opportunity to quickly
destroy or secrete critical enterprise assets before the delayed
termination ultimately takes place.
In addition, ensure that any new systems implemented during that
employee’s tenure have had their default access codes disabled.
This should be done as a matter of course, but far too frequently
a now-former employee accesses company e-mail or voice mail systems
using default login codes that were never changed, and wreaks havoc
on the organization, and occasionally on the personal lives of its
employees.
Similarly, make sure that necessary personnel, including vendors
and contractors, have been informed that the employee is now a former
employee and is no longer entitled to access to organizational resources
and information. This can be done in a sensitive way to avoid undue
embarrassment to anyone, and perhaps avoid stirring up a hornet’s
nest.
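As an added example (not code from the article or its authors), the following Python script runs the checks described above over a handful of constructed log lines: any authentication event for an account after the moment its owner was informed of termination, successful logins by vendor default accounts that should have been disabled at deployment, and off-hours logins that merit a closer look as an "unusual pattern." The log format, usernames, timestamps and addresses are assumptions invented for the example.

```python
import re
from datetime import datetime

# Constructed sample data for this example: the termination times,
# default-account names and log lines below are all invented.
TERMINATIONS = {
    # user -> moment the employee was informed (when access should end)
    "jdoe": datetime(2005, 6, 14, 10, 0, 0),
}

# Vendor-supplied accounts that should have been disabled at deployment.
DEFAULT_ACCOUNTS = {"admin", "guest", "vmail"}

# Successful logins outside this window are flagged for review.
BUSINESS_HOURS = (6, 22)  # 06:00 inclusive to 22:00 exclusive

# Assumed log format: "<ISO timestamp> <user> <SUCCESS|FAIL> <source IP>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(SUCCESS|FAIL)\s+(\S+)$")

SAMPLE_LOG = """\
2005-06-14T09:55:00 jdoe SUCCESS 10.0.0.12
2005-06-14T10:30:00 jdoe SUCCESS 203.0.113.5
2005-06-14T11:00:00 jdoe FAIL 203.0.113.5
2005-06-15T02:00:00 admin SUCCESS 198.51.100.7
2005-06-15T09:00:00 asmith SUCCESS 10.0.0.20
not a log line
"""


def parse_line(line):
    """Return (timestamp, user, result, source) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, result, src = m.groups()
    return datetime.fromisoformat(ts), user, result, src


def find_violations(log_text, terminations=TERMINATIONS,
                    default_accounts=DEFAULT_ACCOUNTS, hours=BUSINESS_HOURS):
    """Scan log text and return a list of (kind, user, timestamp, source) findings.

    Kinds:
      post-termination login   - a SUCCESS for a user at or after termination time
      post-termination attempt - a FAIL for such a user (credentials still being tried)
      default-account login    - a SUCCESS by a vendor default account
      off-hours login          - a SUCCESS outside the business-hours window
    """
    findings = []
    start, end = hours
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than abort the review
        ts, user, result, src = parsed
        stamp = ts.isoformat()

        cutoff = terminations.get(user)
        if cutoff is not None and ts >= cutoff:
            kind = ("post-termination login" if result == "SUCCESS"
                    else "post-termination attempt")
            findings.append((kind, user, stamp, src))

        if result == "SUCCESS" and user in default_accounts:
            findings.append(("default-account login", user, stamp, src))

        if result == "SUCCESS" and not (start <= ts.hour < end):
            findings.append(("off-hours login", user, stamp, src))
    return findings


if __name__ == "__main__":
    for finding in find_violations(SAMPLE_LOG):
        print(*finding)
```

Failed attempts after the termination time are flagged as well as successes: a failure shows the revoked credentials are still being tried, which is exactly the case where the meeting and the account disablement were not coordinated.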
Wrapping it Up
The risks posed by the vulnerabilities inherent in your technologies
cannot be ignored by any enterprise. Fortunately, there are realistic,
cost-effective steps that enterprises of all sizes can implement
that allow them to continue leveraging technology while mitigating
the risks. Effective policies and procedures for managing the “insider”
risk are one such area ripe for attention.
While much of this discussion has focused on an employer/employee
relationship in an I.T. department, many of the principles discussed
have application to other operational areas within the enterprise,
as well as to “insiders” other than employees, as defined
at the onset of this article. Due diligence, vigilance for “precursor
situations,” and management of the (relationship) termination
process should be applied equally to all “insiders.”
Manage the insider risk to your enterprise’s informational
assets by hoping for the best and preparing for the inevitable. You
can avoid the worst, and in the process add value for yourself,
your enterprise, and its stakeholders.
ABOUT THE AUTHOR
Keith Chval is a principal with Protek International (www.protekintl.com),
a computer forensics, litigation support, and investigations firm,
and a member of the law firm of Connolly, Ekl & Williams PC,
both Chicago-suburban based. From April 1998 to June 2005, Chval
served as the Chief of the High Tech Crimes Bureau with the Illinois
Attorney General's Office where he conceptualized, implemented,
and supervised this specialized unit serving as a statewide legal
and technical resource for prosecution, investigation assistance,
forensics services, and training to federal, state, and local law
enforcement and prosecutors.
Reprinted with permission of CDW and http://www.biztechmagazine.com