As computer use has grown, the capacity for theft and damage has increased. What many IT departments may not realize, however, is that the problem is much worse than they might think.
It’s the kind of stomach-dropping moment that every IT manager dreads. The network is attacked, and no matter how many safety blocks have been put in place or tough digital barriers erected, data gets corrupted or stolen right in front of IT’s horrified stare. A mad scramble and firewall reset confirm that the attack is even worse than believed, because it’s coming from a place that no one expected: just down the hall.
Internal threats aren’t new for companies. Ever since the first employee had access to the first supplies cabinet, pilfering has been an issue. As computers were introduced, the capacity for theft and damage increased. What many IT departments may not realize, however, is that the problem is much worse than they might think.
In a recent FBI security survey, 80 percent of the respondents reported insider abuse of their computer systems. Research firm Gartner has reported that 70 percent of incidents that cause money loss are the result of insider theft.
Although IT has undoubtedly locked down their networks and systems, it’s likely that those controls were done with outsider threats in mind. Inside a company, employees usually have access to a variety of servers and equipment, because in order to swap files and share information, the technology controls need to be somewhat loose and easy. Unfortunately, those open doors can prove to be a bigger danger to company security than unknown hackers or miscreants trying to jump on a firm’s wireless network.
There are several ways that an employee can wreak havoc on a company system. Although focused, malicious attacks can be the most frightening, there usually aren’t many employees who are tech savvy enough to bring down a corporate network through hacking. Most often, dangers occur when an employee has access to files or servers that should be better controlled, especially if those electronic paths lead to the accounts payable department.
Jeff Johnson, co-founder of Atlanta-based security monitoring firm Oversight Technologies, notes that in the last five years, employee theft through digital means has gotten out of control. “We’ve been calling them business hackers,” he says. “They hack into the system and find a way to cut themselves checks and then cover it up.”
One Oversight client had an employee who found a way to access the accounts payable system. He went into a vendor file, changed the vendor’s name to his own, and cut himself an $80,000 check. Then, once the deed was done, he changed the vendor name back. He might have gotten away with it if he hadn’t gone directly to a local check-cashing place that decided to call the company for verification.
Such incidents are all too common, Johnson says. Beyond that kind of fraud, employees can also be dangerous by either damaging equipment deliberately, or blithely downloading viruses or stumbling across networks by accident.
“It’s a significant issue,” Johnson says. “No matter how an employee poses a threat, either accidentally or on purpose, insider abuse is very real. IT needs to analyze their systems and do something to prevent these threats.”
One of the most important ways to keep information safe is to enlist the very people who pose a danger in the first place. Since network security breaches can sometimes be a result of carelessness on the part of a user, education can go a long way toward reducing the threat. For those employees who are a bit wilier and like to sneak around a network, educational efforts that mention policy enforcement may keep them in check.
“Having a security policy doesn’t make sense if it doesn’t make people obey,” says Doug Landoll, president of Austin, Tex.-based network security firm Veridyn. “You need to set the guidelines through a policy, and then think about how to enforce those rules.”
In crafting a security policy, IT departments should refrain from using standard boilerplate language about respecting company property and not using corporate resources for personal use. Although such policy templates may pass muster with company attorneys, it’s far better to nail down the specifics of what’s allowed and, most important, what won’t be tolerated.
“Can you e-mail the company directory to someone outside the office?” Landoll asks, as an example of the kind of incident that should be included. “What will happen if an employee tries to access a server they shouldn’t be on? An IT department needs to clearly define what a breach is and work with HR to define what would be grounds for termination.”
He adds that subsequent security training can be a challenge, simply because users are at different levels. However, it’s crucial that training be done, since it often minimizes the risk of damage in the future. “Just letting them know that you’re aware can sometimes be enough,” Landoll says.
Tech to the rescue
Education and strong policies can reduce some of the threat, but for real protection, IT departments can also employ some technology to make sure that threats are kept to a minimum. Several companies have been developing tools specifically geared toward protecting networks and data from insiders.
Security heavyweight Check Point Software Technologies has come out with InterSpect, an appliance that includes defense technologies meant to help prevent or at least mitigate attacks from inside the network. Similarly, Ingrian Networks has been touting its latest product, DataSecure, which is designed to protect data while it’s in storage, in use, and in transit among machines.
DataSecure uses a high level of encryption in order to work. Using powerful encryption for lessening internal risks is a growing area, and there seem to be quite a few products in development that help companies secure data while it’s being routed from one employee to another. Shlomo Touboul, CEO at San Jose, Calif.-based security firm Finjan, notes that clients who were suffering from intellectual property loss have embraced their encryption-based application, called Mirage.
“With Mirage, an employee can send sensitive data outside the company,” Touboul says, “but the person opening it will only see meaningless code.”
Also popular are monitoring services like those available at security firms like Oversight. Johnson says that with so many transactions taking place at a company, IT needs an effective monitoring tool that can make sense of questionable data transfers and unauthorized access requests.
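The vendor-file incident described earlier leaves a recognizable trail for this kind of monitoring: a vendor name is changed, a payment is issued, and the name is changed back. As an added example (not from the article and not any vendor's product), the Python below flags that sequence in an accounts payable audit log; the event fields, vendor IDs and user names are constructed assumptions, and every `vendor_update` event is assumed to be a name change.

```python
from datetime import datetime, timedelta

# Constructed audit trail (illustrative only): vendor-master edits and payments.
AUDIT_LOG = [
    {"ts": "2024-03-04T09:12:00", "type": "vendor_update", "vendor_id": "V-1001",
     "old": "Acme Supply Co", "new": "J. Doe", "user": "jdoe"},
    {"ts": "2024-03-04T09:20:00", "type": "payment", "vendor_id": "V-1001",
     "amount": 80000.00, "user": "jdoe"},
    {"ts": "2024-03-04T09:31:00", "type": "vendor_update", "vendor_id": "V-1001",
     "old": "J. Doe", "new": "Acme Supply Co", "user": "jdoe"},
    # A genuine rename that is never reverted must not be flagged.
    {"ts": "2024-03-05T10:00:00", "type": "vendor_update", "vendor_id": "V-2002",
     "old": "Globex", "new": "Globex LLC", "user": "asmith"},
    {"ts": "2024-03-06T11:00:00", "type": "payment", "vendor_id": "V-2002",
     "amount": 1200.00, "user": "bjones"},
]

def find_flip_flop_payments(events, window=timedelta(days=7)):
    """Flag vendors renamed, paid while renamed, then renamed back within `window`."""
    findings, pending = [], {}  # pending: vendor_id -> state of an open rename
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, vid = datetime.fromisoformat(ev["ts"]), ev["vendor_id"]
        state = pending.get(vid)
        if state and ts - state["since"] > window:
            del pending[vid]  # rename is old enough to treat as permanent
            state = None
        if ev["type"] == "payment":
            if state:
                state["payments"].append(ev)  # paid while the name was altered
        elif state is None:
            pending[vid] = {"original": ev["old"], "since": ts,
                            "editors": {ev["user"]}, "payments": []}
        else:
            state["editors"].add(ev["user"])
            if ev["new"] == state["original"]:  # name restored to the original
                if state["payments"]:
                    paid = state["payments"]
                    findings.append({
                        "vendor_id": vid,
                        "original_name": state["original"],
                        "total_paid": sum(p["amount"] for p in paid),
                        "editors": sorted(state["editors"]),
                        "editor_also_paid": any(p["user"] in state["editors"] for p in paid),
                        "minutes_altered": (ts - state["since"]).total_seconds() / 60,
                    })
                del pending[vid]
    return findings

if __name__ == "__main__":
    for finding in find_flip_flop_payments(AUDIT_LOG):
        print(finding)
```

The `editor_also_paid` field highlights a separation-of-duties gap: the same account both edited the vendor record and issued the payment.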
Although insider threats have been a constant over the years, that doesn’t mean they have to continue to give IT managers and CIOs nightmares for years to come.
“Security is a chain, and it’s going to break at your weakest link,” notes Landoll. “It’s the job of every IT department to make sure both the internal and external links are strong.”