Although your own staff have always posed the greatest danger to
your organisation's IT security, the downturn is raising the threat
to new levels.
Companies are no longer losing one or two staff occasionally,
but making employees redundant in huge numbers; the staff who
remain are unsettled, and budgets for tackling security issues are
being squeezed.
When staff walk out of the door for the final time, confidential
company data often goes with them. The Infosecurity Europe poll 2009
found that 478 out of 532 IT decision-makers surveyed believe that
security risks will increase in 2009.
Moreover, a survey by security supplier Symantec and privacy
research specialist the Ponemon Institute found that nearly 60% of
employees who lost or left a job in 2008 took confidential data
such as customer lists with them.
When IT staff are sacked, the risk to the company's continued
operations can be even greater, because they have intimate
knowledge of IT systems and how they can be damaged.
Frustration hacking
"Be aware of frustration hacking," warns Eric Domage, a research
analyst at IDC. Domage says that IT-savvy staff can delete servers,
encrypt IT systems or take company data as a protest when they are
made redundant.
"The internal threat from one-time hacking is a major threat to
businesses," he says.
Companies can protect against external threats, and can trace
logs to identify internal fraud, but are too easily caught out by
one-off instances of internal electronic vandalism: a single
destructive act leaves no pattern to detect before it happens.
In the US, Rajendrasinh Babubhai Makwana, a contractor at US
mortgage association Fannie Mae, was charged earlier this year with
leaving a malicious script in a routine program that would have
propagated through Fannie Mae's servers and deleted all data. The
script was allegedly set to execute more than three months after
his contract was terminated.
To counter these risks, the most important step you can take is
to ensure that former staff no longer have access to IT
systems.
Systems access
The Symantec/Ponemon survey found that about a quarter of
employees still had access to their company's network after they
left.
In the Fannie Mae case, Makwana's root access to all of the
organisation's servers was not terminated until the evening of the
day he left.
Even if you do have effective procedures to deal with staff
departures when they are running at normal levels, you may not be
able to cope with turning off access for a couple of hundred people
at the same time, warns Andy Jones, a principal research consultant
with the Information Security Forum.
He says you need to prioritise activities such as removing cards
that allow physical access to the building and deactivating remote
access. That ensures ex-employees cannot access any parts of your
network while you work on revoking their rights on individual
systems.
You should also monitor staff before they leave the company, he
says.
Centralised security logging and event management software can
provide alerts and analysis in real-time showing who is accessing
what, allowing you to pick up on suspicious behaviour before it has
an impact on the organisation.
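The two pieces of advice above, cutting off the gateways first and correlating event logs against the leaver list, can be run as a small check against a SIEM export. The script below is an added example, not code from the article or from any supplier it quotes. The HR roster, the key=value syslog format, the 30-day notice window, the 10 MB "bulk copy" threshold and the set of gateway entitlements are all constructed assumptions; it also illustrates the "logging systems that allow you to spot suspicious behaviour" and "make it easy to disable user access" items from the checklist at the end of this article.

```python
"""Spot leavers who still have access, and departing staff exporting data.

Added example, not code from the article or from any supplier it quotes.
The HR roster, the key=value log format, the notice-period length, the
bulk-export threshold and the gateway list are all constructed assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed HR roster: account -> last working day.
LEAVERS = {
    "jdoe": datetime(2009, 3, 13),    # already gone when the log starts
    "asmith": datetime(2009, 3, 27),  # still serving notice
}
NOTICE_PERIOD = timedelta(days=30)             # assumed notice window
BULK_BYTES = 10_000_000                        # assumed "bulk copy" threshold
REMOVABLE = {"usb", "cdrom", "email"}          # exits worth watching
GATEWAYS = {"badge", "vpn", "remote_desktop"}  # revoke these first

# Constructed syslog-style events from a VPN gateway, a file server and a DB host.
SAMPLE_LOG = """\
2009-03-11T09:02:10Z fs01 event=copy user=asmith bytes=48213000 dest=usb path=/shares/sales/customers.xlsx
2009-03-11T09:40:55Z fs01 event=copy user=bwong bytes=1200 dest=usb path=/shares/it/notes.txt
2009-03-12T17:55:03Z vpn01 event=login user=jdoe src=198.51.100.4 result=success
2009-03-16T23:10:44Z vpn01 event=login user=jdoe src=203.0.113.7 result=success
2009-03-16T23:12:01Z db01 event=sudo user=jdoe cmd="rm -rf /data"
2009-03-17T08:00:00Z vpn01 event=login user=asmith src=198.51.100.9 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one 'timestamp host k=v k=v' record into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
           "host": m.group("host")}
    for key, val in KV_RE.findall(m.group("kv")):
        rec[key] = val.strip('"')
    return rec


def check_record(rec, leavers=LEAVERS):
    """Return (rule, user, timestamp) alerts raised by one parsed record."""
    user = rec.get("user")
    last_day = leavers.get(user)
    if last_day is None:
        return []                      # not a leaver: nothing to correlate
    end_of_last_day = last_day + timedelta(days=1)
    alerts = []
    # Rule 1: any event after the last working day means de-provisioning failed.
    if rec["ts"] >= end_of_last_day:
        alerts.append(("access_after_departure", user, rec["ts"]))
        if rec.get("event") == "sudo":   # privileged use after leaving is the worst case
            alerts.append(("privileged_after_departure", user, rec["ts"]))
    # Rule 2: a bulk copy to removable media or e-mail while serving notice.
    in_notice = last_day - NOTICE_PERIOD <= rec["ts"] < end_of_last_day
    if (in_notice and rec.get("event") == "copy"
            and rec.get("dest") in REMOVABLE
            and int(rec.get("bytes", 0)) >= BULK_BYTES):
        alerts.append(("bulk_export_in_notice_period", user, rec["ts"]))
    return alerts


def scan(log_text, leavers=LEAVERS):
    """Run both rules over every line of a log; malformed lines are skipped."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            alerts.extend(check_record(rec, leavers))
    return alerts


def revocation_order(entitlements):
    """Order a leaver's (name, is_privileged) entitlements for revocation:
    building badge and remote-access gateways first, so nothing is reachable
    while the per-system work is done; privileged accounts next; the rest last."""
    def rank(ent):
        name, privileged = ent
        if name in GATEWAYS:
            return 0
        return 1 if privileged else 2
    return sorted(entitlements, key=rank)   # stable sort keeps input order within a rank


if __name__ == "__main__":
    for rule, user, ts in scan(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {rule:32} {user}")
    print(revocation_order([("fs01_share", False), ("db01_root", True),
                            ("vpn", False), ("badge", False)]))
```

Run against the constructed log, the script raises one bulk-export alert for the member of staff still serving notice and three alerts for the account that should already have been disabled, including the privileged command. The revocation ordering puts the VPN and badge ahead of the root account and the file share, which is the sequence Jones recommends when hundreds of accounts have to be closed at once.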
The good news, says Chi-Chi Liang, a senior product marketing
manager at Symantec, is that only a very small proportion of
departing staff are actively malicious.
In most cases, even those who take data are doing so simply to
help them secure their next role. Alongside contact and client
lists, staff frequently want to take data about projects they have
worked on to show prospective employers what they have
achieved.
Companies should acknowledge that departing staff need access to
this material, and seek to reach an appropriate compromise with
them about what information they can take.
You also need to take care that you do not demoralise the staff
who are staying by applying heavy-handed security measures that
make them feel like criminals.
Honest staff
A survey carried out by YouGov on behalf of content security
company Clearswift suggests most people are honest: it found that
three quarters of employees said they would not take company
information if they were made redundant, with nearly half of them
citing "I do not steal" as the reason, and 12% claiming "loyalty to
the company".
Just 4% said company security measures would stop them.
In fact, the greatest internal threats once a company has
downsized may result from the remaining staff working under
stress.
"[Overworked staff] are more likely to cut corners or bypass
security in order to do more faster, opening up the organisation to
external threats such as phishing," warns David Kelleher, a
communications and research analyst with IT security software
supplier GFI Software, adding, "You should increase awareness among
employees of security threats and explain what to look out for to
help reduce the risk of unintentional data leakage."
How to prevent internal attacks
● Understand what data you have, who has access and how they
have access, and then focus on protecting the most critical data
first.
● Create policies for appropriate data use and educate users
about how to use data securely.
● Ensure business processes support good data security - by
appropriate segregation of duties, for example.
● Implement technologies that prevent information from leaving
the organisation, whether on CDs, memory sticks or through
e-mail.
● Implement technologies that make it easy to disable user
access, especially for users with high-level privileges.
● Implement logging systems that allow you to spot suspicious
behaviour quickly.
● Develop de-provisioning processes that scale.