Insider threats thwarted in simple steps

Don't wait for new SMB-specific offerings before you prevent insider threats. Leverage your existing systems with simple planning and integration.

Historically, security threats were thought to be from bad guys outside your network. That resulted in strengthening the perimeter of your network. Make sure the bad guys didn't get in, and life would be good.

IT managers at small and medium-sized businesses (SMBs) bought firewalls, virtual private networks (VPNs), intrusion prevention tools and, increasingly, antispam gateways to fortify perimeters. Now these capabilities are starting to show up in an integrated appliance commonly known as unified threat management (UTM).

And now it has become clear that the enemy might not only be "out there." Enemies may be stealing data from the inside, delivering your intellectual property to competitors or compromising private data for fraudulent purposes. So was born the insider threat.

Insiders have been involved in fraud since the beginning of time. They are in a trusted position and have access to sensitive data. They need that access in order to do their jobs, so shutting them down isn't really an option. So the keyword is going to be control. We can't shut down access, but we need to control it.

Technology keeps moving forward, and within the last two years large enterprises have started to deploy technologies that control access to networks, as well as monitor content usage both at the network perimeter and on desktop computers. Both of these technologies will be available to SMBs, so you should understand how they work.

Network access control

Network access control (NAC) products ensure that only devices adhering to a corporate policy are allowed on the network, while monitoring what the devices are doing once they are on it. You can enforce policies on the configuration of devices (antivirus, patch level, etc.) and on what they are allowed to reach. Thus, visitors can get to only the Internet, but someone on the executive team gets free rein -- when they connect in the office. They have restricted access at home.
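To make the two halves of that policy concrete (a configuration check every device must pass, then role- and location-based zone assignment), here is a small policy evaluator written for this article. It is an added illustration, not code from any NAC product; the role names, zone names, patch-level number and the rule that off-site connections never reach the restricted segment are all assumptions made for the example.

```python
"""Toy NAC policy evaluation: posture check first, then role- and location-based zones.

Added example, not a vendor's implementation. Role names, zone names and the
required patch level are constructed values.
"""
from __future__ import annotations
from dataclasses import dataclass

MIN_PATCH_LEVEL = 42  # constructed: the patch bundle the policy requires


@dataclass(frozen=True)
class Device:
    owner_role: str        # "visitor", "contractor", "employee" or "executive"
    antivirus_running: bool
    patch_level: int
    location: str          # "office" or "remote"


# Zones a compliant device of each role may reach. "internal" is the
# corporate LAN, "finance" a restricted segment, "internet" is egress only.
ROLE_ZONES = {
    "visitor": {"internet"},
    "contractor": {"internet", "internal"},
    "employee": {"internet", "internal"},
    "executive": {"internet", "internal", "finance"},
}


def posture_violations(device: Device) -> list[str]:
    """Configuration checks every device must pass before any network access."""
    problems = []
    if not device.antivirus_running:
        problems.append("antivirus not running")
    if device.patch_level < MIN_PATCH_LEVEL:
        problems.append(
            f"patch level {device.patch_level} below required {MIN_PATCH_LEVEL}"
        )
    return problems


def allowed_zones(device: Device) -> set[str]:
    """Decide which zones a device may reach.

    A device failing posture is parked in a remediation zone only. Otherwise
    the role decides, and an off-site connection loses the restricted segment
    regardless of role (the "free rein only in the office" rule).
    """
    if posture_violations(device):
        return {"remediation"}
    zones = set(ROLE_ZONES.get(device.owner_role, {"internet"}))  # unknown role: visitor treatment
    if device.location != "office":
        zones.discard("finance")
    return zones


def decision_record(device: Device) -> dict:
    """Audit record for the monitoring side of NAC: what was decided and why."""
    return {
        "role": device.owner_role,
        "location": device.location,
        "violations": posture_violations(device),
        "zones": sorted(allowed_zones(device)),
    }


if __name__ == "__main__":
    for d in (
        Device("visitor", True, 42, "office"),
        Device("executive", True, 42, "office"),
        Device("executive", True, 42, "remote"),
        Device("employee", False, 40, "office"),
    ):
        print(decision_record(d))
```

The point of keeping `posture_violations` separate from `allowed_zones` is that the two questions NAC answers (is this device healthy, and what may it reach) get logged separately, so a help desk can tell a blocked patch-level problem apart from a deliberate access restriction.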

If you have a lot of visitors and/or contractors who need access to your network, or you have mobile employees, NAC is worth a look. You want something as nonintrusive as possible (so you don't have to re-architect your network) and that doesn't require each desktop to have an agent for enforcement.

Over time, NAC will be embedded within the network devices that you know and love, like your routers and switches. But that will take a while, so if you have a need to control what connected devices do now, check out NAC.

Leak prevention

Leak prevention offerings currently target the large enterprise, but more products for SMB are appearing. In a nutshell, these products spider your network and figure out where your sensitive data is (it's in more places than you thought). They then employ gateways and endpoint clients (that run on your computers) to govern the use of that content.

The key to these products is the ability to enforce a consistent policy across your organization. You can turn off USB devices or monitor the content that is copied. You can scrutinize outbound emails or check out what folks are sending through their webmail and other applications. It's a tremendously flexible technology.

But with that flexibility comes complexity. That's why these offerings are more enterprise-focused right now. Over time, prebuilt policies and more portable technologies will make these offerings a requirement for all organizations.

In the meantime, you can provide similar protection by integrating a number of existing product sets that you may already have. Your email gateway can scrutinize email, and your Web-filtering device can control where users surf. You can also implement device control products that turn off your USB ports, so desktop leakage isn't an issue.
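The "consistent policy across channels" idea above, and the do-it-yourself version of it from the paragraph just before this, come down to one rule set applied to whatever is leaving the network, whether by email, webmail or a USB stick. The following is an added example written for this article, not any vendor's product: the internal domain, the classification marker, the document-ID format and the sample messages are all constructed. It also shows the practitioner's main headache with content inspection, false positives, by running candidate card numbers through a Luhn check before raising an alert.

```python
"""Toy outbound-content policy applied uniformly across email, webmail and USB.

Added example, not a product. INTERNAL_DOMAIN, the CONFIDENTIAL marker and the
DOC-nnnnnn identifier format are constructed for this illustration.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"                         # constructed
CLASSIFIED_MARKER = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)
DOC_ID = re.compile(r"\bDOC-\d{6}\b")                   # constructed internal doc-ID format
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # 13-16 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops random digit runs (order numbers, phone numbers) from card hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_numbers(text: str) -> list[str]:
    """Return digit strings that look like card numbers and pass Luhn."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class OutboundEvent:
    channel: str       # "email", "webmail" or "usb"
    sender: str
    destination: str   # recipient address, web host, or removable-device id
    content: str


@dataclass
class Decision:
    action: str                                 # "allow", "block" or "alert"
    reasons: list[str] = field(default_factory=list)


def is_external(event: OutboundEvent) -> bool:
    """Removable media always counts as leaving; otherwise compare the destination host."""
    if event.channel == "usb":
        return True
    host = event.destination.rsplit("@", 1)[-1].lower()
    return host != INTERNAL_DOMAIN and not host.endswith("." + INTERNAL_DOMAIN)


def evaluate(event: OutboundEvent) -> Decision:
    """One policy for every channel: that uniformity is what makes it consistent."""
    if not is_external(event):
        return Decision("allow")
    reasons: list[str] = []
    if CLASSIFIED_MARKER.search(event.content):
        reasons.append("classified marker in content")
    ids = DOC_ID.findall(event.content)
    if ids:
        reasons.append("internal document ids: " + ", ".join(ids))
    cards = card_numbers(event.content)
    if cards:
        reasons.append(f"{len(cards)} card number(s) passing Luhn")
    # Classified material or internal document ids leaving the company: stop it.
    # Card-like data: raise an alert for review rather than block outright.
    if CLASSIFIED_MARKER.search(event.content) or ids:
        return Decision("block", reasons)
    if cards:
        return Decision("alert", reasons)
    return Decision("allow")


if __name__ == "__main__":
    samples = [  # constructed sample events
        OutboundEvent("email", "alice@example.com", "bob@example.com", "CONFIDENTIAL draft DOC-123456"),
        OutboundEvent("webmail", "alice@example.com", "mail.webmail.test", "see CONFIDENTIAL DOC-123456"),
        OutboundEvent("usb", "alice@example.com", "usb-0001", "customer card 4111 1111 1111 1111"),
        OutboundEvent("email", "alice@example.com", "bob@partner.test", "order 1234 5678 9012 3456"),
    ]
    for ev in samples:
        print(ev.channel, ev.destination, evaluate(ev))
```

Note the fourth sample: a sixteen-digit order number that a naive digit-count rule would flag, but which fails Luhn and is allowed. Whether card-like data should block or merely alert is a policy choice; the example alerts because a single false block of a legitimate business document costs more goodwill than a reviewed alert.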

The insider threat is something every organization must take seriously and start working on defenses to make sure the one you know isn't the one that kills you.

Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about The Pragmatic CSO at, read Rothman's blog at, or reach him via email at mike.rothman (at) securityincite (dot) com.
