Insider threat detection still a challenge for employers

Although most information security investments focus on keeping out malware and intruders, recent events demonstrate the growing threat of insider risk.

How do you make sure employees, who have access to files and systems as part of their job, do not abuse their privileges and steal information for gain?

Insider threat detection has always been a problem, but most investments in information security still tend to focus on keeping out viruses and intruders. The potential danger of a rogue employee may often be discounted, ignored or just accepted as a risk of doing business.

But recent events serve as a vivid reminder of a growing problem. For instance, last month, mobile phone company T-Mobile Inc. revealed that its call centre staff had been selling customer records to rival firms. The records contained contract expiry dates, and the rivals were targeting customers as their contracts were coming up for renewal.

Around the same time, email records were leaked from the University of East Anglia's Climate Research Unit, allegedly exposing dishonesty and collusion amongst climate-change scientists. The information has been valuable to those fighting legislation to limit climate change.

If further proof were needed of the danger, a new survey conducted among 600 office workers in Canary Wharf, London and Wall Street, New York, revealed that many employees have no qualms about mishandling information. One-third of them said they would steal data to help a friend find a job, and 41% admitted they had already taken data, just in case they needed it in some future employment.

The study, which was commissioned by security company Cyber-Ark Software Inc., found that customer and contact details were the favourite files to steal, followed by plans, proposals and product information.

But how do companies protect data from users who are properly authorised to access their systems?

Peter Wood, founder of security consultancy First Base Technologies Ltd., said the key is to ensure employees are properly vetted when recruited. "We have been working with retailers and banks on PCI DSS compliance, and there is a big concern over call centres," he said. "They use a lot of temps and contract staff, and they rely on the recruitment agency to vet people. They assume the agency has done the appropriate background checks, but in our experience, they haven't."

Vetting is important to insider threat detection, because organised crime has been known to target call centres. For instance, the Glasgow police recently estimated that one in 10 call centres has been infiltrated by organised crime.

Wood also said he has seen keyloggers planted in organisations to steal information. He recommends using an agency to do background checks on applicants, and to verify the accuracy of their CV and qualifications. If companies want to do the checks themselves, he suggests following the procedures outlined in the British Standards Institute's BS 7858 standard for staff screening.

Wood said that, for the moment, firms are trying to tighten up on physical security in call centres -- banning iPods and sometimes even pens and paper -- "but they are not addressing the core issue of whether those individuals can be trusted or not."

Nick Garlick, managing director of Nebulas Solutions Ltd, said companies also need to appreciate the value of their data, and ensure that their employees understand their responsibilities. The T-Mobile episode, he said, should serve as a "wake-up call" for organisations.

Security professionals should communicate to staff that disclosure of company data is a criminal offence, and that message has to be backed up with technology. "All users need to be monitored, whether they are privileged or not, and there needs to be an audit trail to protect against misuse," he said. "Users are increasingly IT-savvy. They know how to find their way around a network."

Garlick said many companies still regard data leakage prevention (DLP) technology as "nice to have", whereas he argues it should be part of the overall security infrastructure. And while file encryption can help with DLP, it is still not the norm in many companies. "Encryption could eliminate a majority of the risks attached to this kind of activity. However, some companies struggle with end-to-end encryption, because of the difficulties of management, provisioning of certificates. It is quite a hefty management overhead although there are tools now that can automate it," he said.

"Some companies will encrypt laptops, email systems and file shares, but most of them still don't encrypt databases."

Focus on the data
In order to improve insider threat detection, said Clive Longbottom, a director at analysis firm Quocirca Ltd, the focus of security needs to shift from the IT infrastructure to the data itself.

"If you protect the data, then you don't have to concentrate on everything else. You may protect the server that runs SAP, for instance, but as soon as you start doing a backup, then the data starts to move, from machine to machine, to a tape on the back of a lorry, then over to Iron Mountain [a Boston-based records management company, for example]," he said. "You can't say that just because you've protected SAP, the rest of the process is secure. If you protect the data, then it makes no odds where it is. It is still secure."

He said encryption can help, but in order to limit what can happen to information, some form of digital rights management (DRM) technology is required.

"For example, a sales guy needs access to your Siebel system and all its data, but with DRM, the data will time-out if it doesn't touch the network for eight hours, and will lock itself, and then delete itself," he said. "It means he can't copy the data, leave the company and then take all the customer records to his new employer."

Of course, companies need to decide what information is sensitive or confidential. According to Longbottom, few companies carry out formal data classification exercises, and may rely on their DLP technology (if they have it) flagging up credit card numbers, for example, to meet regulatory compliance.

But as the case of the climate-change emails demonstrates, information can be valuable for many reasons. Robert Schifreen, former hacker and now IT consultant, suggests it is a question of "knowing your enemy."

"Twenty years ago, any company trading with South Africa or dealing with the fur trade was a target. Now with the Copenhagen summit coming up, the University of East Anglia should have realised they might be hit," he said.

Provided companies can catch data thieves, and prove it, then the law can be used to mete out punishment. A consultation exercise at the Ministry of Justice is expected to rule in early 2010 on new penalties in relation to Section 55 offences of the Data Protection Act. Section 55 of the Data Protection Act makes it a criminal offence to knowingly or recklessly obtain or disclose personal data or information without the consent of the data controller.

But according to William Malcolm, a specialist in privacy and data protection at law firm Pinsent Masons LLP, companies need to make the company's responsibility to look after personal data clear to their staff. "Staff needs to understand the parameters of their work -- that information is confidential and only for purposes as an employee," he said.

"It should be made clear that if they access data without the consent of the data controller, then use it to disclose it for a purpose not associated with their employment, that is potentially a criminal offence under the Data Protection Act and the Computer Misuse Act."

Employers have responsibilities, too. They have to provide employees with the right tools to work in a secure fashion. If staff are placed in a position where they need to bypass security to get the job done -- for instance, copying a file to a USB stick because there is no other way of transferring data -- and an accident occurs, then the employees cannot bear full responsibility. "It may be that they are not trying to act maliciously, but the technological constraints in the organisation mean that they have to work around the rules in order to get the job done," Malcolm said.

The possibility of an insider leaking data, whether by accident or design, can never be eliminated entirely. But with the right leadership, planning, management and a certain amount of technology, the dangers can be greatly reduced.