Insider threats: Watch out for the quiet ones

Malicious insiders remain a menace to data security, but it's the loyal employee who takes a lax approach to policy that could be your most looming threat.

When it comes to internal security threats there are two types of employees - those who mean to do it, and those who haven't a clue. Both are equally dangerous.

While delivering his keynote address at the IT Compliance Institute's conference, cybersecurity author Dan Verton said malicious or not, an IT organisation faces an uphill battle when it gets down to protecting its assets. Old-fashioned IT perimeter defences have been rendered useless.

"Your security programmes, policies and procedures are failing miserably and you don't know it," Verton told his audience. "You might be spending millions on perimeter defence, and you have no perimeter."

Your security programmes, policies and procedures are failing miserably and you don't know it.
Dan Verton
cybersecurity author
Verton, who wrote The Insider: A True Story, said companies need to use technology to enforce security procedures that thwart malicious insiders and protect against threats from loyal employees who take a lax approach to policies.

When ignorance is not bliss

The criminal insiders' motivations are obvious, Verton said: They want to steal data.

Then there are the loyal, but unaware, employees who work around security policies and procedures in an attempt to be more efficient or download pornography, exposing the system to malicious code that could lead to a data breach.

According to Verton, malicious insiders often come from within a company's IT organisation - something no CIO wants to hear but can no longer afford to ignore.

"There's a psychological aspect to these employees that you have to pay attention to," Verton said. "They are people who say, 'This company doesn't know what it's doing.' They feel they own your network. These are individuals who are ripe for when you go through downsizing or layoffs - if they are on your list you have to put that into consideration when you're planning."

Verton said data must be protected even if it's behind a perimeter, such as a firewall. He said companies cannot rely on strict data access controls. Experts say a hardened perimeter security strategy is impossible to sustain.

"You have average users who are loyal, but they're handling data in such a way that it is distributed all over the enterprise unprotected." For instance, they may use web-based e-mail to send customers information about their accounts for expediency, even though the company may have a policy of sending such information through encrypted e-mail. A virus or worm that penetrates an organisation's perimeter security can then harvest that data.

"It comes down to creating a culture of security," Verton said.

Verton said organisations need effective policies for security. This means identifying key data assets and authorised network systems and devices. They must document and publish their policies and procedures that govern access and acceptable use of data.

He said organisations must also routinely scan for rogue wireless access points or unauthorised software. They must restrict or actively monitor the use of web e-mail, FTP and instant messaging and automate antivirus updates, vulnerability scanning and patch deployment. He added companies should also identify and deactivate all unnecessary processes and automate detection of changes to security settings.

More on security
Midmarket CIOs take heat for security snafus
An IT executive for the security department of a major US retailer, who asked not to be identified, said the loyal insider as a security threat is a growing problem. He said such people have become just as common as insiders with malicious intent.

"The fact that technology has become so ingrained into business and people use the technology as part of their everyday work habits, they don't think about what they are doing … such as sending an e-mail to a vendor with sensitive information in it," he said.

The analyst said awareness is the key to cutting down on non-malicious threats. "The only way to do that from an IT standpoint is to set out clearly what is right and wrong. This is what our company considers public and private, and here are some best practices to adhere to."

Let us know what you think about the story; email: Shamus McGillicuddy, News Writer

Read more on IT risk management