Infosec 2011: Brand reputation the most likely target of insider threats

Damage to brand reputation is probably the most common threat to organisations from disgruntled employees, says Andrew Kellett, senior research analyst at...

Damage to brand reputation is probably the most common threat to organisations from disgruntled employees, says Andrew Kellett, senior research analyst at Ovum.

This is more likely than insiders taking down an entire organisation, he says, particularly in the difficult economic climate, and organisations should be putting appropriate controls in place.

In more extreme cases where insider actions have put businesses under pressure, mostly in the financial sector, it has been due to a lack of control over data and staff activities, he says.

Most organisations have to deal with the middle ground of user error, says Kellett, who is to lead a panel discussion on the topic of insider threats at Infosecurity Europe 2011 at Earls Court, London from 19 - 21 April.

"Most insider threats result from employees not taking proper care, doing risky things to get jobs done faster, and accidentally sending out commercially sensitive information, rather than the intentional theft of intellectual property," he says.

But, says Kellett, the malicious aspect cannot be ignored, especially in organisations where there have been redundancies, where perhaps additional controls need to be put in place to ensure sensitive corporate data cannot be taken out.

In addition to technological controls, staff education and awareness of the security risks, including social engineering, is essential to reduce inadvertent threats.

"It has always been the case that organisations work more effectively when employees understand what their responsibilities are, know what they can and can't do, and are given help to follow best practice," says Kellett.

The challenge facing most organisations is how to control properly the things they allow users to do, including using social media and portable storage devices.

While the financial services sector is leading the way in deploying monitoring and control, says Kellett, these systems are often costly, are difficult to support, and constrain business activities, which is why finding the right balance is key.

There are some fairly mature technologies in the data leakage prevention space, he says, but to get the best value out of them, organisations have to have a good understanding of their risk profile to identify what technology is relevant to them.

"For less highly regulated industries and small businesses, this may simply be deploying commoditised solutions to control the mainstream e-mail and web channels and ensure that proper data inspection and encryption takes place," says Kellett

The panel made up of Mark Segelov of The Open University, Robin Smith of Northampton General Hospital, and Vlatka Toukalek of World Meteorological Organisation, will also consider the risks of adopting employee-owned kit.

"This is relatively new and organisations are still trying to get their heads around it and what they should allow," says Kellett.

The challenge, he says, is that the demand to use consumer equipment in the workplace, particularly mobile devices, is often coming from high up in the organisation, and IT security pros are having to find ways of enabling the use of these non-enterprise devices in a secure way.

Other issues the panel will discuss include event monitoring and management, supplier sourcing and due diligence, user behaviour analysis and privacy issues, and strategies for redundancy programmes and managing those left behind.

Read more on IT jobs and recruitment