Investing in security inside the organization

By Dr. Guy Bunker.

The Morrisons payroll data theft made the headlines, not just because it was (yet another) data breach involving innocent people’s personal information, but also because it was quickly discovered to have been carried out by an insider, the ‘Enemy Within’. Clearswift conducted a number of country-specific surveys last year which highlighted, in every country surveyed, that internal security threats now cause more problems than external ones. But what should organizations do to mitigate the risk?

The first step is acceptance: there needs to be an acknowledgement that, while you think you know your staff, there is a possibility that one of them has less than the best intentions at heart. While surveys are useful, it is actual instances such as Morrisons that back up the otherwise anonymous survey data. Security firms are often accused of scaremongering, and named, published case studies are hard to come by because no-one really wants to own up to security problems – especially when they involve a rogue employee.

Accepting that there may be a problem opens the door to a range of actions which can then occur.

The next step is to look at what security measures are currently in place and what they mean for the insider threat. If a breach such as the one at Morrisons were to occur, would you (a) know about it and (b) be able to find the perpetrator?

As with so many things these days, a cross-functional team needs to be set up and scenario planning carried out.

Perhaps the biggest challenge when dealing with the insider threat is understanding (and accepting) that this is not about *everyone*; rather, because of a minority, the majority will be affected. The cost of the security solution needs to be proportionate to the risk (and consequence) of the threat.

Not all information is equal: understanding the organization’s critical information and its value is essential. Where is this information held? Who has access? The questions are simple to ask but difficult to answer. The information might be held in a database... but can it be exported to a file and uploaded to the Internet? What is relatively easy to monitor and control (a database application) suddenly becomes a nightmare. Network and device monitoring is needed to discover and watch for the critical information – especially when it is attempting to move outside the organization, or off the device onto removable media. Data Loss Prevention (DLP) solutions are good at watching for the information as it moves, but can also be used to look for ‘smoking guns’: information sitting on end-user devices and file servers which, if lost, would cause a data breach.
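As an added illustration (not Clearswift’s product and not code from this article), a small at-rest scan for payroll ‘smoking guns’: constructed sample files are checked for UK National Insurance numbers and sort-code/account-number pairs, and a file holding many records is rated ‘bulk’, because an export of the whole payroll is what turns a stray record into a breach. The identifier patterns and the threshold of five records are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Simplified patterns (assumption: the critical data is UK payroll records).
# Real NI numbers exclude some prefix letters; this check is deliberately loose.
UK_NI = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")
UK_SORT_ACCOUNT = re.compile(r"\b\d{2}-\d{2}-\d{2} \d{8}\b")


@dataclass
class Finding:
    path: str
    ni_numbers: int       # distinct NI numbers seen in the file
    bank_accounts: int    # distinct sort-code/account pairs seen in the file
    severity: str         # "bulk" when the file looks like an export, else "single"


def scan_text(path: str, text: str, bulk_threshold: int = 5) -> Optional[Finding]:
    """Return a Finding if the contents hold payroll identifiers, else None."""
    ni = len(set(UK_NI.findall(text)))
    accounts = len(set(UK_SORT_ACCOUNT.findall(text)))
    if ni + accounts == 0:
        return None
    severity = "bulk" if ni + accounts >= bulk_threshold else "single"
    return Finding(path, ni, accounts, severity)


def scan_files(files: Dict[str, str], bulk_threshold: int = 5) -> List[Finding]:
    """Scan an in-memory {path: contents} map, as a file-server walk would."""
    findings = (scan_text(p, t, bulk_threshold) for p, t in files.items())
    return [f for f in findings if f is not None]


# Constructed sample contents standing in for a file share (no real people or accounts).
SAMPLE_FILES = {
    "finance/payroll_export.csv": (
        "name,ni_number,bank\n"
        "A Example,AB123456C,12-34-56 12345678\n"
        "B Example,CD234567A,23-45-67 23456789\n"
        "C Example,EF345678B,34-56-78 34567890\n"
    ),
    "hr/new_starter.txt": "Starter's NI number is GH456789D; bank details to follow.",
    "it/readme.txt": "Patch schedule for the quarter. No personal data here.",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.severity:6} {f.path}: {f.ni_numbers} NI, {f.bank_accounts} accounts")
```

In practice the same check would run over real file shares and endpoint drives, and the ‘bulk’ hits are the ones to triage first.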

When it comes to malware, there are comparatively few ‘zero-day’ threats – threats for which there is no forewarning. The same is true of malicious insider breaches, even for Manning and Snowden: their malicious activity had gone unnoticed for quite a while before they stole and leaked the information. A proactive approach to finding critical information, followed by an action plan to deal with it, will reduce information risk and in many cases uncover malicious insiders.

While Morrisons suffered an embarrassing data loss, they were able to move quickly, find the root cause and make an arrest. It would, of course, have been better if the information hadn’t leaked in the first place – and no doubt they are looking at additional security measures to prevent it from happening again. In the meantime, it is something we should all learn from: investing in security solutions is not just about the external hacker; it now needs to include dealing with the malicious insider, the Enemy Within.