Thousands of pounds continue to be spent on information security by companies of all shapes and sizes in order to “keep the bad guys out,” but with data leaks on the increase, it is clear that companies face internal risks as well.
Whether the breach comes from an individual with a grudge, from organised crime, or from hackers impersonating the identity of an employee with malicious intent, the risk from an accidental breach is just as great.
The situation is exacerbated by the increasing complexity and distributed nature of IT systems, especially with the rise of employees using their own devices and applications for work purposes and cloud-based solutions extending the boundaries of the organisation further still. All these factors create more potential points of weakness, also described as “attack surface”.
Organisations have a tendency to give individuals unnecessary levels of system and information access. But with a hefty fine of up to £500,000 from the Information Commissioner’s Office (ICO) for serious data breaches, the responsibility for security can no longer lie solely with the IT manager and must be addressed by the business as an issue of strategic importance.
Whilst the insider threat is a very real one, it can be easily avoided, with the right combination of technology, processes and policies. It also helps to understand the kind of personalities that may maliciously or inadvertently cause a problem, such as the disgruntled employee, who may feel ‘hard done by’: perhaps they have been passed over for a promotion or know that they are likely to be in the next round of redundancies.
At the other end of the spectrum are the employees who may have the best intentions but can be the root cause of major problems. For example, the Lancashire Police Force was fined £70,000 after papers containing sensitive information were discovered by a member of the public on a street in Blackpool. An accident, no doubt, but one with serious implications.
Devastating breaches can also stem from innocuous actions such as giving away passwords, downloading unauthorised applications or tools from the internet that bring in malware, or the most basic of email errors (“I sent it to the wrong person!”).
Last but not least is the risk from an individual who does not work for the organisation at all, but who has managed to gain remote access to secure information by impersonating a legitimate internal user.
Data Security is not about building walls
So, what can be done? The first thing to understand is that the aim should be to create barriers, not walls. Organisations need to implement privilege management, taking the ‘Goldilocks’ approach (not too much privilege, not too little, but ‘just right’). This ensures that employees can carry out their job effectively, without unnecessary rights or privileges that could create the potential for error.
Companies should also investigate tools specifically designed for managing privilege and preventing data leaks. Available solutions cover everything from monitoring and alerting systems and security information reporting to management tools that sift through web- and code-based interfaces to centrally control requested network tasks. These tasks are then deployed across all endpoints: cloud, virtual, servers, databases, desktops and mobile.
There are some very simple best practices that companies can adopt, including disabling the capability for desktop users to operate as ‘administrators’ on their machines. Companies often make the mistake of giving their employees free rein over their laptops or PCs, thinking that this approach saves hundreds or thousands of calls to the IT helpdesk, but this is a false economy: when individuals are allowed to operate as local administrators, organisations are exposed to serious security threats.
Another example is to stop users bypassing the login process. However tempting this is, without this system of checks and balances companies cannot have granular control over what is going on, let alone work out the root cause when something goes wrong. For the more tech-savvy among readers, use of Microsoft UAC is not enough on its own, because it does not eliminate admin rights altogether and so leaves a gaping hole in protection plans.
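The practical first step behind the two points above is to find out who actually holds local administrator rights on a workstation and to take them away from everyone who does not need them. The following PowerShell script is an added example, not code from the original post or from BeyondTrust; it assumes a Windows 10 / Server 2016 or later machine with the built-in LocalAccounts module, and the allow-list it starts from is a constructed placeholder to be replaced with the accounts your organisation has genuinely approved.

```powershell
# Added example, not from the original post or from BeyondTrust.
# Audits the local Administrators group and reports every member that is not
# on an explicit allow-list, so that "everyone is a local admin" set-ups show
# up instead of going unnoticed. Assumes the built-in
# Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+).

# Constructed placeholder allow-list: replace with the accounts and groups
# that are genuinely approved to hold local admin rights on your estate.
$ApprovedLocalAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # the built-in local account
    'CORP\Workstation Admins'            # hypothetical IT support group
)

function Get-UnapprovedLocalAdmins {
    [CmdletBinding()]
    param(
        [string[]] $Approved = $ApprovedLocalAdmins
    )
    # Get-LocalGroupMember returns Name (DOMAIN\account), SID, ObjectClass
    # (User or Group) and PrincipalSource (Local, ActiveDirectory, AzureAD,
    # MicrosoftAccount) for each direct member of the group.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Name            = $_.Name
                Sid             = $_.SID.Value
                ObjectClass     = $_.ObjectClass
                PrincipalSource = $_.PrincipalSource
            }
        }
}

function Remove-UnapprovedLocalAdmins {
    # Supports -WhatIf so the change can be previewed before it is made.
    # Accounts are only removed from the Administrators group; the user keeps
    # a normal account and can still log on and work.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]] $Approved = $ApprovedLocalAdmins
    )
    foreach ($member in Get-UnapprovedLocalAdmins -Approved $Approved) {
        if ($PSCmdlet.ShouldProcess($member.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $member.Name
        }
    }
}

# Usage (run from an elevated session): list the offenders, then preview the
# removal before running it for real without -WhatIf.
Get-UnapprovedLocalAdmins | Format-Table -AutoSize
Remove-UnapprovedLocalAdmins -WhatIf
```

Two caveats worth knowing when reading the report: Get-LocalGroupMember lists direct members only, so a domain group on the allow-list may itself contain far more people than intended and should be reviewed separately in Active Directory, and removing an account from Administrators does not revoke an already-running elevated session, so the change takes full effect at the user's next logon.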
These are just some of the best practice techniques that can be adopted which, together with the right supporting tools, can stop the ‘insider threat’ in its tracks. With the right ammunition, companies can ensure that data breaches are virtually eliminated, and prevention is better than cure.
This guest post has been contributed by Brent Thurrell, Director EMEA, BeyondTrust.