About Me

Scott Arnett is an Information Technology & Security Professional Executive with over 30 years experience in IT. Scott has worked in various industries such as health care, insurance, manufacturing, broadcast, printing, and consulting and in enterprises ranging in size from $50M to $20B in revenue. Scott’s experience encompasses the following areas of specialization: Leadership, Strategy, Architecture, Business Partnership & Acumen, Process Management, Infrastructure and Security. With his broad understanding of technology and his ability to communicate successfully with both Executives and Technical Specialists, Scott has been consistently recognized as someone who not only can "Connect the Dots", but who can also create a workable solution. Scott is equally comfortable playing technical, project management/leadership and organizational leadership roles through experience gained throughout his career. Scott has previously acted in the role of CIO, CTO, and VP of IT, successfully built 9 data centers across the country, and is expert in understanding ITIL, PCI Compliance, SOX, HIPAA, FERPA, FRCP and COBIT.

Friday, December 10, 2010

Security - Do you have inside threats?

I talk with many IT leaders over the course of a year, and everyone is focused on firewalls, IDP, IDS, DLP, and the list goes on. No one really talks about inside threats. What about that risk? When IT pros think of securing networks, they typically concern themselves with outside attacks and hackers. But the easier attack is the one launched from inside your office or a branch office. Companies also face threats from their employees, especially their internal staff. The threats can be intentional, from malicious employees, or accidental, when staff mistakenly leave sensitive information open and available to attackers. Social engineering, too, is not just an outside attack.

New Threats

The majority of data breaches involve outside criminals. Verizon's 2010 Data Breach Investigations Report stated that 70% of breaches in 2009 were from outside criminals. The most surprising number is that insider involvement rose to 48%, double what it was in 2008. Part of that figure covers breaches in which people from both inside and outside the company were involved.

The question becomes: how can IT managers reduce the risk of insider threats? The best place to start is with the employees inside the IT department. Most IT staffers have the highest level of access and the technical knowledge needed to steal data. In addition, some IT staff are overworked, underappreciated and feel negative towards their employer.

To protect against threats within the IT staff, industry experts recommend the following best practices.

Enforce a policy of least privilege

48% of the security breaches in the Verizon study involved the misuse of privileges by employees. Help limit attacks by giving employees only the access they need to do their jobs. That typically means assigning privileges individually, not based on employee groups.

Conduct thorough background checks

Make sure your HR department is aware of which positions in your IT department require access to critical and sensitive data, so that candidates can be appropriately screened before they are hired.

Terminate properly

In a recent survey by Cyber-Ark, 63% of IT staffers admitted they would steal passwords, financial reports and other sensitive information if they knew they were about to be fired. Disable account access right away when employees are going to be fired.

Watch for signs of a suspicious employee

Employees involved in cybercrime will often show signs such as absences from work, changes in work habits and a change in temperament.

Enforce your policies

A lax environment can convince some staffers that they can get away with fraud. Make sure you are enforcing all of your policies and that violations are dealt with appropriately.

Unknowing accomplices

Staffers and IT professionals might also put their company's network at risk unknowingly. The Verizon study shows that cybercriminals are less reliant on malware to steal data. More often, they are gaining access through social engineering or by exploiting poorly configured networks. In addition, some staff members can take equipment or company assets home, where they can be used to conduct attacks after hours.

Keep your staff informed

Provide training: watch for hackers' latest tactics for tricking staffers into providing sensitive data or access credentials. Most IT pros should know better, but you still need to remind them from time to time.

Conduct audits

Audits can help detect potential fraud and catch holes that IT staffers may have overlooked. Encourage staff to report problems so they can be addressed and fixed.
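As an added illustration (not code from the original post) of how the least-privilege, termination and audit recommendations above can be checked mechanically rather than by hand: a small Python audit over a constructed account inventory, with hypothetical users, roles and privilege names, that flags privileges held beyond a per-role baseline and accounts of departed staff that are still enabled.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Constructed sample data; users, roles and privilege names are hypothetical.
@dataclass
class Account:
    user: str
    role: str
    privileges: Set[str]
    enabled: bool
    termination_date: Optional[date] = None

# Least-privilege baseline: the privileges each role needs to do the job, nothing more.
ROLE_BASELINE = {
    "helpdesk": {"reset_password", "read_tickets"},
    "dba": {"db_admin", "db_backup"},
    "netadmin": {"firewall_admin", "switch_admin"},
}

def excess_privileges(acct: Account) -> Set[str]:
    """Privileges an account holds beyond its role baseline (checked per account, not per group)."""
    return acct.privileges - ROLE_BASELINE.get(acct.role, set())

def audit(accounts: List[Account], today: date) -> List[Tuple[str, str, object]]:
    """Return (user, finding, detail) tuples for privilege creep and stale terminated accounts."""
    findings = []
    for a in accounts:
        extra = excess_privileges(a)
        if extra:
            findings.append((a.user, "excess_privilege", sorted(extra)))
        # Terminate properly: a departed employee's account must already be disabled.
        if a.termination_date is not None and a.termination_date <= today and a.enabled:
            findings.append((a.user, "terminated_but_enabled", a.termination_date.isoformat()))
    return findings

AUDIT_DATE = date(2010, 12, 10)
SAMPLE = [
    Account("alice", "helpdesk", {"reset_password", "read_tickets"}, True),
    Account("bob", "helpdesk", {"reset_password", "read_tickets", "db_admin"}, True),
    Account("carol", "dba", {"db_admin", "db_backup"}, True, date(2010, 12, 3)),
    Account("dave", "netadmin", {"firewall_admin"}, False, date(2010, 11, 1)),
]

if __name__ == "__main__":
    for user, finding, detail in audit(SAMPLE, AUDIT_DATE):
        print(user, finding, detail)
```

In a real environment the inventory would be pulled from the directory or identity system and the baseline from the role definitions HR and IT agreed on.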

Keep in mind the human side of the environment. Employees who are happy at work and feel fairly compensated, rewarded and appreciated are less likely to do harm to the company. They feel part of the overall success and appreciate the financial rewards of their hard work and dedication.

Keep positive!

Scott Arnett
scott.arnett@charter.net

1 comment:

  1. I find most employees are honest, hard-working, and dedicated. There are those few bad apples, and yes, it only takes one. I think companies do need to make more of an effort around employee satisfaction, happiness and rewards. Employees are supposed to be their biggest asset, right? Knowledge is power? Most companies have lost the human touch and some need a management change or go out of business.

    I like your blog and always find something of value. Thank you.
