Tips for Dealing with Insider Security Threats
"People are our greatest asset," is a common corporate mantra. In many effective organizations, this is certainly true. I’m sure you’ve seen other organizations, however, where unfriendly sales clerks, consultants, temps, or help desk personnel certainly are not the organization’s shining points. Don’t get me wrong. I like people, for the most part. However, it’s important to realize that employees can cause the biggest damage to an organization. In the security business, insiders are often the biggest risk to sensitive information and important computer systems. Reports of actual incidents consistently show that insider attacks not only outnumber external attacks, but their damage costs victims even more. While companies often spend a great deal of time and money preventing attacks from outsiders, many ignore these threats from the malicious insider.
These insiders include employees, consultants, contractors, and temps, as well as close-knit business partners. Insiders are the greatest risk because they have detailed knowledge of the information technology systems in an organization and can wreak the most havoc when they want to. The knowledge they need to do their jobs also lets insiders know how to hit an organization where it hurts. They could steal, delete, or alter sensitive information or otherwise sabotage systems. With the economy sputtering and layoffs mounting, a large segment of many companies’ employee population is in a disgruntled state. At the same time, as companies cut back on full-time employees, the use of temporary workers is increasing. This environment represents a dangerous mix from a security perspective.
What can you do to minimize the threat posed by insiders? Here are some tips for handling the insider threat based on what I’ve seen in many highly effective organizations:
When temporary employees leave, disable their user accounts on your computer systems immediately! I’ve seen numerous companies where, ironically, it’s much easier to revoke accounts from terminated full-time employees than it is to revoke them from temps. Many organizations just don’t manage computer access by temps as carefully as they do for full-time employees. It’s just as important, and perhaps more so, to have a carefully defined policy and process for creating and disabling computer accounts for temps. Your policy should emphasize the importance of removing temp accounts. Your process must clearly define whose responsibility it is to initiate the removal of a temp’s access, as well as who actually removes the access. Furthermore, you should conduct periodic assessments of accounts to make sure that any old, unused accounts for temps are disabled.
Do not use a single shared logon account for multiple employees. Using a shared account limits a company’s ability to trace actions back to a single person during an investigation. Many organizations use shared accounts for temps because they are on a job for only a short time and will quickly be replaced by someone new who needs the same level of access. It is critical to delete the earlier temp’s account and create a new account, with a different password, for the new temp. I’ve been involved in investigations in which a single temp account was used by a dozen or more people over time, without any password changes. In one incident, a temp who worked in an organization over a year ago was still remotely accessing the company to browse sensitive files.
In your corporate security policy, explain that all use of corporate computers and networks is subject to monitoring. When your users log into any of your computer systems, make sure they are automatically presented with a warning banner saying that all use of this corporate asset may be monitored. Whenever new employees start a job, make sure they get a copy of the policy and review it before they start working. These actions will help you not only increase awareness, but they also build a better legal case if you ever have to terminate or prosecute an employee for misuse of corporate computer assets.
Apply the principle of least privilege; give employees access to only the computers and files that their jobs require. Additional access privileges beyond the minimum required for their job can only lead to trouble. If a given insider, a temp for example, shouldn’t be able to view sensitive financial data, make sure that the data the temp works with isn’t loaded on the same server as the sensitive data. If it is, carefully implement access controls to block access by unauthorized personnel.
Activate logging and intrusion-detection systems on sensitive internal computers and networks. These tools can give you a very helpful "heads up" that something may be awry as an employee tries to access systems or data that should be off-limits. Of course, logs are useful only if someone reviews them, so make sure that your log review procedures are in place and followed. Most companies monitor their Internet-facing systems very carefully but drop the ball when monitoring their internal systems. You should monitor highly sensitive computers and networks, such as those associated with mergers and acquisitions, human resources, payroll, legal, and corporate officer communication.
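To make the log review concrete, here is an added example (written for this column, not the author's own tooling) of the kind of checks a review procedure would run over authentication logs from sensitive internal hosts. The log format, host names, account names and the per-host authorized-user lists are all constructed for the illustration. It flags three of the situations described above: a terminated temp's account still logging in, an account that is not on a sensitive host's authorized list trying to reach it (successful or not), and one account used from many different source addresses, which is what a shared temp logon looks like in the logs.

```python
"""Review constructed authentication log lines for insider warning signs.

Added example, not code from the original column. The log format
(timestamp followed by key=value fields), the hosts, the accounts and the
authorized-user lists are assumptions made for this illustration.
"""
from collections import defaultdict

# Constructed sample log (not from a real system).
SAMPLE_LOG = """\
2024-03-01T08:02:11 host=fileserv1 user=jdoe src=10.1.5.20 result=success
2024-03-01T08:03:40 host=fileserv1 user=tmp_acc05 src=10.1.5.31 result=success
2024-03-01T08:05:02 host=fileserv1 user=tmp_acc05 src=10.1.5.44 result=success
2024-03-01T08:06:19 host=fileserv1 user=tmp_acc05 src=10.1.5.57 result=success
2024-03-01T09:10:00 host=hr-payroll user=jdoe src=10.1.5.20 result=success
2024-03-01T09:12:30 host=hr-payroll user=tmp_acc05 src=10.1.5.31 result=failure
2024-03-01T22:41:07 host=ma-docs user=tmp_acc01 src=203.0.113.9 src_type=vpn result=success
"""

# Accounts that HR/the account owner reports as terminated (assumed list).
TERMINATED = {"tmp_acc01"}

# Sensitive hosts and the only accounts allowed to touch them (assumed lists).
SENSITIVE_HOST_ACL = {
    "hr-payroll": {"jdoe", "pay_admin"},
    "ma-docs": {"cfo", "legal1"},
}


def parse_line(line):
    """Turn 'TS k=v k=v ...' into a dict; unknown keys are kept as-is."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def review_log(text, terminated=TERMINATED, acl=SENSITIVE_HOST_ACL, shared_threshold=3):
    """Return a list of findings, each a dict with rule, user, host, ts, detail."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    findings = []
    sources = defaultdict(set)  # user -> distinct source addresses seen
    for ev in events:
        user, host = ev["user"], ev["host"]
        sources[user].add(ev["src"])
        # Rule 1: a terminated account that still gets in.
        if user in terminated and ev["result"] == "success":
            findings.append({"rule": "terminated-account-login", "user": user,
                             "host": host, "ts": ev["ts"], "detail": f"from {ev['src']}"})
        # Rule 2: anyone not on the host's list reaching a sensitive host,
        # including failed attempts, since the attempt itself is the warning.
        if host in acl and user not in acl[host]:
            findings.append({"rule": "off-limits-host-access", "user": user,
                             "host": host, "ts": ev["ts"], "detail": ev["result"]})
    # Rule 3: one account used from many places at once looks like a shared logon.
    for user, srcs in sources.items():
        if len(srcs) >= shared_threshold:
            findings.append({"rule": "possible-shared-account", "user": user,
                             "host": None, "ts": None,
                             "detail": "sources: " + ", ".join(sorted(srcs))})
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f['rule']:26} user={f['user']:10} host={f['host']} {f['detail']}")
```

On the constructed log this produces four findings: the failed attempt by tmp_acc05 against the payroll host, the VPN login by the terminated tmp_acc01 to the M&A document server (reported both as a terminated-account login and as off-limits access), and tmp_acc05 appearing from three different addresses in a few minutes. The thresholds and lists are deliberately simple; what matters is that the output lands in front of a person on the review schedule your procedure defines.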
While these tips for dealing with insider threats are certainly not trivial, they can help save an enormous amount of time, money, and embarrassment that could result from a major insider attack. By exercising careful diligence, you can defend your critical information assets from inside attackers!