The “Year of the Insider Threat?”

What typically comes to mind when a person thinks of information security breaches is a sophisticated hacker maliciously using his or her technological manipulation skills to gain access to an organization’s information systems.  For the banking industry, this is similar to someone putting a mask on and robbing the bank.

However, perhaps partially due to the weakened economy and widespread concerns about job security, the threat of insiders—i.e. employees, vendors, or consultants—is a threat that is growing at an alarming rate.  This is similar to an employee pocketing money from a vault or from a cash register.

Statistics indicate that in 2008, the number of insider threats being realized skyrocketed.  Endpoint Security reports that out of all data breaches in 2008, insiders were responsible for 15.7% of them.  This is more than double the 2007 figure.  Logic would indicate that employees or consultants, fearing layoffs or due to other conditions of economic uncertainty, have more of a motive to compromise their own company’s systems and data.  BankInfoSecurity wonders if 2009 is the “Year of the Insider Threat” while offering advice on how to prevent insider threats from being realized.  In a whitepaper by Kevin Prince of Perimeter eSecurity, malicious insiders are identified as a “rising threat” and the biggest “network security threat of 2009.”

The threats are there and are largely unavoidable.  Every organization will have trusted insiders who have access to information and therefore have the capabilities to compromise that information.  However, there are many ways to control the risks associated with malicious insiders. 

Limiting access to information to those with a clear need-to-know is a generally-accepted best practice, and making sure insiders are following this “need-to-know” as well as information security policies is also a simple but crucial mitigating control.  It may be worth considering software that inhibits a user’s ability to use data storage devices such as PDAs, flash drives, or CD-ROMs.  But constant attention and diligence towards information systems, including upgrading technologies in a timely manner and monitoring access logs for suspicious activity is necessary.

Preventing insider threats must be an enterprise-wide effort.  Background checks should be considered before hiring a person with access to sensitive information, and procedures regarding issuing and removing access should be written and followed.  Policies should be drafted about responding to an insider threat.  With information more portable than ever, enterprise-wide decisions should consider the feasibility of a data breach caused by a malicious insider, and trying to minimize the likelihood and impact of such an event happening should be a consideration in these decisions.

GraVoc Associates, Inc., based outside of Boston in Peabody, MA, is celebrating fifteen years of providing consulting services in the practices of information security, information systems, and professional and technical services.  GraVoc is committed to informing clients about the latest information security threats, and their information security team is willing to help your business achieve your compliance with regulations and keep your information safe.  For more information about the company, please visit www.gravoc.com or call the GraVoc offices at 978-538-9055.