When we think about information security breaches, it’s easy for thoughts of pimple-faced cyber criminals and technical hacking mumbo jumbo to fill our minds. But it’s not quite that complex. In fact, there’s a higher-level information security problem going on inside practically every organization, big or small, that makes the technical security issues seem minuscule.
The problem is the very people entrusted to make our organizations and businesses successful – employees, contractors, and the like – committing acts of computer fraud for ill-gotten gains.
Based on recent studies, employees and other insiders are doing a lot of bad deeds electronically. From selling corporate secrets, identity theft, or simply deleting files out of spite for their employers, many insiders privy to sensitive information are indeed taking away more than they’re contributing.
Most insider incidents go unreported due to unwanted publicity and fear of legal repercussions. According to the 2005 U.S. Secret Service/CERT Insider Threat Study, the majority of insiders who committed sabotage against their employers:
Were technical staff members (86%);
Had authorized system access less than half the time they committed fraud;
Were accessing systems remotely most of the time;
Compromised computer accounts, created backdoor accounts for future use, or used shared accounts during their system breaches.
It’s not just techie types committing fraud and sabotaging their employers and former employers. Many cases involve the average white collar worker with little to no computer knowledge. With the happy-clicky-GUI interfaces of today’s operating systems and readily-accessible Internet resources on how to do anything on a computer, it doesn’t take much to become proficient.
In addition, other studies have emerged recently highlighting the fact that insiders threaten practically every organization that employs more than just a couple of people, such as:
The Association of Certified Fraud Examiners’ 2004 Report to the Nation on Occupational Fraud and Abuse;
The CSI/FBI Computer Crime and Security Survey;
The Privacy Rights Clearinghouse Chronology of Data Breaches Reported Since the ChoicePoint Incident in February 2005.
The results from these surveys are astonishing. Looking beyond the criminal mind and lack of personal responsibility, the underlying supporting factor can be attributed to a myriad of business process weaknesses – most insider attacks are enabled by oversight and lack of solid security policies and procedures. I come across many of these issues in my security assessment work. Easily two-thirds of the business risks I see involve high-level business processes – not technical vulnerabilities associated with poorly-written software, firewalls, and encryption that are used as scapegoats. In fact, the majority of the weaknesses I see are most easily exploitable by (and exploited by) employees and other informed insiders. Here are some of the dirty deed scenarios I’ve come across recently:
Employees transferring sensitive information outside the network via email;
Contractors removing hard drives from “salvaged” or inactive computers and taking them home or selling them without properly wiping sensitive information;
Average users performing network administration tasks on their own computers and network servers such as adding unauthorized users, escalating their own privileges, installing hacking and cracking tools, and more;
Untrained employees intentionally (and often unintentionally) deleting or otherwise corrupting critical information in network files and database systems;
Anyone with network access using text search programs to look for sensitive information in text files across the network (a major vulnerability).
These problems can be hard to detect, especially when so many trusted insiders can carry them out. Further complicating matters, and as the Insider Threat Study mentioned above notes, employees are endangering corporate assets and personal information from home, coffee shops, or wherever they’re telecommuting from. Such physical absence makes it even more difficult to detect and properly respond to insider shenanigans.
Executives and business managers – especially those who are disconnected from IT – think that information security is not a business problem worthy of their radar. If only I had a penny for every time I’ve heard “we can’t really place a dollar value on our information” or “nobody wants what we have” and even “my employees wouldn’t do anything like that”!
Whether people want to bury their heads or want to focus their time, money, and resources on other business tasks, the proof’s in the proverbial pudding and changes need to be made. It only takes one rogue, curious, or unhappy insider to create major problems and you can bet it’s happening – all the time.
This is not just a regulatory compliance issue or in the best interest of the business – it’s also the right thing to do in order to protect client and employee information and help prevent the world’s worst information security problem – identity theft.