The insider threat has always existed, but in an era of economic upheaval and uncertainty, the problem is only magnified.
A recent Ponemon Institute LLC survey of 945 people who were laid off, fired or quit their jobs during the past year found that 59 per cent admitted to stealing company data, and 67 per cent used their former companies’ confidential information to leverage a new job.
How far should IT managers go to protect corporate data?
“There’s a balance,” says Max Reissmueller, senior manager of IT operations and infrastructure at Pioneer Electronics USA Inc. in Long Beach, Calif. “I wouldn’t want managers coming to me to keep an eye on a particular employee, wondering what they are doing every minute.”
At the same time, Pioneer is determined to protect its intellectual property, customer-service lists and other sensitive data.
“I don’t want a disgruntled employee trying to take a bunch of information,” Reissmueller says.
That’s a main reason the company has installed network access-control gear to monitor traffic to the “crown jewels,” to keep an eye on whether employees are trying to overstep their authority.
Using a ConSentry switch and network access-control product, Pioneer will watch for patterns that might reveal wrongful behavior and block it. “But I don’t want my security staff to become Big Brother,” Reissmueller says.
All it takes is a data-leakage case to compel organizations to beef up their monitoring.
The University of Arizona went through a few data-leak imbroglios in which it had to make public notification about exposed personal data, says Eric Case, information security officer there.
That induced the university’s information and security office to kick off a program that involved making sure that faculty and staff there weren’t leaving sensitive data lost and forgotten in computers.
To determine that, the university has deployed data leak prevention freeware called Spider, which can look into a targeted machine to see if it’s holding data that shouldn’t be there, so that the data can be either deleted or moved to a more secure server.
Although the security staff did explain in depth what it was up to, “we had a couple of people freaked out because we were looking at their files,” Case says, speaking about the topic at the recent Infosec World conference in Orlando.
“They were upset.”
But after calming people down, the data leak prevention process had to proceed because “we know we have data all over the place,” Case says. “Have we reduced our threat surface? Quite a lot.”
Rick Haverty, director of IS infrastructure at the University of Rochester Medical Center in New York, says laws and regulations his organization must abide by regarding patient health care information leave no choice but to confront instances in which it appears that employees may have broken rules.
One concern is an employee taking a sneak peek at someone’s medical records without cause.
“People have been fired for this,” he notes, adding that the start of an investigation usually involves a complaint about someone gossiping about a patient’s medical circumstances.
An investigation would generally involve examining log records to determine whether inappropriate access to records may have occurred.
Gartner Inc. analyst John Pescatore says the key word to think about is how “closely” to monitor employees.
“There is definitely a requirement to monitor critical business data leakage from employees and a requirement to monitor what comes into their PCs to prevent malware,” Pescatore says. “However, in the real world, there is less of a need to monitor every action a user takes, block them from every Web site that is not work-related or try to keep them from using their work PC for anything but work, or keep them from using their home PC for work.”
The trend toward work/home mixing is under way, he points out, and “security can’t stop this any more than it could stop the Internet, wireless LANs or other previous trends.”