The insider threat is the top security issue companies should be concerned about, say security experts from Plano, Texas-based Electronic Data Systems (EDS) Corp.
Confronting this threat requires a smart combination of technology and educational programs, they say.
The technology services company acknowledges the growing sophistication of the underground cyber-criminal community, but feels the story is over-played by the media.
Defending against employees who are either malicious or simply uninformed is equally important.
“There’s definitely a shift from hackers acting alone to within cyber-criminal organizations,” says Bryan Palma, vice-president of global information security at EDS. “But that story gets overplayed in the media because it is an attractive one.”
As a former U.S. Secret Service agent who investigated electronic crime, Palma is well aware of the threat landscape.
“The fact is someone internal can cause a lot more damage, and this is more often the case,” he says.
To rule out the possibility of an employee unknowingly compromising company security by bringing in malware on a portable media device, EDS runs an educational program. The course is not just freely available to employees, but a key part of their performance evaluation.
An annual mandatory security awareness course is updated as needed, and EDS employees must take it, says Dave Morrow, chief security and privacy officer.
“It won’t let you print your certificate until you complete the quiz and pass it,” he says. “So if there’s a group of employees out there who don’t take it, we’ll hound them until they do it.”
To complement the security certification program, EDS regularly posts information about the latest security issues to its intranet, or delivers it through mass e-mail. Managers are instructed to evaluate employees based on their knowledge of the information and on whether they actually practise the security measures.
“We’ve sent out a podcast message from Ron Rittenmeyer [EDS chairman], or a mass e-mail reminding people about identity theft and what they can do to avoid it,” Morrow says.
Multi-media interaction with their worldwide employee base is also a part of security at EDS, according to Peter Reid, chief privacy officer. A two-hour broadcast planned for later in May will focus on protecting confidential information and target sales and support staff.
For employees who miss the live broadcast, it is recorded and can be downloaded for viewing from the archive.
EDS security chief Bryan Palma.
But when the insider threat changes from an issue of education to an issue of stopping a determined employee with malicious intent, EDS relies on rigorous screening and technology to prevent sensitive data loss.
The first line of defence at EDS is a full-blown background check and drug test on employees entering the company, Morrow says. He is surprised the practice is not more widely used.
“We catch some people that really shouldn’t be coming in and turn them away,” he says.
Once employees get past screening, they are only given access to the data and applications they need to do their jobs.
“You don’t want a guy working the third shift in the datacenter looking at the payroll files,” Morrow says. “There’s no need for that.”
Data loss prevention tools are also at work auditing employee actions. One such application filters out e-mails containing credit card information or social insurance numbers that shouldn’t be sent out of the company.
The employee attempting to send the information receives an e-mail back informing them they shouldn’t be sending that information outside of the company.
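The outbound e-mail filter described above can be illustrated with a small content-inspection routine. This is an added example, not EDS's tool or code: it looks for credit card numbers and Canadian Social Insurance Numbers (SIN) in a message body, confirms each candidate with the Luhn check digit (both number formats use it) so that phone numbers and order references are not flagged, and blocks delivery only when a recipient is outside the company domain. The domain `example.com`, the sample message and the notice text are constructed for the example.

```python
"""Outbound e-mail DLP filter for card numbers and SINs (added example, not EDS's tool)."""
import re

# Assumption for the example: the company's own mail domain. Internal delivery is not blocked.
COMPANY_DOMAIN = "example.com"

# 13-19 digit card numbers with optional space/dash separators; 9-digit SINs in 3-3-3 groups.
# Digit lookarounds stop a match from starting or ending in the middle of a longer number.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SIN_RE = re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by card numbers and by Canadian SINs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits in any alert or log line."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(text: str):
    """Return (kind, masked_value) for each Luhn-valid card number or SIN in the text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(("credit_card", mask(digits)))
    for m in SIN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append(("sin", mask(digits)))
    return findings


def evaluate_message(sender: str, recipients, body: str):
    """Decide 'allow' or 'block'; only external delivery of flagged content is blocked."""
    findings = find_sensitive(body)
    external = [r for r in recipients if not r.lower().endswith("@" + COMPANY_DOMAIN)]
    if findings and external:
        return "block", findings
    return "allow", findings


def notice_for(sender: str, findings) -> str:
    """Text of the bounce sent back to the employee (constructed wording)."""
    kinds = ", ".join(sorted({k for k, _ in findings}))
    return (f"To {sender}: your message was not delivered because it appears to contain "
            f"{kinds} data, which must not be sent outside the company.")


# Constructed sample message: one valid card number, one valid SIN (the Canadian
# government's published example 046 454 286), and a reference that fails Luhn.
SAMPLE_BODY = ("Please process card 4111 1111 1111 1111 for the client, "
               "SIN 046-454-286, ref 123 456 789.")

if __name__ == "__main__":
    action, found = evaluate_message("clerk@example.com", ["partner@mail.example"], SAMPLE_BODY)
    print(action, found)
    if action == "block":
        print(notice_for("clerk@example.com", found))
```

The Luhn step is what keeps the false-positive rate tolerable: `123 456 789` matches the SIN pattern but fails the check and is ignored, while the masked output means the alert itself never carries the full number into a ticketing system or mailbox.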
Another application at EDS monitors payroll files. It is important to track even the users that have the right to access such information, Morrow says.
“If you have legitimate access to payroll, that’s fine, but I still want to know what you’re doing with that data,” he explains.
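Monitoring what authorized users do with payroll data, as described above, comes down to running a few rules over an access audit log. The following is an added example, not EDS's monitoring application: it parses constructed audit records (timestamp, user, action, object, record count), and raises an alert for off-hours access, for export-type actions, and for any user whose total volume of payroll records in the window exceeds a threshold. The log format, field names, thresholds and business hours are all assumptions made for the example.

```python
"""Rule-based monitoring of authorized payroll access (added example, not EDS's tool)."""
from collections import defaultdict
from datetime import datetime

# Constructed audit log, one event per line: time,user,action,object,record_count.
# These are not real users or files.
SAMPLE_LOG = """\
2008-05-12T09:15:02,hr_clerk1,read,payroll/2008-05.csv,12
2008-05-12T09:40:11,hr_clerk1,read,payroll/2008-05.csv,8
2008-05-12T23:05:44,hr_clerk2,read,payroll/2008-05.csv,3
2008-05-12T14:02:09,hr_clerk2,export,payroll/2008-05.csv,4200
2008-05-12T10:30:00,hr_clerk3,read,payroll/2008-04.csv,20
2008-05-12T11:00:00,hr_clerk3,read,hr/policies.txt,1
"""

# Assumed policy values for the example.
BUSINESS_HOURS = range(7, 19)          # 07:00 to 18:59 local time
BULK_THRESHOLD = 500                   # payroll records per user per window
SENSITIVE_ACTIONS = {"export", "print", "copy"}
PAYROLL_PREFIX = "payroll/"


def parse_log(text: str):
    """Parse the CSV audit lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj, count = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "object": obj,
            "count": int(count),
        })
    return events


def detect(events):
    """Return (user, rule, detail) alerts for payroll access that merits a closer look.

    Access by itself is never an alert: these users are authorized. The rules only
    flag when, where-from or how much is unusual.
    """
    alerts = []
    per_user_volume = defaultdict(int)
    for e in events:
        if not e["object"].startswith(PAYROLL_PREFIX):
            continue  # only payroll objects are in scope
        per_user_volume[e["user"]] += e["count"]
        if e["time"].hour not in BUSINESS_HOURS:
            alerts.append((e["user"], "off_hours", e["time"].isoformat()))
        if e["action"] in SENSITIVE_ACTIONS:
            alerts.append((e["user"], "export", e["object"]))
    for user, total in per_user_volume.items():
        if total > BULK_THRESHOLD:
            alerts.append((user, "bulk_volume", total))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the sample, `hr_clerk1` and `hr_clerk3` read a normal amount of payroll data during the day and produce nothing, while `hr_clerk2` trips all three rules; in practice the volume threshold would be set from each user's own baseline rather than a single constant.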
Active Directory technology and encryption of data at rest and in transit also help to complete EDS' plan to prevent data loss from insider threats.
As a company responsible for a massive amount of data – possibly the most in the world – EDS, founded by Ross Perot in the days when IT was still in its infancy, now hopes to share the expertise it has developed in-house with more clients.
“We’ve got a huge base of expertise,” Palma says. “We’ve got people that have been doing security for 20, 30 years.”
With CIOs consistently listing data security among their top 10 issues and the market growing at a rate of 16 per cent annually, there is plenty of opportunity for EDS, the vice-president adds.
EDS is going to begin offering security services to clients as a stand-alone service, not as part of a package with IT outsourcing.
“This is a very exciting change,” Palma says.
It is also one more possible line of defence for companies worried about an insider threat compromising their sensitive data.