Employees with access to sensitive data remain a critical security vulnerability - but there are practical steps for addressing the issue from within.
The Edward Snowden leaks highlighted that if the NSA can have its sensitive documents stolen by an employee, anyone can. According to the 2015 Vormetric Insider Threat Report, 89% of global respondents felt that their organisation was now more at risk from an insider attack with 34% saying they felt very or extremely vulnerable.
According to corporate security firm Espion, while the frequency of cyber incidents is on the rise, hackers trying to gain access to critical information are not always to blame, with insider involvement remaining a significant problem.
The methods used to transfer data can include uploading to online network storage, email transmission, storage on local media including USB memory sticks, CD’s or DVD’S and other data exfiltration methods. The information sought by hackers is multifaceted and varied and depending on the nature of the target’s business can include; intellectual property, financial information, customer or client related information, project plans, business presentations, blueprints and personnel details.
'Insider abuse is more difficult to detect, as the perpetrators often have legitimate access to sensitive data and removing it may go completely unnoticed,' said senior Espion consultant John Hetherton, commenting on incidents of security breaches from within organisations. 'Whether opportunistic or disgruntled with their employers, the threat from the inside becomes more serious, as these employees have access to the company’s best kept secrets and insider knowledge of security weaknesses.'
'Insider attacks can cause significant damage to companies and the consensus indicates that as workers become concerned for their futures, the likelihood of an insider attack increases.'
With that in mind, Espion offers twelve tips for addressing the issue from within:
Ensure that organisational policies are unambiguous regarding the classification and protection of information. Policies should stipulate controls commensurate to the value of the information; the more valuable the information the more rigorous the controls. These controls should state protection measures for information at rest and in transit.
All staff should sign confidentiality and non-disclosure agreements when joining the organisation.
Where BYOD is an option, the organisation should implement technical controls, protecting company information which may be held on personal devices.
Know exactly where all the organisation’s key information is stored and how that information may legitimately enter and leave those repositories.