Fear of insider threats hits home

IT security technology soaks up a lot of the security budget, but companies are starting to see that the insider threat posed by employees is just as important

The more money that companies spend on securing their IT operations from external attack, the more it seems they become aware that the potential threat posed by their own employees remains their most significant risk.

A new study published by consultants Deloitte on Tuesday finds that financial services companies -- among the most advanced and deep-pocketed consumers of security technologies in the world -- are still struggling with the concept of handling the insider threat issue despite all the cash they're dropping on security technologies.

In the survey of 100 global financial services firms, Deloitte found that 91 percent of those questioned were concerned about their inability to respond to insider threats, while 79 percent were willing to cite "the human factor" as the root cause for a majority of their security issues.

Despite that and all the different types of security tools companies have adopted, the survey found that 22 percent of the companies interviewed hadn't provided any new security training to their workers in the past year, and only 30 percent indicated a belief that their current employees were skilled enough to respond to an emerging security crisis.

The apparent lack of faith in their ability to control the insider threat shows that many businesses are aware that they are only just beginning to tackle the problem, report authors said.

"The contradictory findings highlight the security paradox financial institutions are facing," Mark Steinhoff, leader of the firm's financial security and privacy services practice, said in the report. "Security training and awareness, along with access and identity management -- of employees, clients, and suppliers alike -- are among organizations' top initiatives this year as they fight to keep pace with the ever-changing threat landscape."

Beyond training, more companies are also enlisting the help of additional security systems aimed specifically at thwarting internal attacks and preventing mistaken data breaches.

In addition to tools that offer the ability to track IT systems usage more comprehensively -- and create electronic paper trails that give forensics experts a string of clues when investigating any misbehavior or mistake -- enterprise organizations claim that they are also blending physical and IT security to stay abreast of what their workers are up to.

"We've been putting cameras on all entrances and exits, looking at using badge numbers for tracking purposes, and keeping a closer eye on what people are doing and where they are going," said Adam Le, director of IT infrastructure at Alliance Imaging, a healthcare testing specialist. "We're also contemplating things like fingerprint scanners and other biometrics and looking at encrypting all data at rest on laptops."

Companies walk a fine line in balancing the need to watch over their workers for security purposes and becoming too intrusive, the expert admitted. However, Le said that with businesses like Alliance facing mounting pressure from regulators to lock down every piece of patient data they record, employees must understand that the process is about protecting the firm and not about assessing personal work habits.

In another effort to deal with the insider threat, Alliance, which provides outsourced medical imaging capabilities to hospitals and other healthcare organizations, has added new user authentication and monitoring tools made by ConSentry to its IT environment.

By increasing security for remote workers and giving the firm a more detailed roadmap of file access activities carried out by its employees and customers, Le said he believes Alliance is finally getting ahead of the insider problem and arming itself with a way to keep everyone honest.

One of the most significant issues the company has dealt with in the past is efforts by insiders to view the records of famous or high-profile patients, activities that are directly at odds with the Health Insurance Portability and Accountability Act medical data protection regulation.

In some cases, the incidents have been the result of mere nosiness, while in others, the firm suspects that workers may have been looking to share sensitive data with outsiders for a profit.

Le said that, having conducted both technological and physical penetration tests on its operations, Alliance feels it is making the right moves to address the issue by augmenting its operations in this way.

"With the threat of data theft for identity fraud or to get information on our high-profile customers, we had to work to get a better picture of who was accessing what files," said Le. "Since putting the tools in place, we've been able to track people down when they do something wrong, and I think that type of response travels among workers by word of mouth; overall those types of issue have almost disappeared now that people know that their activities will be monitored."

Data leakage prevention tools become more popular

Another angle on preventing insider data breaches is being pursued via the use of so-called DLP (data leakage prevention) tools.

At WebEx, the well-known online conferencing applications vendor, Security Engineering and Operations Manager Mike Machado said that the company is using advanced DLP technologies made by Reconnex to ensure that workers aren't walking out of the building with the company's next big idea.

"Up until now, we didn't have anything in place that could capture everything that goes over the wire, but the ability to use technology to do this type of testing, versus doing sampling in the past, has given us a much clearer picture of where data is going on the network and who is touching it," Machado said.

"Most of the incidents we find today are people unaware of policies; it's only occasionally that we find something malicious, but typically the result is a simple behavior discussion, and that's helping people expand their own understanding of what they should or shouldn't do," he said.

Another advantage to using DLP to keep an eye on all the data being transmitted out of WebEx's network is that the tools serve as another proof point to show external auditors when those groups are testing to see if the firm is employing comprehensive information protection.

Perhaps the best use case for the technology yet, however, came when WebEx used the tools to catch an employee attempting to participate in a malware-distribution ring.

In addition to siding with the malware gang, the employee had also agreed to allow the group to use excess WebEx network capacity to harbor potential attacks -- a problem that would have reflected poorly on the entire company had it been discovered and publicized, said the expert.

"It's taught us that a lot goes on that we didn't know about and verified things we suspected. Overall, it's been a valuable tool for detecting problems and putting us in position to prevent bigger problems down the road," Machado said. "In the rare case we find something to investigate, the technology gives us a much more credible case."

The tools have also proven useful for helping WebEx's IT security team build closer ties with the company's traditional security unit, which has helped the firm coordinate efforts to look for suspicious employee user behavior and policy violations.

"Because we were able to help them shed light on some valuable issues, the technology has really closed the loop in that sense," Machado said. "The relationship wasn't always very good, but now, they're willing to be more forthcoming with us, and we can rely on each other more to reach our common goals, which is a big advantage."

Some experts contend that companies will spend the next several years loading up on technologies that can help control insider threats now that they have invested so heavily in network defense protections.

Brian Contos, chief security officer at ArcSight, an IT security management specialist, said that businesses must consider the insider problem as a dynamic, ever-changing issue, much like protecting against malware, if they hope to stay ahead of major incidents.

"The network security side of things has increased at a much faster rate, but it's still the Wild West to a certain extent inside many large companies when it comes to protecting applications, databases, and other systems with a lot of rich data stored in them," said Contos, who previously authored the popular insider threat tome Enemy at the Watercooler.

"To be successful, you can't ever be more concerned with internal or external threats. In reality you have the very real chance for either type of attack on a daily basis," he said. "The vast majority of employees, almost all, are not malicious, but you have to constantly watch for that one person who obtains employment deliberately to cause harm or who becomes disgruntled and decides to use what they know against you."