Five steps security managers can live by in protecting sensitive company data from desperate employees tempted to steal secrets.
By Mark Fullbrook
According to figures released in June by the Office for National Statistics, the redundancy total for the three months to April 2009 stood at 302,000 – that’s up 36,000 over the quarter and 191,000 across the year. In fact, it’s the highest figure since comparable records began back in 1995.
However anxious these times may be for employees, with many of them nervously looking round to see where the axe will fall next, employers should not be complacent and expect loyalty in return for a regular pay packet. In fact, the opposite could well be true. As the saying goes: ‘Desperate times call for desperate measures’.
In a recent Cyber-Ark survey entitled ‘The recession and its effects on work ethics’, carried out among 250 office workers in London’s busy Canary Wharf, a staggering 60% admitted they would take valuable data with them (if they could get away with it) were they faced with redundancy or the sack.
Remarkably, 40% confessed to having already snooped around the networks and downloaded sensitive company secrets from under their boss’ nose in anticipation that they could lose their job.
What’s top of the list to be stolen?
Top of the list of desirable information to steal is customer and contact databases, with plans and proposals, product information and access/password codes all popular choices that have a perceived value. That value is either monetary, to an unscrupulous third party, or as a negotiating tool in securing a new position.
In a separate Cyber-Ark global survey – this time conducted under the title ‘Trust, Security and Passwords’ – involving more than 400 senior IT professionals both in the US and UK (most of them from enterprise class companies), 35% admitted to accessing corporate information without authorisation.
The types of information this audience would target were proprietary data and information that’s critical to maintaining competitive advantage and corporate security. Ominously, one-in-five companies confessed to having experienced cases of insider sabotage or IT security fraud.
When staff steal data and engender a security incident, it tends to be filed away as an example of an ‘employee gone bad’. In reality, it constitutes a failure of the organisation to uphold its responsibility on behalf of the business to manage, control and monitor the power it provides to its employees and systems, or indeed to have any controls in place at all to stop staff from causing breaches.
The failure stems from the ‘perception of control’ an organisation has over its most sensitive networks, systems and devices versus the stark reality that this control is most often not in place across the organisation.
What, then, can be done to protect sensitive data from an increasingly unsettled – and to some extent desperate – workforce?
Trust is not a security policy
To significantly cut the risk of these insider breaches, employers must have appropriate systems and processes in place to stop prying personnel.
One way to address this challenge is a holistic approach to privileged identity management, using solutions such as digital vaults. These are particularly valuable for users with high levels of enterprise/network access as well as those handling sensitive information and/or business processes.
Instead of trying to protect every facet of an enterprise network, digital vault technology creates safe havens – distinct areas for storing, protecting and sharing the most critical business information – and provides a detailed audit trail for all activity associated with these safe havens. This then encourages secure employee behaviour and significantly reduces the risk of human error.
For organisations serious about preventing internal breaches, be they accidental or malicious, there are five steps you can employ to protect company data from desperate employees tempted to steal secrets for gain.
Step 1: Establish a safe harbour
By establishing a safe harbour – or vault – for highly sensitive data (such as administrator account passwords, Human Resources files or intellectual property including corporate databases), security is built directly into the business process independent of the existing network infrastructure. This will help protect the data not only from nosy employees snooping around for information they should not be privy to, but also from hackers.
A digital vault is set up as a dedicated, hardened server that provides a single data access channel with only one way in and one way out. It’s protected with multiple layers of integrated security including a firewall, VPN, authentication, access control and full encryption. By separating the server interfaces from the storage engine, many of the security risks associated with widespread connectivity are removed.
Step 2: Automate privileged identities and activities
Ensure that privileged administrative and application accounts (as well as their underlying passwords) are actively managed, secured, changed regularly, highly guarded from unauthorised use and closely monitored. This includes full activity capture and recording.
Once these privileged identities are being managed, make sure to proactively monitor and report actual adherence to the defined policies. Also, adopt the well-accepted security maxim of ‘Trust, but verify’. This is a critical component in safeguarding organisations. It helps to simplify audit and compliance requirements, as companies are able to answer questions associated with ‘who’ has access and ‘what’, exactly, is being accessed.
Step 3: Identify all of your privileged accounts
The best way to start managing privileged accounts is to create a checklist of operating systems, databases, appliances, routers, servers, directories and applications throughout the enterprise.
Each target system typically has between one and five privileged accounts. Add them up and determine which area poses the greatest risk. With this data in hand, organisations can easily create a plan to secure, manage, automatically change and log all privileged passwords.
Step 4: Secure embedded application accounts
Up to 80% of system breaches are caused by internal users, including privileged administrators and power users who accidentally or deliberately damage IT systems or release confidential data assets.
Many times, the accounts leveraged by these users are the application identities embedded within scripts, configuration files or an application. The identities are used to log into a target database or system. The fact that these credentials are traditionally hard-coded, stored in clear text and usually never changed is often overlooked within a traditional security review.
Even if located, the account identities are difficult to monitor and log because they appear to a monitoring system as if the application (not the person using the account) is logging in.
These privileged application identities are being increasingly scrutinised by internal and external auditors, especially during PCI- and Sarbanes-Oxley driven audits, and are becoming one of the key reasons that many organisations fail compliance audits.
Therefore, organisations must have effective control of all privileged identities – including application identities – to ensure compliance with audit and regulatory requirements.
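As an added illustration (not part of the original article and not any vendor's tooling), the following sketch shows how a security review could locate the hard-coded, clear-text application credentials described in Step 4 and tie each one to an account name for the inventory in Step 3. The function names, patterns and sample files are all constructed for this example, and the secret is masked so that the report itself can be shared.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str      # "assignment" or "connection-string"
    account: str   # account the secret belongs to, "" if not recoverable
    redacted: str  # offending line with the secret masked, safe to report

# key = value or key: value, where the key names a credential field
ASSIGN = re.compile(
    r"\b(?P<key>[\w.-]*(?:password|passwd|pwd|secret)[\w.-]*)\s*[=:]\s*"
    r"(?P<q>[\"']?)(?P<val>[^\"'\s;]+)(?P=q)", re.I)
# scheme://user:password@host, the usual database URL form
CONN = re.compile(r"\w+://(?P<user>[^:/@\s]+):(?P<val>[^@/\s]+)@")
# user = value, remembered so an assignment finding can name its account
USER = re.compile(r"\b[\w.-]*user(?:name)?\s*[=:]\s*[\"']?(?P<user>[^\"'\s;]+)", re.I)
# Values resolved at run time (environment variable, template, placeholder)
REFERENCE = re.compile(r"\$|\{\{|%\w+%$|<[^>]*>$")

def is_literal(m):
    # Run-time references and unquoted expressions (os.environ[...]) are not literals
    if REFERENCE.match(m["val"]):
        return False
    return bool(m.groupdict().get("q")) or not re.search(r"[(\[]", m["val"])

def scan_text(path, text):
    findings, account = [], ""
    for no, line in enumerate(text.splitlines(), 1):
        if (u := USER.search(line)):
            account = u["user"]
        for kind, rx in (("connection-string", CONN), ("assignment", ASSIGN)):
            m = rx.search(line)
            if m and is_literal(m):
                who = m["user"] if kind == "connection-string" else account
                masked = line[:m.start("val")] + "****" + line[m.end("val"):]
                findings.append(Finding(path, no, kind, who, masked.strip()))
                break
    return findings

# Constructed sample files, not taken from any real system
SAMPLES = {
    "backup.sh": 'DB_USER=backup_admin\nDB_PASSWORD="Summer2009!"\n',
    "app.properties": "db.username=orders_app\ndb.password=${VAULT_DB_PASS}\n",
    "report.ini": "url = postgresql://report_svc:Welcome1@db01.example.internal/sales\n",
}

def scan_all(files):
    return [f for path, text in files.items() for f in scan_text(path, text)]
```

Run over the samples, the scan reports the literal password in backup.sh and the one inside the report.ini connection string, and passes over app.properties because its value is resolved at run time rather than stored in the file.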
Step 5: Avoid bad habits
To better protect against snoopers, organisations must establish Best Practice for securely exchanging privileged information. For instance, employees must avoid bad habits (such as sending sensitive or highly confidential information via courier).
IT managers must also ensure they educate employees about the need to create and set secure passwords for their computers instead of using sequential password combinations or their first names. We don’t want to make life easy for would-be thieves.
The risk of internal data misuse from snoopers can be significantly mitigated by implementing effective policies and technologies. In doing so, organisations can better manage, control and monitor the power they provide to their employees and systems and avoid the negative economic and reputational impacts caused by an insider data breach.
It would be unthinkable to leave money on a desk. That’s an obvious temptation to anyone passing by. Instead it’s always safely locked away. The time has come for companies to give sensitive information and key systems the same consideration. As always... ‘Trust... but verify’.
Mark Fullbrook is the UK director of Cyber-Ark Software