Subscribe
About

Beware of the user

Most internal security breaches are the fault of bunglers rather than fraudsters.
Guy Golan
By Guy Golan, MD of New Generation Solutions.
Johannesburg, 02 Jul 2008

When companies look at ways of protecting their networks, systems and data from internal security breaches, it's the danger posed by employees with malicious intent that usually is at the front of their minds.

That's hardly surprising, considering that barely a week goes by without another high-profile internal security breach hitting the headlines. In the most dramatic cases - such as the Soci'et'e G'en'erale rogue trader incident - the damage caused by a malicious internal security breach can amount to millions or even billions of dollars.

Yet, in reality, most companies face more risk that an employee will unwittingly allow a critical piece of business information to fall into the wrong hands.

According to the latest studies from organisations such as CERT, up to 85% of all security breaches originate within the enterprise; of these, about 90% are thought to be accidental rather than deliberate in nature.

And although a single fraudulent incident can cost a company a frightening amount, accidental leakages of sensitive information are thought to accumulatively cost companies five times more than deliberate security breaches by outsiders.

Imagine, for example, an employee accidentally sending a customer you sometimes compete with a list of other customers and the discounts given to them; a careless HR employee distributing salary information to everyone in the organisation; or fraudsters getting hold of customer information that was allowed to leak out of the network.

Accidents will happen

Let's briefly consider what happens when sensitive data is leaked from an organisation by accident and who is usually responsible.

User profile: Just about anyone who has access to corporate data and systems can be responsible for an accidental security breach - from the most junior person in the admin department through to the CEO. In general, the user responsible for an internal security breach is a layperson rather than a technically sophisticated user.

Nature of breach: An accidental leakage is an unplanned incident that usually takes place as the end-user simply tries to do his job. Often, the user won't be aware that a breach has taken place, and even if he does, will not try to hide the breach from the forensics or IT departments.

Technology medium: E-mail is the most common culprit for accidental information leakages - it's all too easy to mistype the name of an intended e-mail recipient or to accidentally attach the incorrect file to an e-mail and send it to a person who shouldn't be seeing it. Occasionally, a user may also lose a notebook or a USB memory stick containing valuable company data.

Temptation factor

Many companies are making heavy investments in combating fraud, yet continue to ignore the risks posed by accidental information leakages

Guy Golan is MD of New Generation Solutions.

Now, let's turn to the deliberate or malicious internal security breach.

User profile: The user responsible for a deliberate attack on a company's systems or theft of sensitive information is usually a senior person or someone close to a powerful person in the company (a personal assistant to a director, for example).

Such a person will have privileged access to company systems, data and process. The malicious user will often have sophisticated understanding of the way that these systems and processes work, and where gaps can be exploited for personal gain. There is usually a strong temptation factor in fraud cases arising from internal security breaches - the person responsible sees a financially lucrative opportunity with little risk of being caught.

Nature of breach: A malicious security breach will generally be planned well in advance and the person responsible will use his knowledge of IT systems and the company's processes to cover his tracks.

Technology medium: Malicious users will use whatever tools seem best for their goals, whether the goal is to pull off a financial transaction or to steal a piece of intellectual property. Encrypted e-mails, HTTP, print-outs, faxes and USB memory sticks are just few examples of the tools the malicious user may make use of to sneak information out of the company's property.

Rethinking approaches

In light of the risks that companies face from accidental leakages of valuable corporate information, enterprises should be rethinking their approach to internal security. Many companies are making heavy investments in combating fraud, yet continue to ignore the risks posed by accidental information leakages.

A sophisticated solution to combat fraud by internal users of a company's IT systems can cost between R5 million and R50 million. Such a solution will not usually be up to the task of picking up when sensitive information is leaking out of the enterprise as a result of an oversight or error by an employee.

By contrast, a full-featured data loss prevention (DLP) solution may cost as little as R500 000 to R5 million and will protect an enterprise against unauthorised leakages of information, irrespective of whether someone is deliberately abusing their access to privileged information or whether someone is exposing sensitive data by accident.

Future Industry Insights in this series will look at the components of a DLP solution and best practices for rolling out DLP in the enterprise.

Ultimately, a good solution will govern who has privileged access to company data and systems as well as what they have access to, stopping any information in its tracks before it ends in the hands of an unauthorised user. Whether the attempted breach was deliberate or accidental is a matter for the forensics department.

Good corporate governance dictates that companies protect themselves against internal information security risks. Whether these are deliberate or accidental in nature, the potential outcomes are the same: damage to the company's brand and reputation, loss of revenue, and exposure to the threat of litigation.

* Guy Golan is MD of New Generation Solutions.

Share