By Calum Macleod
Here I've been for years advising supposedly concerned Compliance Officers (COs) about the risks posed by their IT staff, or even worse their forex dealers, who are all petty criminals waiting to steal company secrets and misappropriate funds, and then, lo and behold, I walk into a company a few weeks ago and discover they've just fired their Compliance Officer. It was a minor indiscretion. He had simply accessed every contract that the company had, to ensure that the company was complying with all the relevant policies. Everyone was convinced that their CO was just doing his job in the diligent pursuit of internal evildoers, only to discover that he was being handsomely rewarded by the competition. After all, you can only lose so many deals and blame it on bad luck! He was the biggest evildoer of them all!
RISKY ASSUMPTION
It seems that it doesn't matter where you look these days: you can't trust anyone, and herein lies the crux of the problem faced by many organizations. They assume that their employees can be trusted not to do something stupid, or that their employees can be trusted because they're all basically honest. Unfortunately it's the honest ones who are most often the victims, and very often it is an organization's failure to grasp the magnitude of the damage one dishonest or careless employee can cause that results in the disasters we keep hearing about. Whether it's careless employees working for the government or unscrupulous employees working in the financial sector, the end result is the same.
ACCESS CONTROL
Every organization today, no matter how small or large, needs to ensure that privileged access to systems is controlled and that confidential data is secure. A key factor in this is ensuring that people in positions of responsibility understand what they're doing. The CISO of a UK Fortune 100 company who stated that the M&A data about planned acquisitions was secure because the server was in the boardroom may not be typical of CISOs, but it only takes one idiot to give you all a bad name -- or, for that matter, one Compliance Officer on the take to have every Compliance Officer labeled as a crook. Physical location of a server says nothing about who can log on to it over the network or who holds its administrator credentials.
DATA SECURITY
The lack of sufficient internal controls results in data breaches, denial of service attacks, and compliance review failures. The key areas of vulnerability are privileged-user access controls both inside and outside the network, confidential data exchange via public networks, and securing highly sensitive data inside the network. The insider threat is the #1 security risk for enterprises today, primarily because insider incidents perpetrated through system administrator or other privileged account access are, by this account, responsible for nine out of ten breaches of data security.
LEAKING INFORMATION
Information leaks of all kinds are occurring with increasing frequency today within some of the largest and most important organizations and enterprises. These breaches, whether inadvertent or part of a coordinated attack, release highly sensitive information into the wider market, where it is used to damage the originating organization's business, competitiveness and reputation, and they also significantly affect the privacy and confidence of its customers, partners and vendors.
SOLUTIONS
Common solutions such as physical mail (CDs in the post, for example), e-mail or FTP suffer from several disadvantages. Distributing vast numbers of documents by mail is cumbersome and hard to track. FTP is neither reliable nor secure: plain FTP sends the user name, password and file contents in cleartext, so anyone who can see the traffic can read all three. E-mail solutions, including encrypted e-mail, are also not reliable because they depend on the recipient's e-mail infrastructure. Large files or encrypted files often fail e-mail security policies and bounce back. Organizations need global accessibility and connectivity while maintaining security.
DATA PROTECTION TIPS
As an IT security advisor at Cyber-Ark, this is the advice I give my clients on how they should go about protecting their data. Information needs to be protected from unauthorized modification, deletion, and exposure. Encryption and other security mechanisms are not helpful if someone hacks the computer and circumvents the security layers. For instance, encryption is good for confidentiality, but it does not protect data from intentional deletion or accidental modification. In order to build multi-layered security, a sterile environment must exist to accommodate and protect the security infrastructure.
1. Ensure you have visual auditability -- Owners of information need to be able to see what happens to their information at all times. Combined with automatic logging and automatic alerting, this gives an organization both a prevention and a detection mechanism.
2. Separation of duties must be possible between the owners of the information and the administrators of the information. In other words, the people who run the storage should be able to back it up, restore it and maintain it without being able to read what is in it; there is no need for IT staff to be reading employee contracts, unless of course he or she is doubling as head of HR!
3. Dual control ensures that highly sensitive data can only be accessed once a second, independent person has authorized the access. The requester must not be able to approve their own request.
4. Data should always be backed up in encrypted form, and kept encrypted while on backup media, to prevent unauthorized disclosure if the media are lost or stolen.
5. Access should also be controlled based on user location. In other words, it's not the employer's responsibility to help an employee show off to a stranger in an Internet cafe. Make sure that if the information is for internal use only, that's exactly where it stays.
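The following is an added example, not code from the article or from Cyber-Ark's product, showing how tips 1, 2, 3 and 5 combine into a single access decision: every request is logged, administrators can run the store but not read its contents, highly sensitive data needs an independent approver, and non-public data is only served to addresses inside the network. Tip 4 (encrypted backups) is a property of the storage layer and is not modelled. All role names, classifications, network ranges and sample requests are constructed for illustration.

```python
"""Toy access-policy engine for the data protection tips above.

Added example: not Cyber-Ark's product and not code from the article.
Every role, classification, network range and request below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed: address ranges that count as "inside the building" (tip 5).
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# Constructed: which roles may read the *content* of each classification.
# "admin" appears only under public data: administrators run the store
# (backup/restore) but never read what is in it -- the separation of duties of tip 2.
READ_ROLES = {
    "public": {"employee", "owner", "approver", "admin"},
    "internal": {"employee", "owner", "approver"},
    "confidential": {"owner", "approver"},
    "highly_sensitive": {"owner"},
}
ADMIN_ACTIONS = {"backup", "restore"}
SENSITIVE = {"confidential", "highly_sensitive"}


@dataclass
class Request:
    subject: str
    role: str
    action: str                          # "read", "backup" or "restore"
    resource: str
    classification: str
    source_ip: str
    approver: Optional[str] = None       # second person for dual control (tip 3)
    approver_role: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    reason: str
    alert: bool = False                  # a denial that should page someone (tip 1)


AUDIT_LOG: list = []                     # tip 1: every decision is recorded


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def decide(req: Request) -> Decision:
    """Pure policy check; does not write the audit log."""
    if req.classification not in READ_ROLES:
        return Decision(False, "unknown classification", alert=True)
    sensitive = req.classification in SENSITIVE
    if req.action in ADMIN_ACTIONS:
        if req.role != "admin":
            return Decision(False, "custodian action requires the admin role", alert=sensitive)
        return Decision(True, "custodian action on encrypted store")  # no content exposed
    if req.action != "read":
        return Decision(False, "unsupported action")
    # Tip 2: separation of duties between owners and administrators.
    if req.role not in READ_ROLES[req.classification]:
        return Decision(False, f"role '{req.role}' may not read {req.classification} data",
                        alert=sensitive)
    # Tip 5: non-public data stays inside the network.
    if req.classification != "public" and not is_internal(req.source_ip):
        return Decision(False, "internal-only data requested from outside the network",
                        alert=sensitive)
    # Tip 3: dual control; self-approval is rejected.
    if req.classification == "highly_sensitive" and (
            req.approver is None or req.approver == req.subject
            or req.approver_role != "approver"):
        return Decision(False, "highly sensitive data needs an independent approver", alert=True)
    return Decision(True, "permitted")


def evaluate(req: Request) -> Decision:
    """Decide and record, so owners can see what happened to their data (tip 1)."""
    d = decide(req)
    AUDIT_LOG.append({"subject": req.subject, "role": req.role, "action": req.action,
                      "resource": req.resource, "source_ip": req.source_ip,
                      "allowed": d.allowed, "reason": d.reason, "alert": d.alert})
    return d


def alerts() -> list:
    """Audit entries that should be auto-alerted, not merely logged."""
    return [e for e in AUDIT_LOG if e["alert"]]


# Constructed sample requests exercising each rule in turn.
SAMPLES = [
    Request("alice", "owner", "read", "contract-0042", "highly_sensitive", "10.1.2.3",
            approver="bob", approver_role="approver"),
    Request("alice", "owner", "read", "contract-0042", "highly_sensitive", "10.1.2.3",
            approver="alice", approver_role="approver"),        # self-approval
    Request("carol", "admin", "read", "contract-0042", "confidential", "10.1.2.4"),
    Request("carol", "admin", "backup", "contract-0042", "confidential", "10.1.2.4"),
    Request("dave", "employee", "read", "memo-0007", "internal", "203.0.113.5"),
    Request("dave", "employee", "read", "memo-0007", "internal", "192.168.1.10"),
]


def run_samples() -> list:
    AUDIT_LOG.clear()
    return [evaluate(r) for r in SAMPLES]


if __name__ == "__main__":
    for req, d in zip(SAMPLES, run_samples()):
        print(f"{req.subject:6} {req.action:7} {req.classification:17} "
              f"{'ALLOW' if d.allowed else 'DENY':5} {d.reason}")
    print(f"{len(alerts())} alert(s) raised")
```

Of the six constructed requests, only the owner with an independent approver, the administrator's backup and the employee reading from an internal address are allowed; the self-approved request and the administrator's attempt to read confidential content are both denied and flagged for alerting, while the off-site employee is denied without an alert.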
No organization is immune to the risk of exposure, embezzlement or embarrassment. There is no such thing as a 100% trustworthy workforce, especially when you're outsourcing or using contract staff. How many organizations can say they have been cheated by someone and have no idea when it happened? At some point they make up their minds that it has to come to an end. So let's just say that since people have a habit of letting you down, it's time you ensured your data is secure and locked away. As someone once famously said, "I generally avoid temptation unless I can't resist it".
Calum Macleod is European Director for Cyber-Ark (www.cyber-ark.com).
For more information, please send your e-mails to swm@infothe.com.
©2007 www.SecurityWorldMag.com. All rights reserved.