The internal threat: preventing and tracking data leakage
A recent study highlighted that out of 400 IT professionals from the UK and US, 74 percent have possible access to company information that is not relevant to their role. Adding to the concern, 35 percent of these employees admitted to 'snooping'.
This, combined with the numerous company redundancies of the last 12 months and the consequent rise of the disgruntled employee, means confidential and highly valuable company data can be taken or leaked from the organisation and used for malicious intent or financial gain.
Brian Cleary, vice president of products and marketing at Aveksa, said: "The natural curiosity of employees to view the private records of political figures and celebrities is leading to people losing their jobs or being criminally convicted. Most of these workplace incidents are not tied to identity theft or other bad intentions, they may just simply be employees taking advantage of a lack of access policy controls at the companies they work at without realising the privacy laws they are breaking and the risk they are exposing their organisations to.
"Just last year, it was revealed that Verizon had fired several employees who had looked at the mobile phone records of newly elected president Barack Obama. Politicians and celebrities use mobile phones, apply for passports and seek healthcare at major hospitals just like everyone else. Employees at these organisations need to realise the danger that even sneaking a peek at these records can cause to them and their employers. The real fault for these problems is not with the natural curiosity of employees but rather with the poor controls for how user access is governed at these organisations. To be effective and consistently applied, policies need to be instantiated as a set of automated controls not just in the corporate security policy ring binder.
"There needs to be more focus on ensuring that employee entitlements to information resources are required for their particular job function and better access controls to sensitive data. It is not unusual, for example, for employees to accumulate unnecessary access privileges as they are promoted, transferred or put on loan to another department within the organisation. Users that drag entitlements that are not needed in their new role may create toxic combinations of access that often result in segregation-of-duties violations or create other business risks. These are surprisingly common problems in large organisations, and they are natural consequences of the usual pressure on IT departments to provide access quickly when employees are transferred or promoted into positions that require new sets of access privileges.
"Organisations that leverage a role-based access governance approach are able to put automated, preventative controls in place for access delivery and access change management that ensure user access is appropriate for a particular job function or process role. Access to information resources, including personally identifiable information, is now governed based on a valid business reason for access, which will mitigate business and compliance risk."
Jon Rolls, VP of product management at ScriptLogic, said: "Businesses are still not enforcing a range of security measures to ensure internal data leakage does not take place. Organisations need to apply security policies to all computers and ensure strong access controls are in place, as well as lock down laptops and restrict use of removable storage, to limit the data users can access or store locally on their laptops. Yes, in this economy, with dwindling IT budget, it's hard to find money to invest in solutions to put all these controls in place; however the cost of failing to do so is so much higher.
"Simple security measures can go a long way in protecting a business' IP, but the IT department has to put a plan in place to enforce those tactics, and use solutions which automate and centralise management of security in order to achieve this in a timely and efficient fashion.
"The rise of the disgruntled employee could mean valuable data can be extracted and offered to competitors or uploaded for the public to see. However, there are third party solutions which now make it easier for IT administrators within companies to audit file access, generate simple compliance reports, and create alerts tied to file system events to protect sensitive information. A file system auditing solution provides the ability to report any attempts to access and modify files and folders, by who and when.
"The reports are increasingly useful if a data leak has occurred because the company can determine whether the breach was malicious or not, which computer was used and who sent what to whom. These reports can also be used to back claims up in court if they are being prosecuted."