Feature article: Financial Firms Try to Protect Themselves Against the Insider Job
The threat of insider fraud appears to be increasing. Insider data theft accounted for nearly 16 percent of all data breaches in 2008, up from 6 percent a year earlier, according to a study by the Identity Theft Resource Center. And perhaps more alarming, customer data stolen by an employee is misused more frequently than data obtained through an external breach, a recent study by ID Analytics reveals.
Phil Neray, VP of database security company Guardium, says there are two main reasons for the rise in the insider threat: Demand for sensitive corporate data has increased, and there is now a thriving black market where fraudsters can buy and sell this type of data.
"Also, most corporations have spent the last 10 years focusing on tighter controls around the perimeter of networks," Neray adds. "It's getting harder to break into firms from the outside in traditional hacking attacks, so the bad guys are focusing on how to use insiders to get to the data."
So what can companies do to prevent the insider threat? Neray offers the following five steps:
1. Establish policies. Companies must put in place policies that define authorized and unauthorized access to sensitive data. "Unless you have a need to know, you should not be looking at sensitive data," Neray says. "For instance, one policy could be that admins in the IT department cannot share credentials with other admins, so that there's accountability. That way, you know it was Joe rather than Bob who logged in, rather than someone just logging in as 'system admin.'"
2. Provide training. "You have to train employees as to what's acceptable and unacceptable, and what kinds of things are just considered bad practice, such as leaving spreadsheets on an unattended file server."
3. Enforce policies with technology. "Many companies have policies but they don't have a way to enforce them," says Neray. Firms must employ real-time monitoring and access management technologies to enforce policies and to identify and prevent unauthorized access to data. If a firm has monitoring in place, and people know they are being watched and will have to have a conversation with the compliance chief or their boss if they are caught doing something suspicious, they will think twice about it, Neray contends.
4. Institute oversight processes. "You have to make sure that if you're creating audit reports and generating real-time alerts that there's an established process to review these exceptions and address them," Neray points out. This includes monitoring and approving sign-offs and escalations, and having a process in place to deal with exceptions.
5. Ensure high-level executive management support. There must be high-level support for data security to be effective. This includes dedicating sufficient resources to data security and properly prioritizing security initiatives. "This is important because in some cases you need to tell lines of business that they're using bad business practices and need to change them," Neray notes. "People don't like to change the way they do things, so you need management support to tell them to change."