According to a recent RSA-sponsored IDC report, 52 percent of organisations have labelled incidents arising from insider threats as predominantly ‘unintentional’. The report also states that employees with laptops, smartphones, PDAs, multiple e-mail accounts and access to corporate systems can prove to be a major challenge to security. Mobility and access issues comprise a threat of much wider scope than the one posed by the minuscule percentage of insiders (about 1-3 percent) who commit intentional, malicious acts.
The survey found that 43 percent of organisations have allocated a specific budget for internal security risks, and about 40 percent of organisations plan to increase that budget over the next year, while 6 percent plan to decrease spending.
Instances of data being inadvertently exposed in the public domain have been reported in India too. The website of VFS, an India-based visa processing outsourcing company, was found to be weak when an Indian national was able to access confidential details of visa applicants by tweaking the URL. The other issue that caused much uproar in Indian enterprise circles was the Ministry of Home Affairs’ (MHA) proposal seeking a complete blackout of BlackBerry services as they are vulnerable to espionage.
Unintentional slip of information by employees
For a very long time, insider threat was associated with employees who had malicious intent. However, of late, there has been a spurt of incidents where information has been exposed inadvertently or unintentionally by company employees. Employees logging on to non-business websites are a common source of insider threat, where an employee visiting a poorly secured website ultimately ends up compromising the company’s network. Various studies have shown that up to 80 percent of malware-infected websites belong to legitimate businesses. Thus, it is imperative for companies to adopt a ‘Defence-in-Depth’ strategy, which comprises multiple layers of security.
“Insider threats could be the malware residing on various PCs of internal users, which may damage either the servers or peer PCs,” says Sameer Ratolikar, CISO, Bank of India. To counter this threat, he suggests the approach of integrating the people, processes and technology components of the business. “Anti-malware is always important, but more significantly, enterprises should implement an effective ‘Information Risk Management Framework’. This will ensure that the foundation for dealing with all such threats is strong and will help in building a good physical and logical access control system, in addition to firewalls and the NIPS (Network Intrusion Prevention System) that have the capability to prevent application attacks,” he says.
Employee education and awareness about the organisation’s information security policies and the repercussions that could arise from non-adherence are also on the list of Ratolikar’s strategies to deal with insider threats.
DRM, DLP solutions to the rescue
Murli N, head-Security, Reliance Capital, says, “Users often store project-related information even after its completion. This leads to data back-up on servers without authorisation or sufficient security attached to it.” To overcome this, Murli’s company has put in place Document Rights Management or DRM, which helps to classify data and secure it such that only ‘authorised’ users can access it based on granular access rights provided to them (edit, print, copy, etc.).
“We have also implemented a Data Loss Prevention (DLP) solution, which monitors the various channels (e-mail, HTTP, FTP, data cards, USB/CD and print) to identify if any corporate data is being sent out,” he says. However, DLP should be carefully adapted so that it doesn’t hamper collaboration.
Vikas Desai, lead technology consultant, India & SAARC, RSA, is of the opinion that contractors and temporary staff represent the greatest insider risk to organisations. As a by-product of the recession and the slow recovery following it, many companies are increasing the use of contractors, temporary staff, and outsourcers. While not employees, they need access to corporate networks. This creates a burden for the IT staff, who are tasked with managing their access rights, monitoring their activities, and de-provisioning their accounts when their contracts expire, all the while still protecting sensitive information and meeting compliance norms.
There are many rights management technologies on the market, such as Seclore FileSecure, that provide control over what can be done with information (viewing, editing, copying, forwarding and so on) based on defined policies. These policies could either be centrally defined or end-user defined. “These policies are implemented irrespective of the location (within or outside the enterprise) and therefore, collaboration is not affected,” says Vishal Gupta, CEO, Seclore Technology.
“Typing wrong e-mail addresses or a laptop theft can also lead to major insider threats,” adds Gupta. Similarly, lack of awareness also leads to insider threat incidents, where business users are not aware of the value or confidentiality of the data they are dealing with and therefore willingly share it with outsiders, thereby making it public.
RSA suggests the use of internal risk guards for controlling information loss through lost laptops, USBs, PDAs, mobile phones and the like.
EMC, RSA’s holding company, has formed a Critical Incident Response Team (CIRT) to proactively manage information security within the converged organisation. CIRT, a US-based operation, functions at three levels. Level 1 handles pre-defined events and documented procedures for analysis. Level 2 deals with pre-defined events and a more free-form analysis with documented guidelines. Level 3 conducts advanced R&D including threat identification, command and control identification and threat management that includes intelligence gathering, threat validation and impact analysis. With this kind of internal set-up, EMC is able to proactively protect its information assets.
The Final Word
Internal security risks are only going to increase as business models evolve with a dynamic mix of users and geographically dispersed locations. In such a scenario, enterprises need to adopt a framework approach to the issue. Instead of just relying on DLP and other such solutions, it is imperative that the CIO community takes a holistic view and adopts a multi-pronged approach. Employees should be educated regularly on information security policies. As enterprises tide over the recessionary wave, they may not have enough resources at hand to deploy new security solutions; however, nothing stops CIOs from dictating the effective implementation of policies already in place.