BYOD Security: Expert Tips on Policy, Mitigating Risks, & Preventing a Breach

by Nate Lord, Digital Guardian, June 3, 2015

Despite all of the security risks BYOD poses to an IT environment, the trend of businesses embracing bring your own device in the workplace continues to grow at a rapid pace.

Some of the main reasons companies today are so accepting of BYOD in the workplace relate to employee satisfaction and increased productivity: employees who are permitted to use their own devices in the office are generally more satisfied, and some 43% of employees connect to their email on their smartphones in order to get ahead and ease their workload.

Since it seems that BYOD is quickly becoming the new standard in workplace technology rather than an exception, we wanted to find out how companies that are already investing in a BYOD workplace, or are planning to do so in the near future, are keeping their data secure. To do this, we asked 30 data security experts to answer this question:

“How can companies keep data secure in a BYOD environment?”

Paul Hill @SyExperts

Paul Hill is a Senior Consultant at SystemExperts, an IT compliance and security consultancy, and works to provide clients with both strategic and practical guidance to build effective security organizations.

To have a successful BYOD program, companies must…

Maintain the security of their systems and the confidentiality of data. The four most basic BYOD technical controls that a company must implement are:

  • The company must know what devices are being used legitimately, so each device should be registered and authorized.
  • A PIN or pass phrase must be used to access the device.
  • The ability to remotely lock and wipe the device must be enabled.
  • Employees must report lost or stolen devices in a timely manner so that they can be locked and wiped.

Additionally, a successful BYOD program should include policies and training to protect both the company and the employee:

  • Do have policies that require employees to waive all liabilities in the event that the company remotely locks or wipes a device.
  • Do have relevant acceptable use policies that also describe what is prohibited, such as using jailbroken devices.
  • Do provide security awareness training about the risks associated with mobile devices and the importance of timely reporting of lost or stolen devices.

To see what all the experts have to say, go to Digital Guardian.

8 Android security tips for IT, corporate users

By James A. Martin, CIO.com, May 20, 2015

A set of security experts shares actionable tips for IT departments and users to help reduce the risk associated with the popular mobile OS.

The security pros interviewed for our article, “Experts bust Android security myths,” offered up the following eight Android security tips for IT administrators and users:

1) Don’t root that Android device

“To do significant damage in the mobile world, malware needs to act on devices that have been altered at an administrative level,” according to Dionisio Zumerle, principal research analyst at Gartner. “The most obvious platform compromises of this nature are ‘jailbreaking’ on iOS or ‘rooting’ on Android devices …

While these methods allow users to access certain device resources that are normally inaccessible … they also put data in danger.”

2) Don’t overlook Android security or focus only on malware

“Perhaps one of the biggest risks of mobile malware is the fact that mobile malware, in itself, is not yet abundant,” says Domingo Guerra, president and cofounder of Appthority. “This creates a false sense of security in government and enterprise organizations.”

Guerra also identified a number of additional Android risks, including “corporate data exfiltration, poor app development practices, mismanagement of user names and passwords, poor implementation of encryption, and data harvesting and sharing for marketing purposes.

“These risks are often overlooked by shortsighted, malware-only security strategies,” Guerra says.

3) Don’t install Android software from unofficial app stores

“Only install apps from the Google Play store that are from known and trusted developers,” says Terry May, an Android developer with Detroit Labs. “It would also be a best practice to take advantage of the multiple users feature in Android and have a user account that is just for enterprise.”

4) Pay attention to Android app permission requests

Reading an app’s access requests is critical, according to Mark Huss, senior consultant at SystemExperts. For example, a flashlight app doesn’t need access to services that cost you money (such as SMS messaging), system tools, your call list or any personal information, network communication or location service, Huss says.
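The permission review Huss describes can be automated when an IT team vets apps before approving them. The following is an added example, not code from the article or from any of the companies quoted: it parses a constructed AndroidManifest.xml for a hypothetical flashlight app, compares the declared permissions against what such an app legitimately needs, and groups the surplus by the risk categories named above (services that cost money, personal information, location, network communication, system tools). The permission names are real Android permissions; the manifest and the expected-permission list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Risk categories from the article, mapped to the Android permissions that fall
# under each. The mapping is illustrative, not a complete catalogue.
RISK_CATEGORIES = {
    "services that cost you money": {
        "android.permission.SEND_SMS",
        "android.permission.CALL_PHONE",
    },
    "personal information": {
        "android.permission.READ_CONTACTS",
        "android.permission.READ_CALL_LOG",
        "android.permission.READ_PHONE_STATE",
    },
    "location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "network communication": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
    },
    "system tools": {
        "android.permission.WRITE_SETTINGS",
        "android.permission.SYSTEM_ALERT_WINDOW",
    },
}

# What a flashlight app legitimately needs: the camera (for the flash LED) and
# nothing else. Constructed allowlist for this example.
FLASHLIGHT_EXPECTED = {
    "android.permission.CAMERA",
    "android.permission.FLASHLIGHT",
}

# Constructed manifest for a hypothetical flashlight app that over-requests.
FLASHLIGHT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Flashlight"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every permission a manifest declares via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [
        elem.get(name_attr)
        for elem in root.iter("uses-permission")
        if elem.get(name_attr)
    ]


def review_permissions(manifest_xml: str, expected: set[str]) -> dict[str, list[str]]:
    """Group permissions the app requests but does not need by risk category.

    Permissions outside every known category land under "uncategorized" so a
    reviewer still sees them; an empty result means nothing unexpected.
    """
    surplus = set(declared_permissions(manifest_xml)) - expected
    findings: dict[str, list[str]] = {}
    for perm in sorted(surplus):
        category = next(
            (cat for cat, perms in RISK_CATEGORIES.items() if perm in perms),
            "uncategorized",
        )
        findings.setdefault(category, []).append(perm)
    return findings


if __name__ == "__main__":
    for category, perms in review_permissions(FLASHLIGHT_MANIFEST, FLASHLIGHT_EXPECTED).items():
        print(f"{category}: {', '.join(perms)}")
```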

5) Always keep Android software and firmware updated

“Always check for available firmware updates and patches and download the latest version if possible,” says Gleb Sviripa, an Android developer at KeepSolid. “The newer the version is, the fewer the chances that hackers can attack your device.”

6) Install security and VPN apps

It’s simple to find a plethora of security apps for Android. Look for apps that scan for malware and block apps from non-approved sources, according to Geoff Sanders, cofounder and CEO of LaunchKey. Disk encryption should be enabled, and apps that have “overreaching access to potentially sensitive data” should be denied, he says.

When surfing the Internet, Android devices should be protected with virtual private network (VPN) software such as VPN Unlimited, Sviripa says.

7) Organizations should set and enforce clear access policies

Companies need to be clear about the sensitive materials that users can access via mobile devices and ensure those devices have “the right infrastructure in place to protect against mobile threats,” according to Swarup Selvaraman, senior product manager at Dell SonicWALL.

8) The four basic tenets of Android security

Troy Vennon, director of Pulse Secure’s Mobile Threat Center, says enterprise mobile security boils down to following four essential steps: Disallow rooted and jailbroken devices; ensure that devices are protected by passwords; keep devices updated; and require users to connect through a VPN.


Data Leak Prevention Tools: Experts Reveal The Biggest Mistake Companies Make Purchasing & Implementing Data Leak Prevention Software

By Nate Lord, Digital Guardian, May 14, 2015

Due to their size, enterprises have many security issues to consider when establishing a comprehensive data security strategy. One security need that is especially critical for larger companies – because they typically have many employees and large volumes of sensitive data – is proper data leak prevention.

As a provider of data loss prevention solutions to many enterprise companies, we wanted to learn more about some of the most common (and avoidable) mistakes companies make when using data leak prevention tools. To do that, we asked a group of data security experts this question:

“What’s the biggest mistake companies make in purchasing and implementing data leak prevention tools?”

See what our experts had to say below:

Paul Hill is a Senior Consultant with SystemExperts, an IT compliance and network security consultancy.

The biggest mistakes that companies often make when purchasing and implementing data leak/loss prevention (DLP) tools fit into the following categories:

  • inadequate risk analysis prior to product selection
  • inadequate investment of time in configuration and tuning
  • failure to set expectations with business units
  • failure to work closely with business units when tuning the configuration

Selecting the right tool for an environment can be difficult. There are typically many potential egress routes for data. These may include removable media, email, instant messaging, ftp, web applications, and even paper copies.

The risks of each mechanism should be assessed to then determine which tool can best address the particular methods of egress that are deemed the most risky. Few, if any, tools will excel at DLP for all potential egress routes.

DLP tools can be disruptive to a business if not carefully configured and tuned. False positives can disrupt normal or essential business operations. To avoid this, many DLP tools default to a passive mode, simply recording potential leaks. This is done so that customers can tune the product to reduce or eliminate an excessive number of false positives before enabling prevention.

Unfortunately, in some organizations, the tool is bought, deployed, and its configuration is never adjusted. The tool quietly records detections, but it is never configured to prevent data leaks. In more than one case, an organization thinks it has prevented leaks, but is in fact only recording leaks.

DLP can be difficult to deploy successfully. It is not a matter of simply purchasing the product and turning it on. The team responsible for the operation of the DLP product will need to work closely with business units. It requires setting expectations and working with the business units to tune the system so that normal processes are not disrupted.

To read what the other experts say, click here.

10 Security Questions To Ask A Cloud Service Provider

By Erika Chickowski, Contributing Writer, Dark Reading, May 12, 2015

Erika Chickowski of Dark Reading posted a slideshow of the most important security questions companies should ask cloud providers in order to evaluate the risk of using that service. Paul Hill, senior consultant, SystemExperts, contributed two questions for the article:

Do you encrypt all data transmissions, including all server-to-server data transmissions, within data centers?

“Security is only as strong as the weakest link. While it is very common to encrypt the traffic between the customer and the service provider in order to ensure integrity and confidentiality, it is less common for service providers to encrypt intra-server communications within the company’s own perimeter. Too often attackers are able to exploit this type of weakness once a single breach in the perimeter has occurred.”

Do you allow customers to perform scheduled penetration tests of either the production environment or a designated testing environment?

“Penetration testing is a common method used by companies to ensure their systems are well defended from attacks. Cloud service providers that allow customers to perform such testing are willing to be transparent about their security practices and also likely to be confident that their systems are well secured.”

To read the other questions you should ask, click here.

Is your business data really secure?

Joe Stangarone, writer, MRC’s Cup of Joe Blog, March 24, 2015

Summary: With data breaches on the rise, security becomes more important than ever. Is your company (unwittingly) putting your data at risk? Are you following best practices for data security? Learn 7 ways to better secure your data.

They say that “any press is good press.” But, I’d guess that any of those companies who suffered widely publicized data breaches recently would argue with that.

Does it feel like data breaches are becoming more frequent? It’s true. A recent IBM report finds a 12% year-to-year increase in security incidents. What’s worse: These breaches lead to reputation damage, lost productivity, and lost revenue.

With that in mind, let me ask you a question: Is your business data secure?

What steps are you taking to ensure that your company doesn’t make the news for a security incident? Today, let’s focus on that topic. How can you keep your business data secure? While the list could be much longer, here are 7 important tips:

1. Avoid spreadsheet overuse
Let’s start off with one of the biggest threats to data security: Spreadsheets. Many businesses put their data at risk because they rely too heavily on spreadsheets. They store critical business data in spreadsheets. Or, they export data from their business systems into spreadsheets for reporting.

Why is this such a problem? Once your data is in a spreadsheet, it’s vulnerable. What happens when a user shares that spreadsheet with other users? What happens when those users edit the data and share it with others? Soon, you have multiple versions of the same data floating around, beyond your control.

Which version is accurate? How many different spreadsheets exist? Where are they stored? Did any users make a data entry mistake, or somehow tarnish the data? There’s no way to know. How bad is this problem? Studies have found that over 80% of spreadsheets contain critical errors. User groups now exist to warn businesses about the dangers of spreadsheets. If your company still relies heavily on spreadsheets, your data is already at risk.

2. Create password policies
End users have notoriously bad password habits. How bad? According to this annual list of the most popular passwords over the last year, “123456”, “password”, and “12345” top the charts. That’s right. It’s that bad. Without a strict password policy, your employees can unwittingly put your data at risk with weak passwords.

3. Use 2 factor authentication
Now, a strict password policy helps, but it’s just one step in the process. What happens if a hacker gains access to one of your employee’s passwords? How can you protect your data?

Two-factor authentication (2FA) is a great way to combat this risk. It adds a second layer of security to your applications. Rather than identifying users with a single factor (username/password), it adds another identification factor–usually a PIN delivered via SMS. This is a great method to add extra protection to your most sensitive data.

4. Monitor user workstations
Here’s another password-related problem: How will employees remember multiple, complex passwords? If you impose strict password policies, users need a way to remember their passwords.

What do they do? Many write their passwords on sticky notes and leave them on their desks–defeating the point of a password in the first place. To combat this, perform periodic security checks on your employees’ workstations.

5. Hold security and awareness training
Hackers aren’t usually the biggest threat to your data security. The fact is, uninformed employees are often your biggest threat. Many don’t understand proper security habits. They don’t realize their actions put the company at risk. It will stay that way unless businesses ensure that their users understand best security practices.

6. Create a good rapport with end users
In some companies, there’s a disconnect between the IT department and the end users. Both sides have an “us vs. them” mentality. The users feel like IT gets in their way, and the IT department feels like users can’t be trusted. The problem is, this disconnect puts your business data at risk.

If end users don’t respect the IT department (or vice-versa), do you really think they’ll respect their security policies? No.

7. Limit data access
Allowing too much data access is another critical security mistake businesses make. They give users access to all of their data. This opens the business up to all sorts of security risks. For instance, what happens if a user decides to copy data to a personal device and bring it home? What happens when a user accidentally deletes data, or enters new data incorrectly?

“One of the most important steps in keeping business data safe is to tightly control access to any sensitive data, and that includes administrators,” says Jon Gossels, President of SystemExperts.

Nobody should have access without oversight and logging.

Make sure that every user has the least privileges necessary to perform their job and that every user has his own unique login credentials so that actions can be traced.

If you have computers on-site, make sure they are used only for business (e.g., don’t allow anything to be downloaded or for people to browse the Internet), and make sure you have constantly updated anti-virus software running at all times – and keep those computers isolated/segregated from any other networks or computers you may have.”

SMB Awareness of Breach Notification Laws IndustryView | 2015

by Daniel Humphries, Managing Editor for IT Security research firm Software Advice, February 2015

Currently, 47 U.S. states have security breach notification laws, which require organizations that store sensitive information to notify customers and clients if their personal data is breached. In this report, we investigate how aware decision-makers at small and midsize businesses (SMBs) are of the laws that apply to their firms, and examine the contents of those laws. We also provide advice from leading cybersecurity experts on how best to avoid breaches, fines, lawsuits and reputational

Key Findings:

  1. Only 33 percent of SMB decision-makers we surveyed are “very confident” they understand their state’s data breach notification laws.
  2. Less than half of our survey respondents (49 percent) say their company already has a breach response plan in place.
  3. The vast majority of SMB decision-makers in our sample (82 percent) say that their business encrypts customers’ personal information.

In January 2015, President Obama proposed new federal legislation that would require organizations to alert customers within 30 days of discovering that their personal information had been exposed in a data breach. For now, however, no such law exists; instead, businesses must comply with a patchwork of state laws governing breach disclosure.

Since California passed the first such law in 2002, a total of 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government organizations to notify individuals of security breaches involving Personally Identifiable Information (PII). Definitions of PII vary, but usually involve a combination of the individual’s name plus sensitive data such as their social security number (SSN), credit card number or bank personal identification numbers (PINs).

While large firms may have lawyers on tap who are experts in these laws, we wanted to gauge SMBs’ awareness of their legal obligations in the event of a breach—so we polled SMB owners and decision-makers at businesses that store customer PII. We then spoke to legal, compliance and cybersecurity experts to gain insight into these laws and learn how businesses should prepare for, and respond to, a breach.

One-Third of SMBs Not Confident They Know the Rules on Breach Disclosure

After a successful hack, cybercriminals act quickly to cash in on their ill-gotten gains.

“Most of the time, when [valuable] information leaks out of a company, it is instantly being monetized on underground forums,” says Bogdan Botezatu, senior e-threat analyst for antivirus firm Bitdefender. In these situations, he says, businesses should alert their clients and customers as quickly as possible so they can minimize the aggravation and inconvenience that results when sensitive data goes missing.

In addition to an ethical responsibility, however, most U.S. businesses storing sensitive data also have a legal responsibility to inform customers of lost PII. Thus, even if a business owner concerned about reputational damage is tempted to conceal or suppress a breach of PII—as experts believe often happened before these laws were adopted—today, this is illegal in every state but Alabama, New Mexico and South Dakota.

So, how confident are SMB owners and decision-makers that they understand the security breach notification laws of their state?

Only one-third (33 percent) of respondents are “very confident,” while 34 percent describe themselves as “moderately confident.” Another one-third, combined, are largely (19 percent) or completely (14 percent) unaware of their state’s breach disclosure requirements.

This suggests many businesses are highly likely to be caught off-guard if a breach occurs—and according to the most recent security report from Symantec, targeted attacks on SMBs accounted for 30 percent of all “spear phishing” attacks in 2013 (the most up-to-date figures, from 2014, are still pending). In these attacks, criminals craft fake emails to dupe individuals into surrendering their credentials or into downloading malware.

Heather Buchta, partner at legal firm Quarles & Brady and an expert in e-commerce, software and technology law, says that although state laws vary, they do share common features. When defining PII, the statutes “almost always” include a combination of an individual’s name together with any “sensitive data elements,” such as SSN, driver’s license numbers, credit card PINs and account passwords, for instance.

However, the definition of a “sensitive data element” may be broader.

“For instance, some states, such as Missouri, include various types of health information, while Nebraska’s law covers biometric data [e.g., retina or fingerprint scans],” Buchta says. “North Carolina considers an individual’s parent’s surnames prior to marriage to be sensitive, while Puerto Rico includes labor evaluations and the Wisconsin law covers DNA.”

Clearly, the laws are complicated. Jeff VanSickel, compliance lead at security consultancy SystemExperts, has conducted a comparative analysis of all 47 laws. He says he’s often surprised at which states are the most stringent in their definitions of sensitive data.

For instance, VanSickel believes that Montana has the “most rigorous” laws in the nation—there, the mere combination of name and address is defined as PII. Not a problem if you’re not based in Montana? Think again, says VanSickel: Businesses must also know the laws where their customers are located.

He uses the example of a company that is based in Florida but has clients in Hawaii to illustrate his point. If that company lost the PII of its Hawaiian customer base, then it would face legal issues in Hawaii, VanSickel says.

To read the full report on SMB Awareness of Breach Notification Laws, click here.

Defending Big Data: An SC Magazine ebook

by Stephen Lawton, editor, November 17, 2014 – Click here to download the entire ebook. (Following is an excerpt from SC magazine.)

Additional layers of identity credential access management could identify and stop a potential breach. Some enterprises, such as the NSA, are finding that migrating to the cloud aids in the protection of Big Data.

While the definition of “Big Data” tends to depend on one’s perspective of how big is big, one point is clear: Big Data has become big business and, as such, it has become a prime objective for cybercrooks, political activists and nation-states that want to get their hands on these massive databases that contain petabytes and more of detailed information on individuals, companies and government agencies.

Few organizations, if any, generate more Big Data than the National Security Agency. Similarly, few organizations are as large a target of attacks as is the NSA. While recent breaches of confidential government information have been well documented – NSA contractor Edward Snowden and Pfc. Chelsea (Bradley) Manning immediately come to mind – the agency continues to redefine its defenses.

Sally Holcomb, CISO of the NSA, says the agency is now using a private cloud to apply multiple levels of analytics to Big Data in order to further protect it. Aside from installing several additional layers of physical security using a combination of tokens, locked gates around servers, and additional identity credential access management (ICAM) tools, moving to a private cloud also permits the NSA to build in additional layers of attribute-based access management unavailable to its previous databases, Holcomb says. In addition to the traditional rules that identified who could access the data, such as the nationality of the user, privileges based on job title, security clearance and the like, now the data can be protected by policies that can only be determined through a deeper analysis of both the data and the user, she says.

For example, data can be tagged to require specific training and experience of the potential user in order for them to understand how to use it. The characteristics of the potential user’s training, education, job description, current assignments and various other ascribed elements create a matrix of attributes that must match the data in order for the user to gain access. Even if the person trying to view the information has all of the requisite security clearances, training and expertise required to view the data, should the user have access? These additional layers of ICAM could identify and stop a potential breach based on either the use of stolen credentials and impersonation or by a potential insider with valid security clearance who does not have any reason to access the specific data they are trying to view, print or copy, Holcomb says.
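The attribute matrix Holcomb describes can be illustrated with a small policy engine. This is an added example, not code from the ebook or from the NSA or SystemExperts: data objects carry the clearance, training and assignments a requester must hold, every request is checked attribute by attribute, and every decision (granted or denied) is written to a provenance log so that a cleared user with no reason to touch the data shows up as a denial. Clearance levels, course names and project names are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed clearance ordering for this example.
CLEARANCE_RANK = {"CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class TaggedData:
    """A document tagged with the attributes a requester must match."""
    name: str
    min_clearance: str
    required_training: frozenset      # every course listed must be held
    allowed_assignments: frozenset    # at least one assignment must match


@dataclass(frozen=True)
class Subject:
    """The requesting user's attributes."""
    user_id: str
    clearance: str
    training: frozenset
    assignments: frozenset


class ProvenanceLog:
    """Records who touched which object, the action, and the decision."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, subject, data, action, allowed, reason) -> None:
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": subject.user_id,
            "object": data.name,
            "action": action,
            "allowed": allowed,
            "reason": reason,
        })

    def denials(self) -> list[tuple[str, str, str]]:
        """(user, object, reason) for every refused request: the signal a
        reviewer looks at for stolen credentials or an insider without need."""
        return [(e["user"], e["object"], e["reason"])
                for e in self.entries if not e["allowed"]]


def evaluate(subject: Subject, data: TaggedData, action: str,
             log: ProvenanceLog) -> tuple[bool, str]:
    """Return (allowed, reason). Checks run in order so the reason names the
    first attribute that failed; the decision is always logged."""
    if CLEARANCE_RANK.get(subject.clearance, 0) < CLEARANCE_RANK[data.min_clearance]:
        allowed, reason = False, "insufficient clearance"
    elif not data.required_training <= subject.training:
        missing = sorted(data.required_training - subject.training)
        allowed, reason = False, "missing training: " + ", ".join(missing)
    elif not (data.allowed_assignments & subject.assignments):
        # Fully cleared and trained, but no current assignment gives a reason
        # to access this data: the insider case the text describes.
        allowed, reason = False, "no current assignment requires this data"
    else:
        allowed, reason = True, "all attributes matched"
    log.record(subject, data, action, allowed, reason)
    return allowed, reason


# Constructed sample data and users.
SIGNALS_REPORT = TaggedData(
    name="signals-report-q3",
    min_clearance="TOP_SECRET",
    required_training=frozenset({"SIGINT-101", "HANDLING-201"}),
    allowed_assignments=frozenset({"PROJECT-A"}),
)
ALICE = Subject("alice", "TOP_SECRET",
                frozenset({"SIGINT-101", "HANDLING-201"}), frozenset({"PROJECT-A"}))
BOB = Subject("bob", "TOP_SECRET",
              frozenset({"SIGINT-101", "HANDLING-201"}), frozenset({"PROJECT-B"}))
CAROL = Subject("carol", "TOP_SECRET",
                frozenset({"SIGINT-101"}), frozenset({"PROJECT-A"}))
DAVE = Subject("dave", "SECRET",
               frozenset({"SIGINT-101", "HANDLING-201"}), frozenset({"PROJECT-A"}))


def run_demo() -> ProvenanceLog:
    """Evaluate one request per sample user and return the resulting log."""
    log = ProvenanceLog()
    for subject in (ALICE, BOB, CAROL, DAVE):
        evaluate(subject, SIGNALS_REPORT, "view", log)
    return log


if __name__ == "__main__":
    for entry in run_demo().entries:
        print(entry["user"], "->", "ALLOW" if entry["allowed"] else "DENY", entry["reason"])
```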

Additionally, the NSA’s improved audit capabilities – known as data provenance – show in greater detail when and what changes are made to documents. Part of the data header from when the original document was created now includes a much more detailed record of what happens to a document that is moved to the cloud, she says, including who “touched” the document, what users did and what alterations were made to the original.

Since the Snowden breach came to light, she says, a lot of security vendors approached the NSA with products they said would “solve the problem” that led to the infamous exposure. While the various offerings might address some of the issues identified by the breach, she says, moving the data to the cloud provides the most effective new security controls, including limiting physical access to data and storing it in protected locations.

But the NSA isn’t unique. Paul Hill, senior consultant at SystemExperts, a Sudbury, Mass.-based network security consulting firm, says the same issues challenge security executives across all industries. “Big Data can create big problems for a CISO,” he says. “As the hype around Big Data has grown, a number of companies have taken the approach of ‘let’s store everything’ and later worry about what subset of the data they will use for analysis.”

But not all data requires the same level of security – be it traditional, paper-based documents or Big Data – nor should all data be stored forever. “Data should be classified and labeled so that an organization can understand its data retention and destruction requirements, as well as the handling requirements,” he says. “Large data sets of unstructured data can have a lot of unexpected information in them. This may include personally identifiable information (PII), financial details, or even data that falls under the payment card industry data security standard (PCI-DSS).”

Hill offers some specific tips on how to secure Big Data:

  • Identify the types of information being gathered and the regulatory encumbrances associated with the data
  • Do not ignore incidental information that is gathered unintentionally
  • Each type of data being considered for storage should be evaluated for its risk:
    • What are the potential benefits?
    • What are the regulatory or contractual obligations inherent in storing the data?
    • How long should it be retained?
    • What are the implications if the data were disclosed during a breach?
    • Does storing the data make it a target for eDiscovery? And what will the costs be to comply?


Keeping Your Business Data Safe from Holiday Hackers

by Nicole Fallon, Business News Daily Assistant Editor | November 13, 2014

In the wake of the recent string of corporate data breaches, businesses are more alert than ever about cybersecurity. Right now, many of them are also gearing up for the busy holiday shopping season, which brings more opportunities for hackers to break in and steal sensitive customer data.

“For many small retailers, the holiday season is a ‘make it or break it’ time of year,” said Jonathan Gossels, president of IT security and consulting firm SystemExperts. “In addition to traditional merchandizing challenges, they now have to worry about whether their IT infrastructure is up to date and can handle the load securely.”

More and more consumers are choosing to shop online every holiday season, so businesses are under a lot of pressure to keep their transactional data safe. Gossels noted that e-retailer websites and associated back-end systems need to be up to date, compliant with the Payment Card Industry Data Security Standard (PCI-DSS) and able to handle the expected transaction volume throughout the holiday season. The key to success, of course, is being prepared long before Black Friday and Cyber Monday.

“The holiday cybershopping boom is not a surprise event,” Gossels told Business News Daily. “It happens every year at exactly the same time. Merchants of all sizes need to plan for it strategically and programmatically.”

While the 2014 holiday shopping season is practically here, there’s plenty you can do to secure your website now and begin planning for next year’s rush. Gossels shared the following tips and timeline to make sure your business’s website is ready for this busy time of year.

Right now: Freeze your production systems until the end of the year. Don’t implement any new software or technologies, and make sure your existing ones are running smoothly and properly. You should only make exceptions to address critical patches that may come out. Use the “freeze time” to begin planning enhancements for next year.

Early 2015: Plan, design and review any system enhancements, including a security architecture/compliance review.

Summer: Implement and test the whole website and back-end systems with particular emphasis on the new functionality.

Late summer/early fall: Conduct PCI compliance and security testing as a strategic framework to follow.

Before November 2015: Fix any remaining problems that have been found during the testing, address any capacity constraints, ensure that all security-related patches are in place, and train staff on acceptable use of systems and resources.


27 Data Security Experts Reveal The #1 Information Security Issue Most Companies Face With Cloud Computing & Storage

Digital Guardian, November 12, 2014

“What is the number one issue most companies face with cloud computing and data security, and what can they do to address the issue?”

Cloud computing is quickly becoming a mainstay for many technology companies today because of its superior flexibility, accessibility, and capacity compared to traditional online computing and storage methods. But just like traditional storage and data sharing methods, cloud computing comes with its own set of data security issues.

At Digital Guardian, our mission is to provide data security solutions and services to help businesses protect their most valuable digital assets. In doing so, we follow the top data security issues facing companies in today’s digital world and work with security experts from all around the industry. As cloud security risks grow, we wanted to compile some tips from data security experts on the most common (and avoidable) issues companies face when it comes to the cloud and securing their data.

We’ve collected and compiled their expert advice into this comprehensive guide on safeguarding your company from cloud computing and data security issues. Click here to see the full article.

Paul Hill

Paul Hill is a Senior Consultant at SystemExperts, a security and compliance consultancy. Paul has worked as a principal project consultant at SystemExperts for more than twelve years, assisting on a wide range of challenging projects across a variety of industries including higher education, legal, and financial services.

For companies purchasing cloud services, the number one priority should be…

How to evaluate the risk of using a particular vendor.

Many companies don’t have a solid process for evaluating a third-party cloud vendor for risks or for assessing the likelihood of a breach at that third party. Too often, if a company attempts to assess the risk, the task gets delegated to someone who concentrates on a very narrow aspect of the service provided.

For example, someone might only validate if the data is encrypted during transmission, or the decision might rely on determining if the system is multi-tenant versus a dedicated host. In order to properly assess the risk, companies should be using mature frameworks such as ISO 27002 or the emergent Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA). These frameworks look at a broad range of controls including HR practices; physical security; environmental controls; authentication policies, procedures, and mechanisms; access controls; cryptography usage; and key management.

The current version of ISO 27002 examines over 130 different aspects of an organization’s overall security. The CCM has similar granularity. A small number of organizations with mature IT departments use ISO 27002 or a similar framework to assess their third party vendors, including cloud service providers. Some cloud vendors perform an annual assessment and publish compliance information about the assessment.

However, too often these diligent practices are the exception rather than the standard practice. One area that ISO 27002 does not address is breach notifications by third party vendors. When purchasing cloud services, companies should include terms and conditions that address the definition of a breach, the timeliness of notifications upon learning of a breach, and what information will be communicated about a breach.

How to Prevent Insider Threats

Samuel Greengard, contributing writer for CIO Insight, October 15, 2014

Insider threats aren’t going away anytime soon. Unfortunately, most businesses say they lack the ability to detect or deter them, and they are not adequately prepared to respond.

Over the last few years, especially in the wake of former contractor Edward Snowden’s disclosures about the National Security Agency, cybersecurity has emerged as a huge concern for CIOs and other senior-level executives. But behind the headlines about outsiders engaging in hacks and attacks, there’s the sobering reality that many incidents center on employees and other insiders who unintentionally engage in negligent or risky behavior, or who intentionally set out to perpetrate financial fraud or intellectual property theft, or to damage systems.

It’s not a small problem. “The biggest threats, both intentionally and inadvertently, are related to the spreading of information,” says Ryan LaSalle, managing director at Accenture. “Intentionally, this can mean siphoning customer details, intellectual property or insider trading. Most inadvertent threats are related to accidental leaks of project or proprietary information.”

Jonathan Gossels, president of security consulting firm SystemExperts Corporation, describes insider threats as “a problem that evolves and changes, but never goes away.” In fact, according to a recent survey of 355 security professionals conducted by mobile software firm SpectorSoft, 61 percent of respondents believe that their firm lacks the ability to deter an insider threat. Meanwhile, 59 percent admitted they do not have the ability to detect an insider threat, and 75 percent stated that they cannot detail the human behavioral activities that comprise an insider threat.

The Biggest Threats

LaSalle says the stakes with insider threats have changed over the last decade. The biggest threat used to be an employee or contract worker walking off with a laptop or using a USB drive to steal a limited amount of data. Now, insider threats revolve around stealing an entire credit card database or millions of personal records.

“Insider threats have become more sophisticated and difficult to detect,” LaSalle says. Part of the problem is that malware is now often designed to look like a legitimate user and thereby stay under the radar of IT and security workers. The result is that it’s more difficult to differentiate between a person and a piece of software using a person’s credentials. In addition, the popularity of social collaboration has made it easier to share information, leading to a rise in inadvertent threats, LaSalle says.

Frequently, experts say, organizations have systems in place to log activity, but lack the resources to audit and monitor all the online transactions. In fact, the SpectorSoft survey found that 61 percent of respondents do not believe their organization is adequately prepared to respond to insider threats. Among the most common challenges are a lack of training, insufficient budgets, a general perception that threats aren’t a priority, a lack of staffing, and technology that doesn’t match the challenge.

Assembling the right combination of technical and practical controls is paramount. Gossels says organizations must focus on hiring practices and background checks; provide education and training at all levels of the organization, from entry-level clerks to the CEO; conduct detailed audits; and balance the need for surveillance and controls with the real world of people getting their work done quickly and efficiently. “One of the biggest mistakes CIOs and other executives make,” says Gossels, “is introducing security controls that are so onerous employees look for ways to bypass them through rogue applications and unauthorized processes.”

In the end, Gossels suggests using acknowledged standards, such as ISO 27002, and turning to top-notch resources, such as Carnegie Mellon University’s CyLab Research page, for the latest cybersecurity news and information. LaSalle says CIOs can mitigate risks by understanding how to identify the difference between normal and risky behavior. “Adding visibility at the application layer can help identify usage patterns and outliers,” he explains. “From there, connecting teams that understand the application with teams that know user behavior can provide a better idea of what is being seen and how this may affect the business.”
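As an added illustration of the application-layer visibility LaSalle describes (example code, not from the article or from any firm quoted in it): a small Python script that parses constructed export-log lines in a hypothetical format, builds each user's baseline daily record volume, and flags days whose volume is far above that baseline, the kind of bulk database pull the section contrasts with the old USB-drive theft.

```python
# Added example: flag days on which a user's export volume is far above that user's own baseline.
import re
import statistics
from collections import defaultdict

# Constructed sample lines in a hypothetical application export-log format.
SAMPLE_LOG = """\
2014-10-01T09:12:03 user=alice app=crm action=export records=120 host=WS-ALICE
2014-10-02T09:40:11 user=alice app=crm action=export records=95 host=WS-ALICE
2014-10-03T10:02:45 user=alice app=crm action=export records=140 host=WS-ALICE
2014-10-04T08:55:19 user=alice app=crm action=export records=110 host=WS-ALICE
2014-10-05T02:17:52 user=alice app=crm action=export records=250000 host=SRV-DB7
2014-10-01T11:30:00 user=bob app=crm action=export records=30 host=WS-BOB
2014-10-02T11:31:12 user=bob app=crm action=export records=45 host=WS-BOB
2014-10-03T11:29:48 user=bob app=crm action=export records=38 host=WS-BOB
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) app=\S+ "
                     r"action=(?P<action>\S+) records=(?P<records>\d+) host=\S+$")

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["records"] = int(rec["records"])
    rec["day"] = rec["ts"][:10]          # ISO timestamp -> calendar day
    return rec

def daily_totals(lines):
    """Sum exported records per user and day: {user: {day: records}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "export":
            totals[rec["user"]][rec["day"]] += rec["records"]
    return totals

def find_outliers(lines, factor=5.0, min_records=1000):
    """Return (user, day, records, baseline) for days exceeding factor * the user's
    median daily volume; min_records keeps low-volume users from alerting on small swings."""
    alerts = []
    for user, days in daily_totals(lines).items():
        baseline = statistics.median(days.values())
        for day, count in sorted(days.items()):
            if count >= min_records and count > factor * baseline:
                alerts.append((user, day, count, baseline))
    return alerts
```

Running `find_outliers(SAMPLE_LOG.splitlines())` reports only alice's 250,000-record day against her baseline of 120; the alert is a cue for the application and user-behavior teams LaSalle mentions to review, not a verdict on its own.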