Recognizing and preventing insider activity

The following practical recommendations offer companies insight into different methods used to prevent data theft and mitigate data leakage risks:

1. Conduct regular audits of IT security risks

It is very difficult for companies to find the right balance between trusting employees and safeguarding against them. A company must secure itself against internal attacks just as effectively as it does against external intrusions by following the principles of data risk management:

• conduct an assessment of the overall infrastructure and identify all critical data assets;
• identify potential threats and vulnerabilities, i.e., create a threat model for the company;
• calculate the potential financial losses that could be caused by a data leak;
• formulate a management strategy and rapid response plan.

It’s impossible to avoid risks completely, but risks can be minimized by finding a happy medium between secure company operations and business efficiency.

2. Teach your employees data security basics

Companies should foster a culture of teaching employees the basics of data. Employees need to understand what the security policies and procedures are, why they exist, and what security measures are used on the network. Informed employees are the first line of defense against insider threats.

3. Delegate job responsibilities and data access rights

If all employees are sufficiently informed of the principles of security, and responsibilities for vital functions are distributed among employees, then the likelihood of workers colluding to steal valuable information is greatly reduced. When responsibilities and privileges concerning company information are effectively delegated, employees will work only with the documents they need to perform their duties. As many procedures as possible should be automated.

4. Introduce strict policies to manage accounts and passwords

It won’t matter that company employees are loyal and conscientious if account details on the network are compromised: a malicious insider will have everything he needs to steal data without leaving a trace.

5. Tighten security for network authentication and authorization

Users that work with important data should undergo authentication and authorization procedures when they access data assets. This can include simpler, more old-fashioned methods and more advanced methods — especially the latest anti-insider techniques.

6. Be prudent about deactivating non-existing users

Established departure procedures (i.e., blocking access to information resources) should be carefully followed when an employee leaves the company. This will prevent former employees from copying data from a hard drive, copying documents, or obtaining remote access to the company’s mail server.

7. Monitor and collect employee activity logs in real time

Trusting your employees doesn’t mean that you shouldn’t monitor the suspicious or dangerous activities at user workstations that may happen from time to time. For example, if network traffic or the number of requests to the corporate database have increased considerably, or even if the consumption of toner and paper has risen — these are signs that ought to be acknowledged and analyzed, as they may be a sign of an attack or the preparations for an attack involving confidential data.

8. Carefully monitor sys-admins and privileged users

Companies typically conduct random employee monitoring using tools such as a remote workstation, URL filtration and traffic counters. However, it’s important to remember that even someone in a position of authority could be in cahoots with scammers and steal confidential data at their request. That’s why effective protection against malicious insiders should be managed at a level higher than that of system administrators and other privileged users.

Consider the following recommendations in addition to the simple and practical advice offered above:

9. Actively protect your data assets against malicious code with good antivirus products that use both reactive (signature-based) methods and proactive technologies.
10. Protect yourself against remote attacks and hacking, preferably with a multilayer solution that covers user applications and network packets at the very least.
11. Get into the habit of using back-up copying and data restoration procedures. That way, if your data is ever compromised, you’ll be able to restore the source data.

It’s especially important to use the latest in data protection technologies:

12. Use content filtration for all outgoing network traffic: email, instant messages, browser-based email, forum postings, blogs, and other Internet activity should be checked for data leaks.
13. Set up policies that regulate actions with external, removable, and mobile devices that can be used to copy and carry confidential documents (FDD, CD/DVD RW, and card readers) that can connect using different buses (USB ports or PCMCIA slots). Policies should also be in place for wireless networks (IrDA, Bluetooth, and WiFi).
14. Check the documents being sent to the printer to prevent the theft of hard copies.
15. Scan database requests in order to pinpoint dangerous requests aimed at retrieving confidential data.
16. Encrypt critical information on block devices and laptops.