By William Afrifah, Senior Cyber Security Consultant, Auriga
What do you do when an insider walks off with the data that forms the very foundations of your company? That was the unenviable dilemma facing analytics firm Hitsniffer this week, when one of its programmers took the customer databases with him when he left. The theft tallies with the latest Computing survey, which revealed that sales and marketing is second only to finance when it comes to data being at risk from rogue insiders.
The insider threat is an old problem, and the Hitsniffer incident goes to show that it is a complex one. The company was small, and there is every chance the ex-employee helped found or establish it, as he had been there since its inception. No doubt he felt entitled to take the data, which makes the dispute a legal one as well as a technological one.
So what could Hitsniffer have done differently? First of all, look at your hiring and leaving processes. Ensure employment contracts include clauses on data handling, retention and destruction. When recruiting, new personnel need to be made aware of these terms and conditions and given training on acceptable data use.
Similarly, when employees give or are given notice, processes should kick in that ensure the speedy revocation of access: accounts, VPN, shared credentials and API keys they held, not just the badge and the laptop. In the same Computing survey, 63 percent of respondents cited mobile use and a lack of BYOD policy enforcement as a cause of insider theft, so the business also needs to look at how mobile access will be rescinded, including copies of data already synced to personal devices.
For the rest of the workforce, ensure that training is regularly revised and that it is engaging. Look at gamification, challenges and mock scenarios to liven it up. And maintain a good internal security policy that is transparent, properly communicated and easily accessible to all employees.
Ensure access privileges are commensurate with the job role so that data is accessed on a need-to-know basis; the fewer people who can read a dataset, the smaller the attack surface and the shorter the list of suspects when something goes missing. And make sure authentication is robust by using multi- or two-factor authentication, biometrics or physical keys. All security approaches have their strengths, but each is more powerful in conjunction with others.
When it comes to implementing the policy, seek buy-in on the Insider Threat Programme. Involve the board and make Senior Managers part of the user education process as well as tasking them with implementing and enforcing policy. But don’t rest on your laurels. The policy should be revised and updated as you go along and can evolve with what you learn too.
In addition to policy and process, technical controls can be used to protect data. Advanced threat detection technology, such as a SOC-as-a-Service, can detect anomalous network behaviour. For instance, the transfer of large amounts of data that took place in the Hitsniffer incident (data that would have been classified as sensitive) would have triggered an alert even though the individual concerned had legitimate access to it. The point is that this kind of detection is behavioural rather than permission-based: it fires on a volume, time or destination that departs from the user's own baseline, not on an access-control violation, which is exactly what an authorised insider never commits. It does, however, depend on two things being in place beforehand: the data actually being classified as sensitive, and enough history to know what normal looks like for each user.
One of the problems facing Hitsniffer was that it was a small company, with each user having access to highly privileged information. But the size of a company should not dictate its security provisioning. Using outsourced security tools can give the business access to the best tools available at a fraction of the cost, and this, combined with a security-conscious business culture, can prevent this kind of data loss.
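The behavioural check described above, as an added example that is not code from the article or from any SOC product: a small Python detector run over a constructed data-access log. The log format (timestamp, user, data classification, bytes) and the thresholds are assumptions made for the illustration. Each user's daily volume of sensitive data is compared against the median of that user's own earlier days, so a programmer who normally reads a megabyte a day is flagged when he pulls hundreds of megabytes, while a colleague whose job involves that volume every day is not.

```python
"""Volume-based insider exfiltration check over a constructed access log.

Added example, not from the original article or any vendor product.
Assumed log line format: "<ISO timestamp> <user> <classification> <bytes>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (not real data). dev1 is a light user who suddenly
# pulls the whole customer database; dev2 legitimately moves ~400 MB a day.
SAMPLE_LOG = """\
2013-10-07T09:12:01 dev1 sensitive 1200000
2013-10-07T11:40:13 dev1 sensitive 900000
2013-10-08T10:05:44 dev1 sensitive 1100000
2013-10-09T09:55:02 dev1 sensitive 1300000
2013-10-10T14:20:19 dev1 sensitive 1000000
2013-10-11T17:48:31 dev1 sensitive 850000000
2013-10-11T18:02:10 dev1 public 50000000
2013-10-07T09:00:00 dev2 sensitive 400000000
2013-10-08T09:00:00 dev2 sensitive 420000000
2013-10-09T09:00:00 dev2 sensitive 390000000
2013-10-10T09:00:00 dev2 sensitive 410000000
2013-10-11T09:00:00 dev2 sensitive 430000000
"""


def parse_log(text):
    """Yield (date, user, classification, bytes) for each well-formed line.

    Malformed lines are skipped rather than crashing the pipeline, which is
    what you want in a detector fed by real, imperfect log sources.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, cls, nbytes = parts
        yield datetime.fromisoformat(ts).date(), user, cls, int(nbytes)


def daily_sensitive_volume(records):
    """Sum the bytes of 'sensitive' data per (user, day); other classes ignored."""
    totals = defaultdict(int)
    for day, user, cls, nbytes in records:
        if cls == "sensitive":
            totals[(user, day)] += nbytes
    return totals


def detect_anomalies(totals, min_history=3, factor=10.0, floor_bytes=100_000_000):
    """Return [(user, day, volume, baseline)] for anomalous days.

    A day is anomalous when the user's sensitive-data volume exceeds
    `factor` times the median of that user's earlier days AND exceeds
    `floor_bytes`. The floor stops a near-zero baseline (a user who rarely
    touches sensitive data) from flagging every small read; `min_history`
    means new users are not judged until a baseline exists.
    """
    per_user = defaultdict(list)
    for (user, day), volume in totals.items():
        per_user[user].append((day, volume))

    alerts = []
    for user, days in per_user.items():
        days.sort()  # chronological, so the baseline only uses earlier days
        history = []
        for day, volume in days:
            if len(history) >= min_history:
                baseline = median(history)
                if volume > factor * baseline and volume > floor_bytes:
                    alerts.append((user, day, volume, baseline))
            history.append(volume)
    return alerts


def run(log_text=SAMPLE_LOG):
    """Parse, aggregate and detect in one call; returns the alert list."""
    return detect_anomalies(daily_sensitive_volume(parse_log(log_text)))


if __name__ == "__main__":
    for user, day, volume, baseline in run():
        print(f"ALERT {user} {day}: {volume} bytes of sensitive data "
              f"(baseline median {baseline:.0f})")
```

Running it produces a single alert for dev1 on the last day and none for dev2, even though dev2 moved far more data in absolute terms. That is the property a fixed global threshold cannot give you: the baseline is per user, so legitimate heavy users do not drown the alert queue and a light user's sudden bulk pull stands out. In production the same logic would sit on proxy, database audit or DLP logs rather than an inline string, and the thresholds would be tuned against a few weeks of real history before alerts are routed to anyone.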