Vulnerability to Insider Compromise
Increased dependence on IT and networking in organizations brings both enhanced productivity and efficiency, but also rising parameters of vulnerability. The (now old) adage – the weakest part of a system is between the chair and the keyboard is often correct when looking malware intrusion, though can also be applied to a potential insider compromise. This can be defined as when a member of staff (or a third party contractor) over-reaches data permission for a purpose that is contrary to the interests of the company, and is carried out for either gain or malicious intent. There is one other scenario which is that of whistle-blowing – the disclosure of information by an individual to demonstrate unethical behavior in an organization (though whatever the motivation, it still amounts to a data-breach). A recent study by the SANS Institute (a private U.S cybersecurity company) confirmed that insider compromise was now a major concern of security specialists. This was not reflected well in a survey of 770 businesses: 32% had no system or policy in place to guard against this threat; about 50% had trouble gauging the possible damage of such an attack and 44% did not know what they spent on prevention in this area.
It is not human to think of a company’s staff like something from a Karl Marx critique, as merely units of productivity. In this case, however, it is necessary to regard employees in two different ways: both in a sterile way as nodes or components in a network, and as human beings complete with psychological strengths and weakness and behavioral traits. The following methods can combine to lower the threat of an insider compromise:
Physical Access Control
When an employee leaves a company it is important to remove them from access lists, and recover any access tokens they have been using. Ensure that all access is updated with this information. Access out-of-hours to a network should only be permitted if vital, as with holiday or sick-leave.
Sandboxes For Concerns
Providing a Trusted Location or a Sandbox for constructive dialogue can prevent one of the biggest threats to an organization – a disgruntled member of staff. As well as improving ethos and performance, giving employees a sterile space to air grievances without fear of sanctions will empower staff to bring awkward or difficult matters into plain view.
Least Privilege Philosophy
Like the phrase on a need-to-know basis, this process involves providing the bare minimum of access needed for efficient operating. It is just the same as applying Software Policy Restrictions to an operating system or network. The amount of access can always be increased on request, if the situation demands. In contrast, as projects finish, tighten up access no longer required and terminate accounts that are not needed.
Acceptable Use Policy
This is a good way to ensure that all members of an organization have a clear understanding of their operating parameters concerning data and information. Rather than just handing out documents to be quickly signed, there should be time spent to clarify exactly what is expected regarding Acceptable Use. In some corporate settings, this process is described as initiation, education and pledge – the signing being final confirmation. The policy is also an understanding/agreement that the organization retain the right to monitor the use of company-owned equipment.
A retro-active variation of this policy is a Compromise Agreement which comes into play at the end of employment. If a staff member has a grievance or dispute concerning the period of employment, a ‘settlement’ is made in return for the employee’s signed agreement to waive the right to any future legal action against the company or organization and usually contains a confidentiality clause that also prevents the person from discussing the agreement.
These are confidentiality clauses, usually issued by a court for reasons to protect trade secrets or more usually in safety-critical cases surrounding national security. These are similar in theory to compromise agreements though more readily enforceable. This option is the strongest mitigation tool, and the last resort.
The above suggestions are guidelines, and can be built upon. The main thing to remember is that like network security, this aspect of security should be a constant process to maintain and improve upon. Insider compromises can have a very damaging effect on a company. This is not 1984, and paranoia is a strain on the system, though when it comes to hardening an organization’s network, all vectors of attack must be considered.