Threats from inside an organization – and from third-parties – pose a burgeoning challenge for security professionals.
Bo Zhang, a 32-year-old programmer from Queens, N.Y., worked as a contractor for the Federal Reserve Bank of New York and moonlighted with a sideline IT business. But Zhang’s plans ended when the FBI arrested the Chinese national on charges of stealing source code – used to track payment and collections made by federal agencies – from his bank job. Zhang intended to use it as a training tool for his side venture.
Zhang’s actions are typical of what have of late become a common occurrence – and a challenging security problem in today’s enterprise security architecture: the insider threat.
Eric Chiu, president and founder of HyTrust, a Mountainview, Calif.-based cloud infrastructure control company, says the risk from inside is one of the greatest security challenges for today’s CIO. According to his company’s research, 43 percent of security breaches are due to trusted insiders.
Chiu says the risk posed by insiders – or what he deems “privileged users,” which intimates that an insider is not necessarily a direct employee – are real and on the rise. “The drivers are diverse and can range from malicious intent, potential profit, accidental and socially engineered,” he says. “However, the consequences are huge, whether you are talking about theft of confidential information, financial data, such as credit cards, or someone taking down the data center of a large enterprise.”
Alan Brill, senior managing director of Kroll Advisory Solutions, based in Secaucus N.J., agrees that the definition of just who might be considered an insider has evolved. “Historically, it was easy,” he says. “Insiders were your employees, and everyone else was an outsider. But today, exactly who is an insider?”
Is it the employee on premises, he asks, or a contractor employed by an outsourced call center that’s 7,000 miles away who accesses the company’s sensitive information stored on a cloud server operated by another third-party contractor? Is it the driver of the delivery service that picks up the company’s backup media and takes it to a storage facility? Is it the programmer at a vendor who provides the analytical package the company use through a SaaS interface? “They all have some level of authorized non-public access to your data,” Brill says. “And for these people, what degree of control do you exercise? Do you know the background checks or activity monitoring that the companies you entrust with your data actually do as part of their security protocols?”
For many global enterprises, identifying and understanding the inside threat involves mapping what Brill calls the “insider ecosystem.” Until a firm recognizes that scenario, he says it does not have a good basis for assessing its risk or determining the right course of action to control the threat.
Few industries are exempt from insider threats, but some do present more risk than others. Those markets where the underlying information is an integral and key asset of the company are at greater vulnerability, says C. Kelly Bissell, principal and U.S. information and technology risk management leader at Deloitte & Touche in Atlanta. “It always depends on specific exposures and situations of the insider,” says Bissell. “Theft is rampant across all industries, but certain ones have more valuable data to steal.” Most of the valuable data sits in banking, pharmaceutical, government and high-tech manufacturing, he says.