Rogue Employees CDW Sept 2005
Managing the People Threat
Protecting your business from
insiders is smart business
by Keith Chval
Virtually every piece of data worth stealing is stored electronically. As a result, employers must balance access to information with their responsibility to protect those assets from misuse. While it is difficult to protect electronic assets against the actions of determined insiders, a few common-sense proactive measures can reduce the risk that rogue insiders will be able to compromise your data. At the same time, you can position your enterprise to quickly and effectively respond should such an insider manage to access your data.
Keys to the Kingdom
Insiders pose the second greatest threat to cyber security, according to the 2004 E-Crime Watch Study, conducted by CSO magazine, the U.S. Secret Service and the CERT Coordination Center at Carnegie Mellon University. Among cyber security experts who responded, 37 percent said hackers posed the greatest threat, followed closely by 29 percent who saw insiders as posing the greatest threat.
Let's start by defining what we mean by an insider. An insider is an individual who enjoys a trusted status with your enterprise (a former employee, a current employee, a contractor, a customer or even a vendor) and who acts on motives that are inconsistent with the best interests of your enterprise. The potential motives are many. Yet, regardless of motive, the end result is that a rogue insider is committing acts that jeopardize the livelihoods of you and the other stakeholders of your enterprise.
This is especially true of an information-intensive business. It's not difficult to imagine the enormous damage to your enterprise if your customer list disappeared, your competitors received a copy of your marketing plan, all your files disappeared or you had to scramble to rebuild your network. In every case, the impact can be exponentially greater than simple lost productivity, and in most cases the damage would be hard to calculate. Damage to your reputation, lost revenue and lost opportunities don't even begin to describe the mess a rogue insider can make.
Because of their trusted status, insiders literally hold the keys to the company kingdom. For management, the idea that a single person can access and control the entire network from a corner Starbucks anywhere in the world should be a source of great concern.
The first step in protecting yourself from the damage a rogue insider can cause is to identify your key informational assets, and then systematically determine who needs access to that information and for what purposes. With this information in hand, you can begin developing and implementing policies and procedures that provide only the necessary access to that information and the related systems.
Minimize the Human Risk
Many business owners hire new employees and contractors and assume that these individuals have only the best of intentions and are of the highest character. It is important to hedge those positive assumptions with the right technology and the right processes.
Scott Nelson, president of Employee Management Services, an HR outsourcing company located in Burr Ridge, Ill., believes protecting your business from internal threats begins with common sense. "Write your Acceptable Use Policy (AUP) down, make sure everyone knows about it and understands it. An AUP is an agreement between the business and its employees that outlines the terms of Internet and technology resource usage and acceptable rules of behavior. Then enforce it with an even hand," he advises.
In addition, eliminate the expectation of privacy. Let employees know that you are watching and monitoring what they send and view. Content filtering, e-mail archiving and even simple reviews of Internet history can be very useful.
Try to understand which parts of your business are more valuable than others, and work to protect those assets with a combination of process and technology.
Instituting effective employee due diligence procedures can also provide your enterprise with an important layer of security. By protecting your valuable information (assets) and technology with strong hiring policies and processes, you address both internal and external threats. In the same way your firewall protects you from threats in outside traffic, an effective candidate due diligence process, coupled with periodic post-hire updates, can provide protection from threats posed by rogue insiders.
Mark J. Neuberger, a partner in the Miami office of Buchanan Ingersoll PC, goes even further by suggesting that IT professionals and contractors be interviewed and hired differently than other employees. "This means their backgrounds are subject to greater scrutiny when recruiting and selecting," he says.
Extra Level of Vigilance
When recruiting IT staff, a heightened level of background and reference checking should become standard operating procedure. An important consideration in enhancing the due diligence of your recruiting process is determining who will conduct the checks. Avoid the temptation to assign this critical responsibility to your headhunter. A conflict of interest exists when the person compensated for the placement is assigned responsibility for finding reasons not to hire the candidate.
Neuberger advises that once hired, IT employees' activities and performance be subject to a greater degree of vigilance and scrutiny. "There is nothing illegal with this kind of differential treatment so long as the employee understands what is expected and what will happen if their performance does not conform to these higher standards."
IT staff should be monitored and reviewed on a regular basis. Management should maintain a basic understanding of security processes and should consider a regular security audit conducted by an objective third party. This process will show what is on your system, how it is being used and who is using it. Outside objective help may be needed to perform the audit and to ensure that all security issues are addressed. Audits reveal the latest vulnerabilities within your network, provide critical checks and balances, and often provide remediation guidance.
In addition, identify and watch for the development of "situational precursors" that can often foretell future misconduct by an insider. Most people don't set out to lead a life of crime or otherwise act in a way that is dishonorable. Typically, this behavior arises when an individual sees no acceptable way out of an unanticipated situation. Examples include financial difficulties, marital problems or a brush with the law. The trigger may also be an employment-related issue, or simply something as mundane as a close associate who leaves the enterprise and entices the insider to join him or her.
Termination Considerations
Terminations should rarely be an unplanned-for event. A termination usually comes as a surprise to no one, often foretold by one or more of the precursor events or circumstances mentioned above. Similarly, it's most likely not news to anyone that a termination, and the period leading up to it, is one of the most frequent periods of employee misconduct.
To protect your enterprise's digital jewels, you must have in place, and consistently execute, policies and procedures designed to minimize the risk associated with the termination of employment relationships. Naturally, these policies and procedures should be tailored to reflect the varying responsibilities and sensitivities associated with different job functions within your organization.
Perhaps the highest degree of security should be employed when the individual facing termination is part of the IT staff. The termination process should include measures to ensure that, once terminated, an employee no longer has access to enterprise resources.
The terminated employee's passwords and access codes should be revoked at the same moment the employee is informed of the termination. This requires close coordination: if the termination meeting is delayed but access is cut off on schedule, the premature denial itself gives the employee unintended advance notice. A rogue insider tipped off to his imminent demise may take that opportunity to quickly destroy or leak critical enterprise assets before the delayed termination ultimately takes place.
Similarly, make sure that all necessary personnel, including vendors and contractors, have been informed that the employee is now a former employee and is no longer entitled to access organizational resources and information. This can be done in a sensitive way to avoid undue embarrassment to anyone.
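As an added example (not from the article or the people it quotes), the following Python check turns the "who is using it" audit from the previous section and the post-termination verification described above into a repeatable review: it reconciles a constructed HR roster of terminations against constructed account exports from several systems and flags access that should no longer exist. System names and record fields are assumptions, not any real product's API.

```python
# Added example (not from the article): reconcile HR terminations against
# account exports from each system an insider could still reach. All data
# below is constructed; system and field names are assumptions, not a real API.
from datetime import date

# Constructed HR roster: employee id -> termination date (None = still employed)
HR_ROSTER = {
    "e101": None,                # current employee
    "e102": date(2005, 9, 1),    # IT administrator, terminated
    "e103": date(2005, 8, 15),   # contractor, engagement ended
}

# Constructed per-system exports. Each system is checked separately because a
# disabled directory account proves nothing about the VPN or a vendor portal.
ACCOUNT_EXPORTS = {
    "directory": [
        {"employee": "e101", "enabled": True,  "last_login": date(2005, 9, 12)},
        {"employee": "e102", "enabled": False, "last_login": date(2005, 9, 1)},
        {"employee": "e103", "enabled": False, "last_login": date(2005, 8, 14)},
    ],
    "vpn": [
        {"employee": "e102", "enabled": True,  "last_login": date(2005, 9, 3)},
        {"employee": "e103", "enabled": False, "last_login": None},
    ],
    "vendor_portal": [
        {"employee": "e103", "enabled": True,  "last_login": None},
        {"employee": "v900", "enabled": True,  "last_login": date(2005, 9, 10)},
    ],
}


def orphaned_access(roster, exports):
    """Return sorted (employee, system, reason) findings: still_enabled (revoke),
    login_after_termination (used after leaving: review as an incident) or
    not_in_hr_roster (no owner in HR, so nothing will ever trigger revocation)."""
    findings = []
    for system, accounts in exports.items():
        for acct in accounts:
            who = acct["employee"]
            if who not in roster:
                findings.append((who, system, "not_in_hr_roster"))
                continue
            term_date = roster[who]
            if term_date is None:
                continue  # still employed; access is expected
            if acct["enabled"]:
                findings.append((who, system, "still_enabled"))
            last = acct["last_login"]
            if last is not None and last > term_date:
                findings.append((who, system, "login_after_termination"))
    return sorted(findings)
```

Run against real exports, a non-empty result is the list of revocations and vendor notifications the termination process missed, and any login_after_termination finding should be handled as an incident rather than routine cleanup.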
Wrapping It Up
The risks posed by the vulnerabilities inherent in your technologies cannot be ignored by any enterprise. Fortunately, there are realistic, cost-effective steps that enterprises of all sizes can implement to continue leveraging technology while mitigating the risks. Effective policies and procedures for managing the insider risk are one such area ripe for attention.
While much of this discussion has focused on an employer / employee relationship in an IT department, many of the principles discussed have application to other operational areas within the enterprise, as well as to insiders other than employees, as defined earlier. Due diligence, vigilance for precursor situations and management of the relationship termination process should be applied equally to all insiders.
In managing the insider risk to your enterprise's informational assets, by hoping for the best and preparing for the inevitable, you can avoid the worst, and in the process, add value for yourself, your enterprise and its stakeholders.