Detecting & Deterring Insider Threats

By February 19, 2015 Data Security No Comments
What is RTO and RPO and why should I care? Part One

No one wants to be the next company to grace headlines as the protagonist of another data breach, or have to explain to customers what went wrong and why you should be trusted again. Because of the continuous hacking, you continuously tweak your IT infrastructure and look for ways to bolster data security.

But what if the bad guy is authorized to use your IT system?

A survey conducted by the U.S. Secret Service, the CERT Coordination Center and CSO Magazine (discussed here) found that among electronic crime cases where perpetrators were identified, 20% were committed by insiders.

The U.S. Department of Homeland Security defines an insider threat as “a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity or availability of the organization’s information or information systems.” Insider threats can include sabotage, theft, espionage, fraud, and competitive advantage “carried out through abusing access rights, theft of materials, and mishandling physical devices.”

According to a federal guide on “Combating the Insider Threat,” employee behaviors that may indicate malicious threat activity include:

  • Accesses the network remotely while on vacation, sick or at odd times.
  • Works odd hours without authorization.
  • Notable enthusiasm for overtime, weekend or unusual work schedules.
  • Unnecessarily copies material, especially proprietary or classified content.
  • Interest in matters outside of their scope of work.
  • Signs of vulnerability such as drug or alcohol abuse, financial difficulties, illegal activities, poor mental health, and so on.

Recommended deterrence methods include:

  • Requiring identification for all assets (e.g. access cards, passwords, inventory check-out)
  • Centralized logging to detect data exfiltration near insider termination.
  • Announcing the use of policies that monitor events like unusual network traffic spikes, volume of USB/mobile storage use, volume of off-hour printing activities, and inappropriate use of encryption.
  • Periodic audits to detect inappropriately granted access or access that still exists from previous job roles/functions.

You can read the full guide and its recommendations here.

Don’t miss future insights and resources! Subscribe to our newsletter for practical information for protecting your IT assets and optimizing your IT infrastructure.

About Tony Johnson

Innovative helps you balance your business requirements, service levels, staff and infrastructure to make your IT as effective as possible. Tony Johnson is Vice President of Operations at Innovative and has been helping clients optimize their IT spend and operations since 1983.

Leave a Reply

Innovative Integration can help you optimize your IT infrastructure. Request a Consultation