How Secure Is Your Data?
June 02, 2008
Executive leadership, technology, and mandatory employee training can help to plug internal data leaks.
By Kelly Shermach
Media attention to breaches of corporate databanks has spurred increased security spending to guard against external threats. Lagging behind are internal standards to stem the 50 percent to 70 percent of breaches that are committed by current or former employees. "Some organizations are beginning to focus on insider threats; however, it is early stages for most," says Mark Ramsey, global data analytics leader at IBM's Center for Business Optimization.
Corporations must protect themselves against internal threats by securing individual workstations, as well as enterprise systems, and by qualifying and certifying the trustworthiness of employees and providing training.
Training Without Trust
According to a study of 700 C-level executives and IT managers by the Ponemon Institute—"The Business Impact of Data Breach"—more than 85 percent of organizations have experienced a data breach. Of those, fewer than 43 percent had an incident-response plan. Uncertainty about which policies and controls prevent security failures, and about how to communicate them internally, has many companies ignoring imminent threats from negligent employees, temporary workers, or contractors. Organizations experiencing a security attack incurred costs across the board:
• 74 percent reported loss of customers.
• 59 percent faced potential litigation.
• 33 percent faced potential fines.
• 32 percent experienced a decline in share value.
"Most companies are aware that their internal security processes are weak and need an overhaul," contends Allen Nance, president of the Atlanta-based Mansell Group. "There are technologies that can help monitor a network, monitor computers, and detect potential problems. However, these will never stop an employee who is bent on compromising a system," he says. "Stopping this requires processes, training, and policies."
Processes should begin as early as hiring, with human resources vetting job candidates for what technology insurance underwriter Darwin Professional Underwriters calls "dishonesty exposure." HR needs to be involved again when an employee departs, and may participate in staff training and security certification in the meantime.
Top-Tier Support
But the general edict for internal security needs to originate with executive leadership. "The insider threat has been around since before IT," says Dave Morrow, chief security and privacy officer for EDS, an IT applications and business processes firm based in Plano, TX. "The C-suite and internal auditors have had a lot of time to think about it."
Darwin finds that clients most successful in securing their systems from internal threats have a boardroom-level understanding of network security liability and data privacy issues, and initiate a formal policy that is disseminated to every area of the organization, including contractors and vendors. Senior leaders also enable those in charge of data protection with a budget for security measures and compliance testing.
"We have found the best technology does not necessarily make the best risk," says Adam Sills, lead underwriter at Darwin in Farmington, CT. "Encompassing policy brought in by corporate governance makes the best risk." However, in many organizations, data asset security is buried too far down to get the attention of the corner office.
Crisis management and security-related issues should include all operational function managers, Mansell says, "and the executives should be involved in the actual testing of the plan and readiness exercises."
Tech as Security Foundation
Technology can not only monitor and optionally block sensitive outbound communications; it can also verify that confidential information has not been stored on widely accessible shared drives or Web servers. Granular control of end-user devices can selectively prevent copying and pasting, or block the transfer of highly classified information to flash drives, CD-ROMs, or other computers via e-mail.
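The "verify that confidential information has not been stored on widely accessible shared drives" capability above is, at its core, content inspection: walk the files, look for patterns that denote regulated data, and cross-check with where the file lives. The following is an added example (not code from the article or from any product it mentions) of that check in Python. The share contents, paths, and the rule that `/shares/public/` is readable by everyone are constructed assumptions for the demo; the card-number check uses the Luhn checksum so that random 16-digit strings are not reported as cards.

```python
import re
from typing import Dict, List

# Constructed sample "shared drive" (path -> file text). These files, paths and
# values are invented for this example; they are not from the article or any product.
SAMPLE_SHARE: Dict[str, str] = {
    "/shares/public/onboarding.txt": "Welcome! Your badge is ready at reception.",
    "/shares/public/refund-list.csv": (
        "name,card\n"
        "J. Doe,4111 1111 1111 1111\n"   # passes the Luhn check -> reported
        "A. Roe,4111111111111112\n"      # fails Luhn -> ignored as a false positive
    ),
    "/shares/finance/payroll.txt": "SSN on file: 123-45-6789 for employee 2231",
}

# Assumption for the demo: anything under these prefixes is readable by every employee.
WIDELY_ACCESSIBLE_PREFIXES = ("/shares/public/",)

# Card-number shape: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security Number shape: 3-2-4 digits.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the report itself does not leak the secret."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return {kind: [masked matches]} for the sensitive data found in one file."""
    hits: Dict[str, List[str]] = {}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):     # drop number-like strings that cannot be card numbers
            hits.setdefault("card", []).append(mask(digits))
    for m in SSN_RE.finditer(text):
        hits.setdefault("ssn", []).append(mask(m.group()))
    return hits


def scan_share(share: Dict[str, str]) -> List[dict]:
    """Scan every file; report what was found and whether the path is widely readable."""
    findings = []
    for path, text in share.items():
        for kind, samples in scan_text(text).items():
            findings.append({
                "path": path,
                "kind": kind,
                "count": len(samples),
                "samples": samples,
                "widely_accessible": path.startswith(WIDELY_ACCESSIBLE_PREFIXES),
            })
    return findings


def exposed(findings: List[dict]) -> List[dict]:
    """The subset that should page someone: sensitive data on a widely readable path."""
    return [f for f in findings if f["widely_accessible"]]


if __name__ == "__main__":
    for f in scan_share(SAMPLE_SHARE):
        state = "EXPOSED" if f["widely_accessible"] else "restricted"
        print(f"{state:10} {f['kind']:4} x{f['count']} {f['path']} {f['samples']}")
```

Run as a script it prints one line per file and data type; the payroll SSN is reported but marked restricted, while the card number on the public share is the one that warrants action. In a real deployment the file walk would come from the file system or a share enumeration and the "widely accessible" decision from the actual ACLs rather than a path prefix.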
"Start with access management," Sills recommends. This simplifies employee training. Products can take the place of policies that may seem overprotective or parental, leaving employees feeling distrusted by management.
Access management decisions should consider not only to whom information should be available but where (May employees sign in from home, for example?) and on what (Office-issued laptops? Their own hardware? Mobile devices?). It also should set rules for data storage, transfer, and handling. May employees download corporate e-mail outside of the office? What about client records? To what printers may they send files?
"Identity and access management is important for securing systems for standard hacking prevention, and is one of several sources for insider threat assessment," IBM's Ramsey says.
IBM extends the effect of access management with its Identity Risk and Investigation Solution (IRIS). Behavioral analysis of employees' data use derives from a combination of advanced analytics and visual data-mining that assesses deviations in behavior from an individual's prior activity and against similar users. Reducing risk factors reduces breaches.
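The two comparisons the paragraph describes, deviation from a person's own prior activity and deviation from similar users, can be illustrated with a small baseline model. The following is an added example written for this page, not IBM's IRIS product or any code from it. The per-user daily file-access counts, the peer-group assignments, and the z-score threshold of 3 are constructed assumptions; the point it shows is why both baselines are needed: a backup operator who always moves hundreds of files is far above the average employee yet normal for the role, while an analyst who suddenly does the same stands out on both scales.

```python
from statistics import mean, pstdev
from typing import Dict, List

# Constructed sample: files accessed per day by each user over ten baseline days,
# plus the count observed today. Names and numbers are invented for this example.
BASELINE: Dict[str, List[int]] = {
    "alice": [20, 22, 19, 21, 20, 23, 18, 22, 21, 20],
    "bob":   [25, 24, 26, 23, 25, 27, 24, 25, 26, 24],
    "carol": [18, 20, 19, 21, 20, 19, 18, 20, 21, 19],
    "dave":  [200, 210, 205, 198, 203, 207, 201, 204, 206, 199],
    "erin":  [195, 205, 200, 198, 202, 204, 199, 201, 203, 197],
}
# Assumed peer groups (in practice taken from HR data or job role): "similar users".
PEER_GROUP = {"alice": "analysts", "bob": "analysts", "carol": "analysts",
              "dave": "backup-ops", "erin": "backup-ops"}
TODAY = {"alice": 21, "bob": 240, "carol": 20, "dave": 208, "erin": 200}


def zscore(value: float, history: List[int]) -> float:
    """How many standard deviations `value` sits above the mean of `history`."""
    mu, sd = mean(history), pstdev(history)
    if sd == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sd


def assess(today: Dict[str, int], baseline: Dict[str, List[int]],
           peer_group: Dict[str, str], threshold: float = 3.0) -> Dict[str, dict]:
    """Score each user's activity against their own past and against their peers.

    A user is flagged only when today's count is an outlier on BOTH baselines:
    - self_z: deviation from the user's own history (catches a sudden change)
    - peer_z: deviation from the pooled history of the user's peer group
      (so a role that legitimately touches many files is not flagged every day)
    """
    pooled: Dict[str, List[int]] = {}
    for user, history in baseline.items():
        pooled.setdefault(peer_group[user], []).extend(history)
    report = {}
    for user, count in today.items():
        self_z = zscore(count, baseline[user])
        peer_z = zscore(count, pooled[peer_group[user]])
        report[user] = {
            "self_z": round(self_z, 1),
            "peer_z": round(peer_z, 1),
            "flagged": self_z > threshold and peer_z > threshold,
        }
    return report


if __name__ == "__main__":
    for user, r in assess(TODAY, BASELINE, PEER_GROUP).items():
        state = "FLAG" if r["flagged"] else "ok"
        print(f"{user:6} self_z={r['self_z']:7.1f} peer_z={r['peer_z']:7.1f} {state}")
```

Only the analyst whose count jumps from about 25 to 240 is flagged; the two backup operators stay within both their own history and their group's, even though their daily counts dwarf the analysts'. The one-sided test (only excess activity) is deliberate, since a drop in activity is rarely an exfiltration signal.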
Education & Effectiveness
However, technology alone will not solve all of your problems, Morrow says. That's why EDS has extensive, mandatory employee training every year. Employees, contractors, and vendors must certify completion of the program and sign off that they have read security communications. They receive video vignettes about security pushed by corporate e-mail and take part in an annual Security Awareness Week, complete with prizes for interactive data protection activities and identity theft education. "We teach employees to protect their own data, and they have greater sensitivity to protecting our data," he says.
In less formal settings, employees are presented with scenarios in which data may be at risk. "In making them think about what they're doing, we can prevent things from going bad," Morrow says.
"Security is everybody's job. Everyone has a piece of it and has responsibility for it," he continues. So breaches are handled with disciplinary action. EDS does its best to educate employees about data security to decrease human error or naivete, but circumstances and intent are taken into account when punishing perpetrators. The company also does hundreds of audits a year—externally, internally, and in cooperation with regulators. "It's not how frequently these occur but that we work from a set of standards," Morrow says. "They talk about our weaknesses, and we address them."
"Insider threat flies under the radar so much," he continues. "Because insiders are inside, they are tougher to chase down. If they're doing something wrong, it's much harder to catch them."
As a former security investigator for the U.S. Air Force, Morrow knows of what he speaks. But EDS has its internal threats pretty well pinned down, thanks to attentive executive leadership, intelligently applied technology, and consistently communicated enterprise-wide policy that is reinforced through planned and random audits and employee training.
"High-profile incidents certainly shine a light on the issue and bring much needed attention" to organizations' need for better security policies and training, Mansell's Nance says. "However, most businesses still believe it will not happen to them."