Thursday, June 14, 2012

Protecting Company Data From Disgruntled Employees

Most information security courses present a long list of threats to our computer networks. These threats attack networks daily, ranging from phishing scams to viruses to malware, and all of them are worth studying, but there is one threat that has the potential to be even more dangerous than the most vicious virus code ever developed.

That devious threat is called an employee, specifically the 'insider'. While employees who don't follow policy are definitely a risk to the company, an insider is a certain danger to a business. An insider is an employee who has crossed over to the dark side, so to speak. They have taken it upon themselves to wreak havoc upon their company, usually for their own personal gain -- whether financial or just to "stick it to the man." One thing is for sure: they're at the top of a security professional's list of headaches. What makes them such a high-level threat is their positioning.

They reside where hackers wish they could be, and have access to areas hackers wish they could reach. They are within the company's facility and behind the firewall. In some circumstances, and depending on the company, they have physical access to areas that in the right (or in this case, the wrong) hands could bring a company to its knees. Consider this: a hacker's main obstacle is figuring out how to circumvent a company's network security. Once they accomplish that task, everything else is downhill from there, so just imagine how critical it could be to have an insider who has already passed that obstacle and has access to the network lurking around the business.

Now that we know what they are and where they reside, it's time to find out why they are insiders. If insiders are employees who have gone bad, what exactly makes an employee an insider? One word -- intent! An employee's intentions are really the determining factor for the type of employee they are. Most employees have a sense of loyalty to their company and show up to work every day to help the company move forward by doing their job. The insider doesn't share that loyalty; their actions actually harm the company.

The theft of Coca-Cola Inc.'s trade secrets shows exactly how serious the threat of an insider attack on a business can be. In 2006 the FBI arrested three people for stealing and attempting to sell Coca-Cola Inc. trade secrets for $1.5 million to PepsiCo Inc. Fortunately PepsiCo worked with Coca-Cola to apprehend the criminals, but could you imagine if PepsiCo had bought the trade secrets? Keep in mind the two soft drink giants have had a fierce rivalry for decades, and possessing those trade secrets could have given PepsiCo a huge advantage over Coca-Cola.

Insiders can range from spies involved in corporate espionage, to hackers working for a company, to employees who are angry at their company. Sometimes it's because of specific policies they don't agree with, or a particular manager, or simply because they feel the company has wronged them in some way. They use that anger as motivation for damaging the company. So the question is: how can companies protect their data from being used maliciously by disgruntled employees?

Microsoft has put together a brief list of basic ways to protect sensitive documents that's worth taking a look at. Aside from those suggestions, companies need to get back to the basics of fundamental security:

  • Policy enforcement - policies are, or should be, in place, but they are only effective if they are being enforced.
  • Limited physical & logical access - many SMBs don't limit access to data or to physical areas like the wiring closet or server room, so anyone can reach servers or data freely. Access should be limited to authorized personnel only.
  • Monitor employees - some companies have a policy that when an employee is fired they are escorted out of the building and their belongings are brought to them by a member of security, which is a good policy; however, companies forget that people talk, and discussions about who is going to get fired are among the many water cooler topics. So many times people know in advance about their termination, which means they have time to wreak havoc. A good practice, then, is to monitor the employee's system, online whereabouts, etc., as soon as word is received that they will be fired.
  • Deactivate or delete immediately - when an employee is fired, a best practice is to deactivate their company accounts immediately. I'm aware of a situation where a person was fired but had access to the company email system and network for weeks. The individual was able to access account information and sabotage the company's main client account via the same account that should have been deactivated.
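
The last two practices above both come down to one question: did a departed employee's account keep working after the termination decision? The following added example (not code from the original post) shows a simple check a security team could run over authentication logs: given HR's termination times, it flags every successful login by that user after the cutoff and reports how many days the access lingered. The log format, usernames and timestamps are constructed for the example.

```python
from datetime import datetime

# Constructed sample data for this example (not from the original post).
# Termination time per user, recorded when the decision is made, not
# when the escort happens.
TERMINATED = {
    "jdoe": datetime(2012, 6, 1, 17, 0),
}

# Constructed auth-log lines: "<ISO timestamp> <service> <user> <result>"
SAMPLE_LOG = """\
2012-06-01T09:12:03 email jdoe success
2012-06-01T16:45:10 vpn jdoe success
2012-06-02T08:03:41 email jdoe success
2012-06-05T22:17:09 vpn jdoe success
2012-06-05T22:19:30 crm jdoe success
2012-06-03T10:00:00 email asmith success
2012-06-06T07:30:00 vpn jdoe failure
"""

def parse_log_line(line):
    """Split one log line into its fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, service, user, result = parts
    return {"ts": datetime.fromisoformat(ts), "service": service,
            "user": user, "result": result}

def find_post_termination_access(log_text, terminated):
    """Return (user, timestamp, service) for every successful login by a
    terminated user that happened after that user's termination time."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["result"] != "success":
            continue
        cutoff = terminated.get(rec["user"])
        if cutoff is not None and rec["ts"] > cutoff:
            hits.append((rec["user"], rec["ts"].isoformat(), rec["service"]))
    return hits

def days_of_lingering_access(hits, terminated):
    """Map each flagged user to the number of whole days between their
    termination time and their latest successful login."""
    latest = {}
    for user, ts, _service in hits:
        when = datetime.fromisoformat(ts)
        if user not in latest or when > latest[user]:
            latest[user] = when
    return {u: (t - terminated[u]).days for u, t in latest.items()}

if __name__ == "__main__":
    hits = find_post_termination_access(SAMPLE_LOG, TERMINATED)
    for hit in hits:
        print("post-termination login:", hit)
    print("days of lingering access:", days_of_lingering_access(hits, TERMINATED))
```

Any non-empty result is an offboarding failure worth investigating, regardless of whether the logins look malicious; the point is that the account should not have worked at all.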

The bottom line is that humans are dynamic creatures capable of achieving goals by unorthodox methods, so with regard to security, a static system of catching rogue employees won't always work. Companies need to stay one step ahead of insiders by using employees as the first line of defense. To do this, companies need to support a culture where employees freely come forward and anonymously report the suspicious activities of other employees. This can give security personnel a heads-up before disaster has a chance to strike.

@ITSecPr0

2 comments:

  1. To prevent company-employee conflict, employee relations should be further nurtured. Like what you said, “Companies need to support a culture where employees freely come forward and anonymously report the suspicious activities of other employees.” The more vocal we are, the more issues could be addressed. On the other hand, innovations on securing data of a company could be considered. There are services on data management that other companies offer. That could be a good point to consider.

    Ruby Badcoe

  2. Thanks for reading and responding. You've raised a good point. The thing that sticks out to me is that while new ways of securing data can be effective, there would still be a potential threat. That threat would be anyone with access to the security controls. Here's an example: http://www.dailytech.com/article.aspx?newsid=12394
