An Inside Job: Employee Espionage and Negligence

By Dan Ingouf

Electronic information theft has been on the rise for some time. Whether the theft targets healthcare facilities, major department stores, banks, or even hardware stores (a recent Home Depot e-payment theft comes to mind), the fact remains that in our digital society, electronic information can be, and far too often is, compromised.

While black hat hackers gain notoriety for infiltrating very large organizations, there is a steady barrage of thefts and other losses of digital data happening in organizations of every type and size. To make matters worse, the organization's own employees can be the cause of those losses. While people cite many reasons for stealing from an organization, opportunity is near the top of the list. The less that people are watching and aware, and the wider the access that is granted, the more theft and damage can happen.

It is important to understand that security threats are not always the result of sinister and malicious actions. Sometimes they amount to nothing more than insider negligence, or to employees whose devices have been compromised by a cyber attack. Recognizing the source of the threat to organizational data is instrumental in diagnosing the correct problem and applying the appropriate solutions.

Also, a careless or rogue employee can sit at any level of the organization; for this reason, regular training and security measures must cover the full spectrum of employees, including any vendors that have access to organizational systems.

Employees as the Source

Negligence can be as simple as an employee losing a laptop or other mobile device in transit on public transportation, without device protections such as full-disk encryption and multifactor authentication. The possibility of severe damage is real: the device, and all the organizational information on it, no matter how sensitive, must now be considered to be in someone else's hands.

Another example of employee negligence is when testing and development databases, whether in the cloud or on an organizational server with low security, are populated with real customer data instead of fictitious data. Proliferation of data outside of protected databases creates vulnerabilities, exacerbating the risk of inappropriate access.
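One way to keep real customer data out of a test database, shown here as an added example that is not part of the original article: copy the production table through a masking step, so that names, e-mail addresses and card numbers are replaced before the rows land in the lower-security environment. Surrogate keys survive so joins still work, duplicate e-mails still collide (the pseudonym is a keyed, deterministic HMAC), and a final check confirms none of the original values leaked through. The sample rows, the HMAC key and the table layout are all constructed for this example.

```python
"""Copy a customer table into a test database with the personal data pseudonymized.

Added example: the source rows are invented and the HMAC key is a placeholder.
"""
import hashlib
import hmac
import sqlite3

# Placeholder key (assumption: in practice loaded from a secrets store, never committed).
PSEUDONYM_KEY = b"rotate-me-test-data-key"

# Constructed sample "production" data; nothing here is real.
PROD_CUSTOMERS = [
    (1, "Alice Example", "alice@example.com", "4111111111111111", "US"),
    (2, "Bob Sample", "bob@example.net", "5500000000000004", "DE"),
    (3, "Carol Test", "alice@example.com", "340000000000009", "US"),  # shared e-mail on purpose
]


def pseudonym(value: str, field: str, length: int = 12) -> str:
    """Keyed, deterministic token: same input -> same token, not reversible without the key."""
    mac = hmac.new(PSEUDONYM_KEY, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return mac[:length]


def mask_row(row):
    """Return the row with every directly identifying field replaced."""
    cust_id, name, email, card, country = row
    return (
        cust_id,                                         # surrogate key kept: joins still work
        f"Customer {pseudonym(name, 'name', 8)}",        # name replaced by an opaque label
        f"{pseudonym(email, 'email')}@test.invalid",     # valid shape, reserved test domain
        "X" * (len(card) - 4) + card[-4:],               # PAN: only last four digits survive
        country,                                         # low-risk attribute kept for realistic queries
    )


def build_test_db(prod_rows, conn=None):
    """Load masked copies of prod_rows into a (by default in-memory) SQLite test database."""
    conn = conn or sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, card TEXT, country TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", (mask_row(r) for r in prod_rows))
    conn.commit()
    return conn


def leaked_values(conn, prod_rows):
    """Check: the set of original names, e-mails and card numbers found in the test table."""
    originals = {v for r in prod_rows for v in (r[1], r[2], r[3])}
    test_values = {v for row in conn.execute("SELECT name, email, card FROM customers") for v in row}
    return originals & test_values


if __name__ == "__main__":
    db = build_test_db(PROD_CUSTOMERS)
    for row in db.execute("SELECT * FROM customers ORDER BY id"):
        print(row)
    print("leaked:", leaked_values(db, PROD_CUSTOMERS))
```

The masking key should live with the production side of the copy job, not in the test environment; a test database holding both the tokens and the key would be no better than one holding the real data.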

Even if the physical mobile device is never lost, it can be compromised via a cyber attack. Such attacks often target employee credentials in order to gain entry to computer systems, where the attacker can trawl for organizational data worth stealing. These intrusions are commonly introduced through hacking or phishing attempts. It is now commonplace for phishers to gather information from social media websites and other sources of personal data. With this data, phishing attempts have become much more directed and personal, and are known as “spear phishing.” The most common attack vector is an email that appears to come from a known individual or business. This type of phishing attempt can and will catch the unaware person.

Of course, no organization wants to believe that they have employees who are ticking time bombs just waiting for the right opportunity. However, it is the organization’s responsibility to build a security program that includes vigilance and ongoing training to lessen the occurrences of malicious activities as well as negligence or acts of ignorance.

Conduct Employee Training

Effective employee training should make it easier for employees to take correct actions, reducing security problems due to ignorance or negligence. Awareness can also have a positive impact on other insider security threats by increasing the number of knowledgeable, observant people in the workplace. Security training programs offer guidance on how employees can avoid problems while still getting what they need from their devices. They should also cover the behaviors to watch for and the types of attacks to which employees are susceptible.

Training provided on a regular basis is important because it keeps security in employees' everyday thinking, heightening their awareness of what to look for so that attacks such as spear phishing are more likely to be defeated.

Relating the training directly to employees' work increases its effectiveness. While it is true that not all employees respond adequately to training, most do embrace learning that improves their work experience. As a strategy for gaining mind share, some organizations add personal security updates and exercises to regularly scheduled training, which increases the value of the overall training to the individual participants.

Despite the training, it is unlikely that most insider threats will be discovered ahead of time. Therefore, it is important to include response actions in the training to limit the amount of damage and to make post-incident repair easier.

As risk management teaches, there is no way for an organization to close every opportunity for an employee to share data with outside entities if the employee is truly driven to do so. Ongoing training encourages employees to be honest and aware, and has proven an effective method for reducing security-related risk, especially when each employee must sign that they received and understood the training.

In addition to training on which actions are secure and which are not, organizations need to build a solid foundation of organizational policies to direct employee behavior and then incorporate those policies into the training. Those policies also guide the development of procedures designed to reduce the organization's vulnerability.

Detailed Security Policies a Must

To reduce internal risks, organizations are investing time and resources in classifying the data and documents across the organization and then aligning access rights to those who need access to perform their duties. A posting by Amanuel Tsighe of File Open Systems identifies a series of weaknesses in the management of access that can be turned into actions and, in the best of cases, into enforceable policies.

Consider the following actions to combat access weaknesses and reduce vulnerability while still empowering employees as needed:

  • Identify the security level of data and documents then institute and enforce a “need to know” policy
  • Create an individual’s access to sensitive data based on the need to know
  • Have a process for revoking access, whether gradually as responsibilities change or immediately on departure, such as a digital rights management (DRM) solution would offer
  • Centralize sensitive data and documents in an “organizational vault,” perhaps down to discrete portions of a document
  • Create and educate on a process to request access to data or documents that requires a validated reason for access
  • Restrict what devices can be used by an individual to access specific data such as limiting what can be accessed via a mobile device
  • Eliminate special privileges such as executive status or “super-user” status so that access is granted based on justification across the board
  • For highly sensitive data and documents institute a two-person rule to thwart lone wolf behavior
  • Conduct a thorough background check before a system administrator is granted overall access
  • Implement a data and document monitoring process, tracking the number of times the data/document was opened, who opened the data/document, the location of access, etc. Exceptions to normal behavior can be used to trigger alerts. This activity is most likely part of the security team’s set of solutions
  • Prioritize detection of infiltrations that may lead to a breach
  • Develop processes to preserve information about employee and ex-employee access rights as a means of researching leaked trade secrets
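The monitoring action above asks for tracking who opened which document, from where and how often, with exceptions to normal behavior raising alerts. The following is an added example, not code from the original article or from File Open Systems, of that logic run over a constructed access log: each user's earlier days form a baseline (locations seen, busiest day), and the day under review is flagged for access from a new location, access outside working hours, a volume spike, or activity from an account no longer in the active-user list (the former-employee case). The log format, field names, thresholds and the active-user list are all assumptions.

```python
"""Flag exceptions in a document access log against each user's own baseline.

Added example: the log format, thresholds and active-user list are assumptions,
and every log line is constructed.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed access log: timestamp, user, document id, action, source location.
ACCESS_LOG = """\
2023-03-01T09:12:00 dana DOC-1001 open HQ
2023-03-01T10:40:00 dana DOC-1002 open HQ
2023-03-02T09:05:00 dana DOC-1003 open HQ
2023-03-02T14:20:00 dana DOC-1001 open HQ
2023-03-03T09:30:00 dana DOC-1002 open HQ
2023-03-01T11:00:00 raj DOC-2001 open HQ
2023-03-02T11:10:00 raj DOC-2002 open HQ
2023-03-03T11:05:00 raj DOC-2001 open HQ
2023-03-04T11:05:00 raj DOC-2001 open HQ
2023-03-04T10:00:00 lee DOC-3001 open HQ
2023-03-04T23:50:00 dana DOC-1001 open HOTEL-WIFI
2023-03-04T23:51:00 dana DOC-1002 open HOTEL-WIFI
2023-03-04T23:52:00 dana DOC-1003 open HOTEL-WIFI
2023-03-04T23:53:00 dana DOC-1004 open HOTEL-WIFI
2023-03-04T23:54:00 dana DOC-1005 open HOTEL-WIFI
2023-03-04T23:55:00 dana DOC-1006 open HOTEL-WIFI
2023-03-04T23:56:00 dana DOC-1007 open HOTEL-WIFI
"""

# Assumption: exported from the HR/identity system; "lee" has left and is no longer listed.
ACTIVE_USERS = {"dana", "raj"}
WORK_HOURS = range(7, 20)   # assumed local working hours, 07:00 to 19:59
VOLUME_FACTOR = 3           # assumed threshold: more than 3x the user's busiest baseline day


def parse(log):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in log.splitlines():
        ts, user, doc, action, location = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "doc": doc, "action": action, "loc": location})
    return events


def baseline(events, before):
    """Per-user normal behaviour from events dated before `before`:
    the set of locations seen and the largest number of distinct documents in one day."""
    locs = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["ts"].date() < before:
            locs[e["user"]].add(e["loc"])
            per_day[e["user"]][e["ts"].date()].add(e["doc"])
    max_docs = {u: max(len(docs) for docs in days.values()) for u, days in per_day.items()}
    return locs, max_docs


def detect(events, day):
    """Return {(user, alert kind): sorted details} for events on `day`."""
    locs, max_docs = baseline(events, day)
    alerts = defaultdict(set)
    docs_today = defaultdict(set)
    for e in (e for e in events if e["ts"].date() == day):
        u = e["user"]
        if u not in ACTIVE_USERS:                      # ex-employee or unknown account still active
            alerts[(u, "inactive-account")].add(e["doc"])
        if u in locs and e["loc"] not in locs[u]:      # location never seen in this user's baseline
            alerts[(u, "new-location")].add(e["loc"])
        if e["ts"].hour not in WORK_HOURS:             # off-hours access
            alerts[(u, "off-hours")].add(e["ts"].strftime("%H:%M"))
        docs_today[u].add(e["doc"])
    for u, docs in docs_today.items():                 # unusually many distinct documents in a day
        if u in max_docs and len(docs) > VOLUME_FACTOR * max_docs[u]:
            alerts[(u, "volume-spike")].add(f"{len(docs)} docs vs baseline max {max_docs[u]}")
    return {key: sorted(details) for key, details in alerts.items()}


def run_example():
    """Run the detector over the constructed log for the constructed review day."""
    return detect(parse(ACCESS_LOG), date(2023, 3, 4))


if __name__ == "__main__":
    for (user, kind), details in sorted(run_example().items()):
        print(f"{user:5} {kind:17} {', '.join(details)}")
```

On the constructed log, raj's day looks exactly like his baseline and produces nothing, lee is flagged purely because the account should no longer exist, and dana's late-night bulk opening from an unfamiliar network trips three independent rules at once, which is the kind of convergence a security team would want escalated rather than buried in a per-event feed.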

These actions highlight the strength of data and document tracking as a means of limiting the actions of rogue employees, negligent employees, and former employees whose access was not terminated promptly. One of the actions recommends eliminating special privileges and enforcing need-to-know access across the organization. As noted in the File Open Systems article cited above, a Data Protection Trends Research study conducted in 2013 found that 24% of respondents reported making privilege exceptions for executives, so unless that policy has since changed, this vulnerability to the most sensitive information likely still exists at a significant number of organizations.

Any of the above actions that gains executive support to become policy strengthens the organization's defenses.

Despite the media attention on cybersecurity and outside threats, organizations have to be equally concerned with internal information security threats. Just like external threats, internal threats can never be completely eliminated, but clearly defined structure, such as policies, and well-educated employees can greatly reduce accidental and negligent data loss. The time and resources invested in access privilege control also reduce the risk of inappropriate access by malicious employees or ex-employees. Controls on access also make it harder for outsiders who steal credentials to gain the proverbial “keys to the kingdom.”

About the Author

Dan Ingouf is the Content Development Specialist for IAITAM.