The data security plans of many organizations are largely focused on technical measures to guard against efforts by outsiders to gain unauthorized access to the organization’s networks, computers and data. Studies and news reports continue to show, however, that the greatest risks to most organizations’ sensitive data are really internal and come from insiders – disgruntled current or former employees or contractors.
Among the key findings of a recently released study done jointly by the U.S. Secret Service National Threat Assessment Center and the CERT Coordination Center at Carnegie Mellon University, “Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors”, were the following:
- A negative work-related event triggered most insiders’ actions
- Most of the insiders had acted out in a concerning manner in the workplace
- Remote access was used to carry out the majority of the attacks
- 59 percent of insiders initiating attacks were former employees or contractors
Many employers fail to take even rudimentary steps to try to minimize these risks. Here are some suggestions:
1) Consider making sure that background checks have been done on all employees with access to key data, including nontechnical persons with access to data such as the people who transport backup tapes to offsite storage. Employers are consistently amazed at the information they learn about employees through these checks, such as criminal records, false educational achievement or job history claims, or severe financial problems. Update the checks regularly (but make sure that any background checks are done consistently with applicable laws such as the Fair Credit Reporting Act, and that the potential employee relations issues associated with conducting such background checks are thoroughly thought through in advance).
2) When employees with key technical access are having significant job performance issues or have a negative job-related event (bad evaluation, demotion, transfer, written warning), consider what steps might be taken to monitor that employee’s system access and usage to detect any unusual activity. Also, pay close attention to the employee’s general demeanor and attitude toward the organization for signs of particular anger or resentment.
3) Make sure that when employees or contractors leave, especially involuntarily, their access to key systems is shut off prior to their departure, and if at all possible, prior to their receiving notice of their termination. Also consider whether there are steps that can be taken to shore up any defensive weaknesses in the network that they may be aware of and that could make it easier for them to access the network after their termination.
4) Evaluate how the employee or contractor responds to the termination, and be particularly concerned if the employee makes any kind of threats. Don’t just dismiss them as the employee “blowing off steam.”
5) Many of these issues can be minimized by hiring the right people in the first place, and by dealing promptly both with those employees who clearly will not make it and with performance concerns or issues that do arise. Although the costs and risks (legal and otherwise) of getting rid of bad hires keep going up, most employers still devote too little attention and resources to the hiring process.
Posted by Bob Blackstone