Observe employees’ actions to eliminate insider threats

Recent political news has highlighted how unauthorized leaks of sensitive information can cause economic harm to a company, embarrass an individual to the point of requiring a resignation, and threaten national security.

Unauthorized leaks of information are usually enabled by individuals who had access to sensitive information and purposely used that information beyond their authorization or distributed it to unauthorized parties. These individuals are generally categorized as “insider threats.” For example, a staff accountant has access to payroll information. If that accountant is disgruntled or motivated by other reasons, you might see activity indicating he intends to post salary information on the internet or to leverage the information for gain.

Employees are not the only potential insider threats. Business partners and contractors who have access to your computer network and sensitive data are potential insider threats. Newly acquired employees from a merger and acquisition also can be potential insider threats, particularly if they are not happy about the merger and are exploring opportunities with competitors.

In the Digital Age, insider threats are particularly potent because of the amount of information we aggregate and centralize in our information systems. An insider threat can steal or destroy terabytes of data in minutes, crippling organizations.

According to a Carnegie Mellon University report, there are three primary classes of malicious activity conducted by insider threats: fraud, sabotage of information technology and intellectual property theft. Because the motivations for committing these malicious acts are varied and difficult to ascertain, businesses should establish controls to detect when information on its network is being accessed or copied without authorization, and to monitor for behavioral indicators of insider threat activity.

The U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center recommends deploying traditional cybersecurity tools including encryption, intrusion prevention, logging, alerts on large data transfers of sensitive information, and access control systems to detect and deter insider threats. However, what distinguishes insider threat detection is the need to correlate the alerts with the observed personal behavior of employees, particularly if an individual is exhibiting signs of financial or emotional vulnerability. Suspicious indicators include:

>> Working odd hours without authorization.

>> Remotely accessing the network during off hours, vacations or sick days.

>> Interest in matters not within the scope of their work.

These indicators also could be signs of an enthusiastic or dedicated employee, so it’s important for security analysts and business managers to have open communication channels. Managers must clearly outline the parameters of rules in terms of access to resources, work hours and expected behavior. Security analysts need to spend the time to understand those rules to be able to translate them into security rules they can implement in the cybersecurity tools.

Business managers and security analysts also should regularly meet to ensure alignment on when and how to report possible insider threat activity. One method to engage disgruntled employees before they conduct malicious activity is to provide them with an outlet to anonymously communicate their grievances. There are web applications that enable employees to submit their concerns anonymously. If your company invests in this type of system, it’s only effective if you address the concerns as appropriate. However, that investment is likely a fraction of the cost to deal with a loss caused by an insider threat.

There is no magical tool set that can automatically defeat insider threats. Regular communication, alignment and coordination among business managers, employees, information technology administrators and cybersecurity personnel are the best ways to address insider threat prevention and detection.

Michael Miranda, director of information security at Hawaiian Telcom, holds current Global Information Assurance Certification (GIAC) and is a Systems and Network Auditor (GSNA), a Certified Intrusion Analyst (GCIA) and Certified Forensic Analyst (GCFA). Reach him at michael.miranda@hawaiiantel.com.

Visit this article in the Star-Advertiser