© 1995-2007 Symantec Corporation.
All rights reserved.

Protect Yourself from Insider Threats

In light of this summer’s barrage of viruses, it’s understandable that many small businesses regard the protection of their data from outside attack as a top priority. But while it’s encouraging to see businesses beef up their external security efforts, they may be overlooking a danger lurking closer to home: the insider threat.

According to the CERT Coordination Center of Carnegie Mellon University, an "insider intrusion" is any compromise of a network, system, or database that is committed by someone who has -- or used to have -- legitimate access to the network, system, or data. Insiders can include current and former employees, part-time employees, business partners, consultants, and contractors.

How big is the problem? The “2003 Computer Crime and Security Survey,” compiled by the Computer Security Institute and the FBI, found that 62 percent of respondents reported a security incident involving an insider, up from 57 percent in 2002. IT executives attending this summer’s Gartner IT Security Summit, meanwhile, cited insider threats from employees and trading partners as their top worries.

A variety of threats
Threats coming from inside an organization can be especially costly because the perpetrator has greater access and insight into where sensitive and important data reside.

Inside threats can include misuse and abuse of critical and sensitive data and computing assets. Whether it's a deliberate act of sabotage initiated by a disgruntled employee, or an innocent mistake made by a well-meaning worker who has an inappropriate level of access to a critical system, the impact caused by compromised, stolen, damaged, or deleted data can be considerable.

Internal threats may also include misuse of Internet access by employees, as well as issues that may result from employees sending and reviewing offensive materials via the Internet.

A study released this spring by Novell, Stanford University, and Hong Kong University offers the following examples of insider threats:

  • An employee at an investment bank -- now working for a competitor -- was able to access her voice mail months after she left, giving her access to all internal banking announcements.
  • An intern at a software company was able to create an account by merely calling a secretary, giving the intern the ability to edit and download the company sales-lead database.
  • According to survey respondents, it is common to share passwords among users for even the most critical systems, such as ERP applications.

First things first
Can you truly protect yourself from threats inside the firewall? Not entirely. But you can foster a culture that reduces the reasons for employee threats. And proper controls can be put in place so that, should an incident occur, you can act in a timely fashion.

1. Create an effective security policy. While this might seem like an activity more appropriate to larger organizations, small businesses should seriously consider creating a security policy. Use it to outline your company’s information assets and all access rights to that information. Make sure all users are aware of the policy. Educate them about the risks involved in allowing others to have access to their accounts and passwords. Alert them to the dangers of “social engineering,” whereby intruders seek to gain unauthorized access to information by preying on users’ lack of suspicion. (Email purporting to be from a friend, and accompanied by an executable attachment containing a virus, is perhaps the best-known example of social engineering.) Social engineering exploits the human desire to “do the right thing,” and you need to raise all users’ awareness of these types of attacks.

2. Make sure employees get access only to the data and systems they need access to. This may sound basic, but it's not unusual for employees to have 10 to 20 times more access to resources than they need to do their jobs.

If you think it’s necessary, you can restrict access by implementing specialized access control software. This can be used to limit a user’s activities associated with specific systems or files and keep records of individual users’ actions on the computer.

3. If "trusted relationships" with outside contractors call for them to access your network, make sure the access is designated only for the specific services required. It is common for users to need access to information of different levels of value. When assigning access levels, ensure that one level of protection does not expose a more valued asset.

One tactic that some companies use is to provision contract and temporary workers with network accounts that have automatic "stop dates," after which they cease to function, unless extended.

4. Establish a thorough, documented procedure for handling employee terminations. From a security point of view, the process of letting people go can be chaotic – both for those directly affected and for those left behind. A security policy that spells out what steps should be taken can allay much of the confusion.

For example, a good policy should state clearly how to disable an affected employee’s information systems access. The Novell/Stanford/Hong Kong University study cited above found that nearly half of the companies surveyed take longer than two days -- and many longer than two weeks -- to revoke the network access of terminated employees.

Make sure that controls are in place to revoke access on any employee’s last day – regardless of the reason the person has for leaving the company.

5. Enforce it. Keeping on top of security threats – whether they’re internal or external – can seem like a full-time job. Once a security policy is in place, you need a way to determine if the policy is being followed, and security violations must be evaluated to ensure no events reoccur. An effective, meaningful way to manage security goes beyond break-in statistics, and measures actual security performance against pre-determined, objective criteria.
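
An added example, not part of the original article: one way to check points 3 to 5 against an account inventory, flagging contractor and temporary accounts whose stop date is missing or has passed, and any account still enabled after its holder's last day. The inventory, its field names, and the rule names are constructed for illustration.

```python
from datetime import date

# Constructed sample inventory; field names are assumptions for this example.
ACCOUNTS = [
    {"user": "asmith", "kind": "employee", "enabled": True,
     "stop_date": None, "last_day": None},
    {"user": "bjones", "kind": "employee", "enabled": True,
     "stop_date": None, "last_day": date(2024, 3, 1)},    # left, still active
    {"user": "cwu", "kind": "contractor", "enabled": True,
     "stop_date": date(2024, 2, 29), "last_day": None},   # stop date ignored
    {"user": "dlee", "kind": "temp", "enabled": True,
     "stop_date": None, "last_day": None},                # never given one
    {"user": "epark", "kind": "contractor", "enabled": False,
     "stop_date": date(2024, 1, 31), "last_day": None},   # correctly disabled
    {"user": "fkhan", "kind": "contractor", "enabled": True,
     "stop_date": date(2024, 4, 30), "last_day": None},   # still in term
]

def audit_accounts(accounts, today):
    """Return (user, rule, days_overdue) for each enabled account that
    breaks the access policy, worst delay first."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account cannot be used; nothing to flag
        last_day = acct["last_day"]
        # Point 4: access must be revoked on the holder's last day.
        if last_day is not None and last_day < today:
            findings.append((acct["user"], "access-after-last-day",
                             (today - last_day).days))
        # Point 3: contract and temporary accounts need a stop date that works.
        if acct["kind"] in ("contractor", "temp"):
            stop = acct["stop_date"]
            if stop is None:
                findings.append((acct["user"], "no-stop-date", 0))
            elif stop < today:
                findings.append((acct["user"], "stop-date-passed",
                                 (today - stop).days))
    # Point 5: sorting by delay gives an objective measure to track over time.
    return sorted(findings, key=lambda f: -f[2])

if __name__ == "__main__":
    for user, rule, days in audit_accounts(ACCOUNTS, date(2024, 3, 15)):
        print(f"{user:8} {rule:24} {days} day(s) overdue")
```
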

Conclusion
It’s never easy to broach the subject of insider threats. In an ideal world, we would trust unconditionally every one of our employees. The reality, however, is that we work in an imperfect environment where threats can emanate from within our own walls. While policies and procedures are essential to confronting this problem, vigilance and determination are needed to solve it.
