Can you no longer avoid closely monitoring employees?

By Ellen Messmer, Network World | Security, employee monitoring, insider threat

The insider threat has always existed, but in an era of economic upheaval and uncertainty, the problem is only magnified. That point came across in a recent Ponemon Institute survey of 945 individuals who were laid off, fired or quit their jobs during the last year, with 59% admitting to stealing company data and 67% using their former company's confidential information to leverage a new job.

How far should information technology managers go to protect corporate data?

"There's a balance," says Max Reissmueller, senior manager of IT operations and infrastructure at Pioneer Electronics, in Long Beach, Calif. "I wouldn't want managers coming to me to keep an eye on a particular employee, wondering what they are doing every minute."

At the same time, Pioneer is determined to protect its intellectual property, customer service lists and other sensitive data.

"I don't want a disgruntled employee trying to take a bunch of information," Reissmueller says. That's a main reason the firm has installed network-access control gear to monitor traffic to the "crown jewels," to keep an eye on whether employees are trying to overstep their authority.

Using a ConSentry switch and network-access control product, Pioneer will watch for patterns that might reveal wrongful behavior and block it. "But I don't want my security staff to become Big Brother," Reissmueller says.

All it takes is a data leakage case to compel organizations to beef up their monitoring.

The University of Arizona went through a few data-leak imbroglios where it had to make public notification about exposed personal data, says Eric Case, information security officer there.

That induced the university's information and security office to kick off a program to make sure that faculty staff there weren't leaving sensitive data lost and forgotten on computers.

To determine that, the university has deployed data-leak prevention freeware called Spider, which looks into a targeted machine to see if it's holding data that shouldn't be there, so that the data can be either deleted or moved to a more secure server. Although the security staff did explain in depth what it was up to, "we had a couple of people freaked out because we were looking at their files," Case says, speaking about the topic at the recent Infosec World conference in Orlando. "They were upset."

But after calming people down, the data-leak prevention process had to proceed because "we know we have data all over the place," Case says. "Have we reduced our threat surface? Quite a lot."

Rick Haverty, director of IS infrastructure at the University of Rochester Medical Center in New York, says laws and regulations his organization must abide by regarding patient healthcare information leave no choice but to confront instances in which it appears employees may have broken rules. One concern is an employee taking a sneak peek at someone's medical records without cause.

"People have been fired for this," he notes, adding that the start of an investigation usually involves a complaint about someone gossiping about a patient's medical circumstances. An investigation would generally involve examining log records to determine whether inappropriate access to records may have occurred.

Gartner analyst John Pescatore says the key word to think about is how "closely" to monitor employees.

"There is definitely a requirement to monitor critical business data leakage from employees, and a requirement to monitor what comes into their PCs to prevent malware," Pescatore says. "However, in the real world, there is less of a need to monitor every action a user takes, block them from every Web site that is not work-related, or try to keep them from using their work PC for anything but work, or keep them from using their home PC for work."

The trend toward work/home mixing is underway, and "security can't stop this any more than it could stop the Internet, wireless LANs or other previous trends," he points out.
