How CEOs Can Protect Their Organization From the Inside-out

BeyondTrust, June 22nd, 2012

Enterprise security is a topic that makes headlines every day. From successful hack attacks to stories of unsuspecting or malicious employees putting their company’s data at risk, it would seem that no company is immune. In order to truly secure the companies we are responsible for, it’s helpful to put ourselves in the frame of mind of our employees to give us a leg-up on how to protect our organizations from the inside-out.

According to a recent report by the Ponemon Institute titled, The Human Factor in Data Protection, employee negligence or maliciousness is the root cause of many data breaches, with more than 78 percent of respondents blaming employees for at least one data breach within their organizations over the past two years.

Looking at 2011 alone, we saw countless government and financial institutions sabotaged from the inside-out. Let’s start with perhaps the most high-profile case of all – WikiLeaks. The national security risks this posed were immeasurable, not to mention the financial resources it cost the government to respond and react to the information disclosed.

Or what about Computershare? Just days after chairman and founder, Chris Morris, said first-half earnings per share would be down 15 percent, news leaked of an alleged rogue insider at the company. A former employee, (ironically a risk management auditor for the firm) had pilfered thousands of pages of company documents after illegally siphoning them onto a USB drive and then reportedly losing it. And even more recently, solar company SunPower, made news for suing five former employees and Bay Area rival SolarCity, alleging the former employees stole “tens of thousands” of highly sensitive computer files before going to work for the competition.

What these incidents clearly illustrate is that trusted insiders can pose great threats to organizations, but little is being done to mitigate these risks. Insider threats are becoming more prevalent because of the mobility of the workforce, proliferation or mobile data-bearing devices, consumerization of IT and the use of social media in the workplace. “Trusted” employees, partners and vendors operating from inside the perimeters of our organizations can do more damage, faster, than any hacker ever could. It would serve us all well to recognize a few key risky practices employees routinely engage in that have the potential to get us on the front page of the New York Times – but not for the reason we want.

First is password management. Reusing the same password and username for multiple account logins poses a greater risk of compromise, as does the sharing of passwords with others. It’s not uncommon for outside hackers to manipulate employees into sharing password information, sometimes even going so far as to pose as a colleague, and then using that information to launch their attack.

Next are employees that don’t delete information from their computers when it’s no longer necessary to save. This becomes especially dangerous if said employee travels regularly, as lost and stolen laptops are one of the biggest risks organizations face in the fight against accidental insider threats.

And of course we can’t forget the BYOD trend of employees wanting to connect their personally owned devices to corporate networks. Whether it’s a personal cell phone or tablet, or something as simple as a generic USB drive that isn’t safeguarded, these outside devices open gaping holes in any security infrastructure. Just ask Computershare how that played out.

Is there a silver bullet to protect from these human tendencies? Unfortunately, no. However, better managed privileges, along with the judicious use of IT vulnerability management reduces not only the likelihood of attacks, but also just how far the ripple effects of attacks can travel through your organization.

The bottom line is insiders pose threats to what we choose not to defend – or fix. In order to prevent 2012 from becoming another year where insider threats are making headlines on a daily basis we as CEOs need to think like an insider, examining our corporate networks for holes where an attacker or a disgruntled employee could take advantage or a mistake could be made. At the intersection of people, processes and technology that makes up the engine of modern business, it’s human nature that is the weakest link.