
    By Pat Larkin on April 14, 2014

    There is no doubt about it, the most common information security incidents we are asked to deal with are ones that have arisen from inside the organisation - and to be honest, internal threats are often more difficult for businesses to come to grips with. There is an unintentional sentiment, especially among management not on the front line of managing risk, that if the breach occurs internally it won't be as damaging to the business as an external attack.

      Unfortunately this is not the case – the extent of the hype, headlines and customer backlash knows no such boundaries and does not noticeably distinguish between the nature of an incident – a breach is a breach.
      From our work there are three common internal information security incidents:

      1. Unapproved content - a frequent but less discussed incident type we encounter is one where staff are accessing content and information at work that is simply off-policy and inappropriate. What can appear on the surface to be a misdemeanour can have ricochet effects across the organisation and needs to be handled carefully.
      2. Accidental error - whether it is caused by people, process or technology slip-ups, accidental error is when critical information ends up in the wrong place or with the wrong people, causing a breach of the business's information security. Simple mistakes that unfortunately can have serious consequences.
      3. Intentional internal fraud - simple and straightforward, the planned action of accessing and taking critical information from the business for malicious use.

      Three very different situations: each of which is reasonably common in our experience.
      What's important is what you can do about it. Here are sensible, pragmatic steps that we recommend you consider to help reduce the risk of these types of incidents happening to your business.
      Access denied - many channels make it hard work!
      The lines between work and home have blurred considerably over the last decade and today we are used to having the flexibility of ducking in and out of work mode to quickly surf the net, have a chat or catch up with a friend - some call it "me entitlement" time!
      All in all, it's not a new phenomenon, but from an information security perspective the multi-device, mobile, internet and social networking era presents a new set of challenges. The fact is that many of the cases we are called in to look into involve employees accessing unauthorised content or information while at work.
      Most companies today are savvy and responsible enough to have policies, procedures and filtering systems in place to help avoid such a situation arising. Commendable as that is, it simply is not enough. Companies underestimate the full ramifications of discovering an unauthorised access situation and in most cases are simply not equipped to deal with it when it occurs. Depending on the type of incident, the ramifications can range from HR disciplinary action to a potential court case and legal proceedings.
      However, our intent is not to scaremonger - it is to realistically help companies be prepared. Here are four steps that we recommend businesses follow:

      • Educate - at the bare minimum make sure you have a thorough acceptable use policy (AUP) in place that is relevant to your business, and that every employee is well aware of what it is and what it contains.
      • Prevent - put teeth into the policy by putting in place a good content filtering solution that will police your policies around the clock. Remember that in today's world you need to cover the myriad of channels that are open to people - from email and chat rooms to file sharing and the hidden web.
      • Police - review regularly what people are accessing to ensure your policy continues to be relevant and your prevention is effective.
      • Prepare - probably the most important but most frequently overlooked step is to have a formal, pragmatic incident response approach in place. If a situation occurs it may quickly become more than an internal HR issue, and companies that can clearly show they engaged robustly by reporting, investigating and preserving the assets uncovered for further investigation can positively influence how their own liability is viewed.

      In truth, unauthorised content access is unfortunately quite common in organisations today. It's hard to discuss and difficult to deal with, but the consequences can be far-reaching, so it must be proactively addressed.
      Accidental error - can you eradicate mistakes?
      In our view accidental error is probably the hardest information security threat for businesses to come to terms with. The fact is that even if nobody means harm, harm still gets done, and customers are no more forgiving just because the mistake was internal.
      To look at it simply, accidental error falls into two main categories, and here's how we recommend you approach risk management for each:

      1. System, process and technology slip-ups

      It's a common scenario - the business is rolling out a new system or process, or making changes and upgrades to what's already in place. The development work is done, user testing is complete and everyone is trained up. Go-live is in two days and someone thinks about security (or not, in some cases!). There simply isn't enough time to properly assess the risk or run a security test on the new systems or altered processes - so by default the business is left unintentionally exposed.

      It’s a frequent occurrence and one that can easily be remedied.

      Our advice – based on hard earned experience –  is that when it comes to any process or system change that touches the critical information assets of the company, security must be first and foremost on the agenda at every step of the way.

      Coming to the party late leaves the business compromised – but forewarned is forearmed and in many cases embedding security assessments along the way alleviates risk, ultimately saving time, money and reputation.

      What’s needed is a simple change to how businesses run projects – big or small – moving information security from being a last minute consideration to becoming a systemic part of project management.  A simple step that will shift the dial on a company’s exposure to accidental risk.

      Forewarned is forearmed so be forward thinking!

      2. People and plain ordinary mistakes

      Most of the time when we are called in to deal with an internal security incident that has been caused by human error, the bottom line is that the people involved simply did not know the importance of the information they were dealing with. Across the world this seems to be a common phenomenon, with only 42% of staff saying they have received training in how to be secure at work.

      The fact is, people don’t know what they don’t know and as a business it’s your responsibility to educate, guide and give them guard rails to work with.

      It all boils down to awareness and ongoing education – if people are dealing with sensitive data, they need to know the potential consequences of simple errors.

      And, in our experience, it's not just about annual training courses (though they do help!); it's more about making security a day-to-day, conscious feature of the work practices of those involved with sensitive data. It must live and breathe in everything that gets done and become an ethos, a culture and a set of behaviours, achieved as much by education and change management as by technology.

      Getting the frontline right is fundamental.

      Pre-planned and premeditated - sometimes it is the bad guy's fault!
      Make no bones about it - sometimes we are called upon to help deal with a straightforward incident of someone in the business deliberately taking information that they simply are not allowed to take.
      It happens often and it happens for many reasons. Sometimes they simply want to bring the information with them when moving company or job, and other times it's a bit more serious and the intent is to sell the information for fraudulent activities.
      Regardless of the why, let's focus on what to do about it. In our view there are two things that are key:

      1. Do not enter - often people steal information because they think they won't get caught. They think they won't get caught because they associate information security practices with something the business focuses on for compliance and audit reasons. Taking information security out of the woodwork and making it a living, breathing entity in the business is like putting up a warning sign for all to see. It won't prevent every incident, but it will prevent some.

      2. Match-make - this is one area where technology can be your friend. People have fairly clearly defined roles and responsibilities, and with these comes an understanding of the systems they need, the information they use, how often they use it and what they do with it. What you need to do is match the person with a profile and use technology to monitor for suspicious activity such as lengthy accesses to critical data files, extended out-of-hours usage, or large extracts of sensitive data - things that are slightly out of kilter with normal behaviour. These insights will alert you to take action in time to prevent an incident occurring. Solutions that customers typically use to help achieve this include Data Loss Prevention (DLP) and Security Information and Event Management (SIEM) solutions.
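      To make the "match the person with a profile" idea concrete, here is an added example (not code from the original post or from Ward Solutions) that builds a per-user baseline from a constructed history of file-access records and flags the three deviations named above: out-of-hours use, unusually long access to a critical file, and an unusually large extract. The log format, the critical-file list, the core working hours and the z-score threshold are all assumptions chosen for illustration; a real deployment would take these records from file-server audit logs, a DLP product or a SIEM.

```python
"""Insider-activity anomaly scoring over a file-access log.

Added illustration only: a per-user baseline is built from a constructed
history, then new access records are scored against that user's own
history rather than against a company-wide rule.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample history: (user, start time, file, seconds, bytes read).
HISTORY = [
    ("alice", "2014-04-01T09:15", "/finance/ledger.xlsx", 300, 1_200_000),
    ("alice", "2014-04-02T10:05", "/finance/ledger.xlsx", 420, 1_300_000),
    ("alice", "2014-04-03T14:30", "/finance/q1.xlsx", 240, 900_000),
    ("alice", "2014-04-04T11:00", "/finance/ledger.xlsx", 360, 1_100_000),
    ("alice", "2014-04-07T09:45", "/finance/q1.xlsx", 300, 1_000_000),
    ("bob", "2014-04-01T08:50", "/hr/contracts.docx", 120, 200_000),
    ("bob", "2014-04-02T16:10", "/hr/contracts.docx", 180, 250_000),
    ("bob", "2014-04-03T13:00", "/hr/payroll.csv", 150, 300_000),
    ("bob", "2014-04-04T09:30", "/hr/contracts.docx", 140, 220_000),
    ("bob", "2014-04-07T15:20", "/hr/payroll.csv", 160, 280_000),
]

# Assumed classification of critical files and assumed core hours (07:00-19:59).
CRITICAL = {"/finance/ledger.xlsx", "/hr/payroll.csv"}
WORK_HOURS = range(7, 20)


def build_profiles(history):
    """Per-user baseline: the files the user normally touches, plus the
    mean and population standard deviation of access length and bytes."""
    per_user = defaultdict(list)
    for user, _ts, path, secs, nbytes in history:
        per_user[user].append((path, secs, nbytes))
    profiles = {}
    for user, rows in per_user.items():
        secs = [r[1] for r in rows]
        sizes = [r[2] for r in rows]
        profiles[user] = {
            "files": {r[0] for r in rows},
            "secs_mean": mean(secs), "secs_sd": pstdev(secs),
            "bytes_mean": mean(sizes), "bytes_sd": pstdev(sizes),
        }
    return profiles


def _z(value, m, sd):
    """z-score against the user's own history; a zero spread means any
    departure from the mean is treated as extreme."""
    if sd:
        return (value - m) / sd
    return 0.0 if value == m else float("inf")


def score_event(profiles, event, z_threshold=3.0):
    """Return the reasons an event is out of kilter with the user's
    baseline; an empty list means nothing looked suspicious."""
    user, ts, path, secs, nbytes = event
    prof = profiles.get(user)
    if prof is None:
        return ["no baseline for user"]
    reasons = []
    if datetime.strptime(ts, "%Y-%m-%dT%H:%M").hour not in WORK_HOURS:
        reasons.append("out-of-hours access")
    if path not in prof["files"]:
        reasons.append("file outside user's normal set")
    if path in CRITICAL and _z(secs, prof["secs_mean"], prof["secs_sd"]) > z_threshold:
        reasons.append("unusually long access to critical file")
    if _z(nbytes, prof["bytes_mean"], prof["bytes_sd"]) > z_threshold:
        reasons.append("unusually large extract")
    return reasons


def triage(profiles, events):
    """Map each flagged event to its reasons; clean events are dropped."""
    flagged = {}
    for event in events:
        reasons = score_event(profiles, event)
        if reasons:
            flagged[event] = reasons
    return flagged


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    # Constructed new records: a late-night bulk pull by alice, a normal
    # access by alice, and bob opening a finance file he never uses.
    new_events = [
        ("alice", "2014-04-08T23:40", "/finance/ledger.xlsx", 5400, 48_000_000),
        ("alice", "2014-04-08T10:20", "/finance/q1.xlsx", 310, 950_000),
        ("bob", "2014-04-08T19:30", "/finance/ledger.xlsx", 200, 260_000),
    ]
    for event, reasons in triage(profiles, new_events).items():
        print(event[0], event[1], event[2], "->", "; ".join(reasons))
```

      Two practical caveats. A baseline built from a handful of records is brittle: a user with little history or a very regular pattern will have a tiny spread, so a modest change trips the threshold and generates noise. And an alert is only useful if it lands in the incident response process described earlier; a flagged extract that nobody reviews for a week offers no protection.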

      So, in short, based on our experience and feedback from others who research the area, internal incidents are the biggest threat to information security locally and globally.
      While each type of incident requires specific actions, there is one overarching piece of advice that will make a difference to all types of incident. Those of you who read our insights frequently will know it is a common mantra of ours - get the subject of information security out of the annual audit and compliance agenda and on to the daily business agenda. Making security systemic in the business will go a long way to keeping the business secure.
      For more information on insider threat or any information security issue call us on (01) 642 0100
      This document is for general guidance only and should not be regarded as a substitute for professional advice.