The growing insider threat to data security

At a dinner for some of Norway's leading chief information officers last year, one story highlighted the challenge of managing an organisation's security.

A CIO told how his chief financial officer asked him if he could use Dropbox, the cloud-based service, to share company files. The CIO said no - but the CFO did it anyway.

Knowing smiles filled the room. It was a familiar tale and the type of incident that worries those responsible for data security. If senior managers break protocol, what hope is there for an organisation with thousands of employees?

So-called insider threat ranks as the leading cyber security concern for corporates. In a survey of more than 1,800 organisations in 60 countries by EY, the professional services firm, companies said "careless or unaware employees" were their number one vulnerability.

A number of shifts underpin the threat. The way people work has changed. Smartphones and cloud-based software allow remote access to sensitive information. Companies often use contractors for core tasks, so outsiders may have access to sensitive parts of systems.

The ubiquity of personal technology also means staff expect corporate devices and software to be as easy to use as those at home. And it is almost impossible to prevent anyone finding a workaround to use their technology of choice.

Scott Weber, a managing director at Stroz Friedberg, a US consultancy that specialises in cyber security, says the focus is no longer just on outsiders. "We are seeing more and more boards and audit committees asking . . . the CIO, the CSO [chief security officer], what are we doing about the inside threat?"

One reason for urgency, says Ryan LaSalle, managing director of cyber security at Accenture, the professional services firm, is the leaks by Edward Snowden, a contractor to the National Security Agency, about its practices.

Among the concerns are sabotage by a disgruntled employee and, according to Mr LaSalle, the chance that a departing staff member could take intellectual property to another company, a particular concern at software businesses.

Despite the risks, the EY report found that 37 per cent of organisations "have no real-time insight on cyber risks necessary to combat these threats".

Nearly two-thirds do not have "well defined identity and access management programmes", meaning most lack an effective system to monitor and control access to information.

What can organisations do? For a start, they need to adopt a multidisciplinary approach. This means setting up a number of data streams to monitor behaviour as a single incident may not reveal anything substantial.

With these in place, Mr LaSalle says, there are four steps to managing insider risk. First, limit exposure with bring-your-own-device (BYOD) policies. "BYOD is great for driving productivity [but] you need to get the right balance and limit access to those who really need it."

Second, senior executives need to ensure that team leaders drive change through an organisation. Next, develop a benchmark of acceptable technology use. This makes it possible to identify what types of behaviour "stick out".

Finally, "game the system" by trying to wrongfoot the bad apples. Some of Mr LaSalle's clients, for example, deploy "decoy documents . . . stuff that looks juicy".

Mr Weber adds that tools are needed to interpret the data. A single event is usually not enough to certify a breach. By analysing several data points over time, patterns are more likely to emerge.

There must also be the understanding that threats evolve constantly and organisations must adapt quickly.

As Ken Allan, global cyber security leader at EY, says: "By putting the building blocks in place and ensuring that the programme is able to adapt to change, companies can start to get ahead of cyber crime, adding capabilities before they are needed and preparing for threats before they arise."

© The Financial Times Limited 2015. All rights reserved.
FT and Financial Times are trademarks of the Financial Times Ltd.
Not to be redistributed, copied or modified in any way.
Euro2day.gr is solely responsible for providing this translation and the Financial Times Limited does not accept any liability for the accuracy or quality of the translation