Those of us in the security software business spend a lot of time and effort talking about the threats that current and prospective customers should be aware of, and how our products help to reduce the risks that they pose.
Occasionally, even security companies are on the wrong end of the threats we protect our customers from. This seems to be the case with Symantec, which is currently conducting an internal investigation after its customers’ credit card numbers were sold to BBC reporters posing as criminals. The data appears to have been stolen by an employee in their call center.
The fact is, insider threat is real and no one is immune, not even security software vendors. Our proprietary information, processes and customer data are under siege from both sides of the firewall. We strive to stay one step ahead of the next attempted hack, virus attack or phishing scam launched from outside the perimeter and, unfortunately, we also have to look inward at the people we trust to help develop, sell and support the products our businesses are built on.
The costs from an insider breach are also real. They can be measured in damage to reputation, lost business, time and labor to recover, legal costs and intellectual property, all of which translate to real dollars. A recent survey indicates that security incidents by insiders cost up to ten times more than incidents originating from outside the firewall. The number can be attributed to the fact that malicious insiders with access know where to look to do the most damage.
Industries like retail have dealt with insider threat for decades. Known as shrinkage, product theft or loss is one of the single largest costs to a retail organization. They spend millions of dollars on anti-theft and surveillance systems to prevent the theft of physical merchandise by customers and employees.
In the world of digital information, it’s sometimes hard to imagine that our privileged and trusted users could be accessing, or even stealing, our assets. However, research shows that the opposite is true. A recent Ponemon study showed that nearly 60% of employees leaving a position steal data before they leave.
For most of us, security policies and controls have been developed. We have processes in place to manage change. We have implemented separation of duties and least privilege to prevent any one person from having too much power over the system. Employees have received security training. Shouldn’t that be enough?
In the end, it’s not enough to just put security policies and procedures in place. They must be enforced by monitoring and auditing access to configuration changes, digital assets and user activity, just as retailers have to monitor physical merchandise to guard against shrinkage. The difference is, in the world of IT assets, the insiders often know where the safe is and how to get into it.



