
Dealing with threat from within


Johannesburg, 24 Mar 2009

Insider attacks are on the rise and, while they don't constitute the majority of security incidents and breaches yet, they can already prove the most costly. Hennie Moolman, Managing Director of network security expert, AfricaSD, examines the threat posed by insider attacks and what companies need to be doing to neutralise it.

Insider attacks, malicious network attacks undertaken by 'trusted' individuals with authorised access and knowledge of an organisation's systems and data, are on the rise. Although accurate information about the size of the issue here is hard to come by, recent reports from the US suggest that over 20% of the data breaches experienced by American financial and governmental institutions in 2008, together with 16% of other business breaches, were the result of insider attacks.

As is typically the case, South Africa is likely to be lagging behind the US, but it is a gap that is continually closing, and this is a trend it would be unwise to ignore, especially since these figures are likely to be a great deal higher in reality, given the number of attacks that are not discovered or disclosed by organisations.

Insider attacks can also prove very costly. A study conducted by Forrester Research suggests that a typical data breach, such as the theft of confidential customer data, can cost a company as much as US$305 (R3 065) per missing record in legal fees, compliance fines, reputation damage and revenue lost as a result of customer churn.

Addressing the threat of insider attack should become even more of a priority for companies this year, with the tough economic conditions likely to increase the number of retrenched or disgruntled employees, each one a potential target for cyber-criminals to compromise.

Types of insider attacks

There are several types of insider attacks. Some are designed to damage an organisation's productivity by crippling its core systems, but the goal of the vast majority of attacks is to steal sensitive company data. This can be the theft of confidential customer data, whether transactional, financial or contact information, or the theft of proprietary intellectual property and 'trade secrets'.

Most system-focused attacks are initiated by skilled IT workers with special access privileges, but data thefts can be perpetrated by almost any employee or trusted business partner. The most common insider threat, nonetheless, is that posed by the irresponsible or lazy employee: the worker who ignores published network security policies, installs unauthorised P2P programs on their computer, copies sensitive data onto USB devices or opens dubious Web sites and e-mails. Cyber-criminals know it too.

Neutralising the threat

While neutralising the threat of insider attack isn't a simple task, organisations need to do more than draft and publish suitable security policies. They need to make sure they are equipped with the proper tools to enforce those policies, and to be capable of monitoring employee and business partner activity when necessary. If policies are not visibly enforced, they are likely to end up being disregarded.

Another important safety measure is to ensure every system connected to the network is completely visible and that each one is properly configured and constantly monitored.

Finally, perhaps the most important step to take is to ensure the centralised management of all endpoints, such as desktops, laptops and mobile devices. Organisations need to make sure they have complete control over how the devices are configured, what software is permitted to run on them (application whitelisting) and what updates can be installed, and that they receive detailed, continuously updated network activity and performance information.


AfricaSD

Operating throughout the sub-Saharan region, AfricaSD provides organisations with a comprehensive network security service that includes security investigations, audits and threat analyses, as well as configurations and deployments.

AfricaSD supplies and supports a comprehensive range of market-leading products, covering every aspect of network security from anti-virus, authentication, content filtering, encryption, biometrics, firewalls and intrusion detection/prevention to unified threat management and wireless and mobile security.

AfricaSD also offers customers and reseller partners 24x7x365 support on all of its network security solutions. The company is one of the country's foremost security training and certification centres, and its technical staff are all fully certified and trained on the entire product range and offer a convenient combination of one-to-one help and a wealth of technological resources.

AfricaSD offers its partners the very best products, training, support, leads and free product certifications. It is committed to keeping partners empowered and up-to-date with the latest relevant information and practices by making available, on an ongoing basis, a network of local and international third-party specialists and leaders.

For further information, visit the company's Web site http://www.africasd.com or contact AfricaSD directly on +27(0)86-111-1737 or +27(0)12-665-2513.
