Data loss - The Insider Threat

Data loss happens, and most of it is deliberate though not malicious, Clearswift’s head of marketing strategy Kevin Bailey told a round-table session at Technology in Government 2014.

While some delegates said their organisations were using mobile device management (MDM), they noted that executive users prefer to use native apps, and one said the “executive fleet” - which tends to contain more sensitive information - was not secured because the executives do not want the restrictions imposed by MDM.

Other measures taken or being considered by delegates’ organisations to avoid data leakage include codes of conduct, requirements that all information has to be classified before sending and then treated in accordance with that classification, automatic classification based on content, and email filters designed to detect particular types of data (an easily understood example is a tax file number).

USB storage devices provide an easy way of removing bulk data. Mr Bailey mentioned an incident in Japan where an employee copied a huge number of records onto their mobile phone and then sold the data - and he then pointed out that one of his cufflinks was a USB drive and the other was a Wi-Fi dongle. “I can walk in with anything,” he said, noting that people may have malicious intent or they might only want to take ‘their’ information with them when they leave the organisation.

Delegates said there doesn’t seem to be a whole of government policy regarding this aspect of security, although some organisations do take a risk-based approach. In some cases, biometric USB drives are mandated when the data is PROTECTED, but this addresses the issue of use of lost or stolen devices, not the deliberate removal of information.

According to Mr Bailey, three-quarters of data breaches are internal, and are primarily down to “innocent insiders.” Part of the problem, according to one delegate, is that systems within that organisation are so inconvenient that people tend to work around them, providing opportunities for malicious or incremental leakage. “There’s a level of innocence,” the delegate said, observing that people don’t know that they should not be following these unauthorised practices. Another delegate agreed, citing an example where an executive was forwarding all emails to a Hotmail account.

“Is it just that someone wants to be particularly productive?” for example by working at home in the evening, wondered Mr Bailey. “Everyone’s got deadlines,” he said. Problems will occur where an organisation does not have the budget or headcount required for its mission, or in situations where somebody has to do 10 hours work in eight hours.

And where the activity is malicious, insiders - especially systems administrators - can hide their tracks to such an extent that nobody will notice unless it is a major breach, said a delegate.

On the subject of IT staff, delegates noted the importance of only allowing developers to deal with test data (not live data), and to deny developers access to systems once they have been handed over to operations. One pointed out the need to keep telling operations staff that “you can’t trust developers” - the problem is that colleagues tend to trust each other as that lubricates the ongoing working relationship. So a delegate recommended regular briefings to remind staff of the procedures and that they are there to protect employees: if the other person cannot satisfactorily explain why they are doing something, they should not be allowed to proceed. The individual might just be trying to be productive, but the risk is that the organisation is put into “a questionable state.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Have you registered yet to hear from Richard Thieme, Fran Trentley, CERT Australia, NBN Co, telstra, Women in IT security, Craig Davies and many more... No then Register your seat today not many left

Earn CPE credits and recieve the book "Mind Games"signed by the author as well on the day.