Traditionally the malicious insider has been an individual lower down the organisation who has either been disaffected by circumstance (for example the admin who changed the passwords on a city’s IT systems and then refused to reveal what they were) or those who see the opportunity to sell interesting information for personal gain, such as mobile phone records of celebrities or bank /credit card details.
Now we know there is a now a new bunch of potential malicious insiders - executives at the top of the tree.
In a breaking story senior executives at a number of blue-chip companies have been charged with selling insider information while in effect masquerading as consultants to a market research firm. The basic problem with insiders is that they obtain the data in an official capacity which makes it very hard to spot them or stop them.
For every story that makes the news there are probably dozens that don’t, and many more organisations with no idea that such things might be occurring. In the latest case one of the executives admitted to selling the data for many years, an insidious and undetected leak of company secrets over a long period.
Data loss prevention technologies can help ensure that sensitive information remains inside the organisation but it is access control that also needs to be tightened up. In the ‘good old days’ (about 2-3 years ago), it wasn’t seen as a problem that most data within an organisation was open to most people, but times have changed. These days the pendulum is swinging back again with a view to minimising the access to only those who really need to know.
This needs to happen with the legacy data as well as newly created data moving forward; the recent WikiLeaks issue shows what happens when too many people have too much access. This is not an easy task because data classification (and re-classification) is required on a grand scale, coupled with more granular access policies and stricter auditing.
With the advent of the cloud and increasing collaboration there is now a need for the data to start ‘protecting’ itself from being accessed by the wrong individuals or systems. Do you know where your data is and who might be selling it?
In 2011, new technologies will emerge, such as fully ‘homomorphic’ encryption and the next generation of enterprise digital rights management (eDRM) which will help prevent the data falling into the wrong hands.
Technology, however, is only part of the solution; there still need to be policies, processes, education and enforcement that can be implemented today.
Guy Bunker, Jericho Forum board member