11th December 2014

The enemy within: rise of the insider threat


High-profile breaches by cybercriminals and hackers, such as those at JP Morgan Chase, eBay, Target and Home Depot, serve as a timely reminder of the external threats organisations face to their business-critical data.

Unfortunately, while many organisations focus their attention on protecting their ‘borders’, the greatest threats come from within.

In its annual survey, ‘The Global State of Information Security Survey 2015’, PwC surveyed more than 9,700 security, IT and business executives. It found that the total number of security incidents detected by respondents increased by 48% in 2014 compared with 2013, to 42.8 million globally.

That equates to just over 117,000 incidents per day, every day.

And it is current and former employees that respondents cite as the main culprits of security breaches. Taking financial services in isolation, current employees accounted for 44% of adverse incidents that threatened some aspect of computer security, compared with 33% in 2013.

Former employees accounted for a further 28% of culprits, an increase of 3% on the previous year.

Compare that with hackers, whose proportion of incidents fell from 36% to 26%.

Not only are insiders more likely to perpetrate an incident, but the costs of insider incidents are also typically higher than those of incidents committed by outsiders.

This is perhaps not surprising, as insiders have an advantage over hackers: they know where the most valuable data is kept and how to exploit holes in the technology or processes meant to protect it.

In March this year, a disgruntled employee of the Yorkshire-based supermarket Morrisons stole the payroll details of 100,000 members of staff, including their names, addresses and bank account details. Late last year, telecommunications giant Vodafone confirmed that the personal details of two million customers had been stolen from its servers in Germany by someone with inside knowledge of its most secure internal systems.

Insider threats are, of course, not always malicious. Along with insiders who have been manipulated by external parties into handing over data or passwords they should not, we must also be aware of those insiders who are simply careless. They may innocently enter the wrong figure in a transaction, delete or modify important files, or choose an all-too-easy password for their systems.

Insiders, particularly privileged users such as system, database and network administrators, already have access to the network and systems. With that privilege comes the ability to compromise sensitive data with relative ease.

“When you’re in positions of privileged access, like a systems administrator for these sort of intelligence community agencies, you’re exposed to a lot more information on a broader scale than the average employee.”

– Edward Snowden

What is perhaps of most concern is that insider security incidents tend to be more difficult to detect, because the activity takes place inside the organisation using access the insider already holds.

This can have a major impact on an organisation, not least when we consider the significant fines organisations face when an incident occurs, or when they fail to meet the compliance and audit requirements that apply to the industries or countries in which they operate.

PCI-DSS, Sarbanes-Oxley (SOX) and HIPAA are just three that can mean severe financial and legislative penalties for non-compliance. Next year, organisations operating in the European Union will also have to comply with the General Data Protection Regulation. This will, amongst other things, require organisations to ‘notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours)’.

The regulation will also strengthen the powers of the independent national data protection authorities operating in each member country so they can fine organisations that violate EU data protection rules. They will be able to enforce penalties of up to €1 million or up to 2% of the global annual turnover of an organisation.

Throughout the UK and Europe, existing and new regulations have highlighted the need for organisations to have adequate access controls in place to protect business and customer data, so that only those authorised to see it can do so – and to alert you when unauthorised users attempt to access or change restricted information.

It is also important to have tools in place that track changes to key fields such as credit card numbers, sales discounts and medical records, and that issue alerts when limits set by PCI-DSS, SOX, HIPAA or other regulatory and business requirements have been exceeded.

When the auditors do come calling, they will no doubt ask your organisation to provide details of who has access to your systems, what authorities they have, and what they have been doing on those systems.
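As an added illustration of the controls described above (this is example code, not from the article or from Raz-Lee iSecurity), the Python below runs a constructed audit trail against a constructed entitlement table and flags the situations the article warns about: activity by a former employee, actions outside a user's authorities, changes to sensitive fields, and a sales discount raised past a business limit. It also produces the "who has access, and with what authorities" answer the auditors ask for. All user names, field names, log lines and the 20% discount limit are assumptions made for this example.

```python
# Added example (not from the article or Raz-Lee iSecurity): a minimal
# audit-trail check for the insider scenarios the article describes. All
# users, fields, log lines and the 20% discount limit are constructed.
from collections import defaultdict

# Who may do what: user -> set of (object, action) entitlements (constructed).
ENTITLEMENTS = {
    "dba01":   {("CUSTOMERS", "READ"), ("CUSTOMERS", "UPDATE")},
    "sales7":  {("ORDERS", "READ"), ("ORDERS", "UPDATE")},
    "clerk3":  {("ORDERS", "READ")},
    "leaver9": set(),          # former employee: account should be disabled
}
FORMER_EMPLOYEES = {"leaver9"}
SENSITIVE_FIELDS = {"CARD_NUMBER", "BANK_ACCOUNT", "MEDICAL_NOTES"}
MAX_DISCOUNT_PCT = 20.0        # business rule: larger discounts need sign-off

# Constructed audit lines: time|user|action|object|field|old|new
AUDIT_LOG = """\
2014-12-10T09:02|dba01|READ|CUSTOMERS|CARD_NUMBER||
2014-12-10T09:15|dba01|UPDATE|CUSTOMERS|CARD_NUMBER|4111********1111|5555********4444
2014-12-10T10:40|sales7|UPDATE|ORDERS|DISCOUNT_PCT|5|35
2014-12-10T11:05|clerk3|UPDATE|ORDERS|DISCOUNT_PCT|0|10
2014-12-10T23:50|leaver9|READ|CUSTOMERS|BANK_ACCOUNT||
"""

def audit(log: str):
    """Return (alerts, activity-per-user) for the given audit trail text."""
    alerts, activity = [], defaultdict(list)
    for line in log.splitlines():
        ts, user, action, obj, field, old, new = line.split("|")
        activity[user].append(f"{ts} {action} {obj}.{field}")   # "what have they been doing"
        if user in FORMER_EMPLOYEES:
            alerts.append(f"FORMER_EMPLOYEE {user} {action} {obj} at {ts}")
        if (obj, action) not in ENTITLEMENTS.get(user, set()):
            alerts.append(f"UNAUTHORISED {user} {action} {obj} at {ts}")
        if action == "UPDATE" and field in SENSITIVE_FIELDS:
            alerts.append(f"SENSITIVE_CHANGE {user} {obj}.{field} {old}->{new} at {ts}")
        if field == "DISCOUNT_PCT" and float(new) > MAX_DISCOUNT_PCT:
            alerts.append(f"LIMIT_EXCEEDED {user} discount {new}% > {MAX_DISCOUNT_PCT}% at {ts}")
    return alerts, dict(activity)

def access_report():
    """Who has access, and with what authorities (the auditors' first two questions)."""
    return {u: sorted(f"{a} {o}" for o, a in ents) for u, ents in ENTITLEMENTS.items()}

if __name__ == "__main__":
    found, _ = audit(AUDIT_LOG)
    for alert in found:
        print(alert)
```

On the constructed log this raises five alerts: the administrator's card-number change, the 35% discount, the clerk updating orders without that authority, and the former employee's read (which is flagged both as a leaver and as unauthorised).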

Most companies by now have implemented measures to deal with external threats via the network and physical access to data, but many have not yet addressed the ‘enemy within’.

For the IBM i, Raz-Lee iSecurity provides a comprehensive suite of products for security, compliance and auditing. It builds on the IBM i’s inbuilt features to provide the most secure server available, together with instant notification of abnormal situations and attempted unauthorised access and, should the worst happen, the ability to quickly drill down and identify the source of data corruption or extraction.

Posted by Paul on 11th December 2014.