This is the last of a four-part series on information security threats legal and IT professionals face. In the previous articles, we introduced the issue of information security, and discussed the first two of three common threats: social engineering and the human element and technological exploits. We wrap up this series with the final security threat—the insider.
While the former threats were based on technology or a hybrid technology and human element, the insider threat is most often purely human. Motives for insider information security breaches are many in number and diverse in nature. Even the simplest action of an employee holding a door open for someone coming into the building might be a breach. Information security auditors will almost always test physical breach capability. Beyond that obvious passive example, employees may have motivation to cause harm to the organization. They may be disgruntled, feel unfairly treated, or seek retribution or revenge. They may even be preparing to make a splash at their new employer, which happens to be your biggest competitor. In any event, it’s often very easy for an employee to exfiltrate data from your organization to fulfill their motives.
Typical methods of exfiltration are USB devices, cloud data syncing services like DropBox, self-emailing files to personal addresses, burning optical discs, and even printing. In all of these instances, the employee is using technology to actually perform the theft or leak. However, their employment is what is granting them the access needed to carry out their activities. Unfortunately, many insider leaks and breaches are discovered after the event has occurred. This leaves a likely expensive investigation and potential litigation.
Mitigation of employee leaks and breaches can take many forms. There are technological measures that can be put in place to limit use of USB devices and cloud services. Even personal email account access can be blocked, and optical disc burning can be disabled. Enabling an employee to have access to data how, when, and at any time they want helps productivity.
From this operational perspective, a company should be aware that limiting use of normal computer operations may hamper productivity. So, it is always important to consider replacing those risky operations with ones in which corporate IT has more control over, like enterprise document management and file sharing. Rather than DropBox or allowing USB devices, build out a corporate system that allows file sharing, syncing, and collaboration. The difference between the two is subtle but critical… in the latter instance, your organization controls the system and can setup logging, tracking, and usage pattern history that will help discover, prevent, and respond to breaches or leaks much quicker and with a defined investigatory scope.
As a corporate attorney, you should consider requiring employees sign acceptable use policies and understand the ramifications of data theft or leaks on the health of the company and themselves. While these policies are nice, policy without practice is meaningless. Once again, suggest that employees be trained on the corporate information governance and security policies and be tested to ensure they understand and appreciate that without diligence and proactive measures to the contrary, they can become the weakest link in the information security chain.
As corporate counsel, you are in a position to educate the corporate officers on the need to take information security seriously. From both legal and technical areas, there is no shortage of risk, and mitigation is key to corporate survival in the face of growing threats. Don’t become one of the companies featured on the evening news as having lost millions of patient or customer records. Don’t be the one answering Federal inquiries about the lack of information security controls in your organization. It’s time to embrace the idea that information security is paramount to your organization’s health and ability to compete and grow in the marketplace.