[BreachExchange] A Facebook Engineer Stalked Female Users. A Dentist's Receptionist Stole Patients' Identities. Here's How to Prevent These Things From Happening at Your Company.

Destry Winant destry at riskbasedsecurity.com
Wed May 30 22:15:07 EDT 2018


A major risk to businesses is one that they often overlook -- rogue
employees, also known as the "insider threat."

While many companies today are devoting more resources to preventing
hackers from stealing sensitive information, rogue employees can pose
a far more serious risk because they have inside access to company
secrets, clients and technologies, and they are often not sufficiently
monitored. According to the Ponemon Institute, the cost of an
insider-related incident is actually higher than a data breach caused
by an outside hacker - $4.3 million per incident versus $3.62 million,
respectively, and these costs could exceed $8 million over a 12-month

Insider threats are also on the rise. A 2018 report by the Ponemon
Institute found that malicious insider incidents have grown by 56
percent since 2016.

A quick scan of the news on any given week will show how prevalent
these cases are. For instance, in a recent case at Facebook, a
security engineer was accused of abusing his privileged access to
stalk women online. In January, a Chinese company was found guilty of
recruiting an AMSC employee to steal intellectual property worth $800
million from AMSC. In April, a former Manhattan dental office
receptionist was convicted of stealing the identities of over 650
patients. And the list goes on and on.

Yet, in spite of the risks, many companies remain unprepared. Nearly
one-third of companies admit they have no ability to prevent or deter
an insider attack, and only 9 percent consider their insider
prevention measures to be effective, according to a 2015 study by the
SANS Institute.

Preventing this type of abuse isn't easy, but it can be done.

Here are four ways to manage the risk posed by trusted insiders.

Access controls

The key to reducing a company's exposure to insider threats is strong
"access control" that limits how much data any single employee can
freely reach in the first place.

No single employee should have unfettered access to all of the
company's secrets -- rather, sensitive data should be siloed, and
employee access should be decided on a case by case basis, determined
by the employee's need to access such data in order to fulfill her
duties. For example, a sales manager does not need access to the
company's intellectual property, and an IT administrator does not need
access to the company's client roster. The separate roles within a
company should also be separated by the level of data access they
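
The need-to-know model above can be expressed as a deny-by-default role policy, and the same policy can be audited for people whose accumulated roles quietly defeat the siloing. The following Python is an added example, not code from the article or from any product it mentions; the roles, data classes, users, the "toxic combination" pair and the review threshold are all constructed for illustration.

```python
"""Need-to-know access control with an entitlement review.

Added example (not from the original article). Roles, data classes,
users and thresholds below are constructed for illustration.
"""
from collections import defaultdict

# Data classes the company wants siloed (constructed).
DATA_CLASSES = {"intellectual_property", "client_roster", "payroll", "infra_config"}

# Role -> data classes that role needs to do its job (constructed policy).
# Anything not listed is denied: this is least privilege, not a blocklist.
ROLE_GRANTS = {
    "sales_manager": {"client_roster"},
    "it_admin": {"infra_config"},
    "r_and_d_engineer": {"intellectual_property"},
    "hr": {"payroll"},
}

# Pairs of classes that should never be held by one person (constructed).
TOXIC_COMBINATIONS = {
    frozenset({"intellectual_property", "client_roster"}),
}

# User -> roles (constructed). "dana" has accumulated roles over time.
USER_ROLES = {
    "alice": {"sales_manager"},
    "bob": {"it_admin"},
    "carol": {"r_and_d_engineer"},
    "dana": {"sales_manager", "r_and_d_engineer", "hr"},
}

AUDIT_LOG = []  # (user, data_class, decision) tuples, for later review


def effective_access(user):
    """Union of the data classes granted by all of the user's roles."""
    classes = set()
    for role in USER_ROLES.get(user, ()):
        classes |= ROLE_GRANTS.get(role, set())
    return classes


def authorize(user, data_class):
    """Deny by default; every decision is recorded in AUDIT_LOG."""
    if data_class not in DATA_CLASSES:
        raise ValueError(f"unknown data class {data_class!r}")
    allowed = data_class in effective_access(user)
    AUDIT_LOG.append((user, data_class, "ALLOW" if allowed else "DENY"))
    return allowed


def entitlement_review(max_classes=2):
    """Flag users whose aggregated roles defeat the siloing.

    Returns {user: [reasons]} for every user holding a toxic combination
    or more than max_classes distinct data classes.
    """
    findings = defaultdict(list)
    for user in USER_ROLES:
        classes = effective_access(user)
        for combo in TOXIC_COMBINATIONS:
            if combo <= classes:
                findings[user].append("toxic combination: " + ", ".join(sorted(combo)))
        if len(classes) > max_classes:
            findings[user].append(f"holds {len(classes)} data classes (limit {max_classes})")
    return dict(findings)


if __name__ == "__main__":
    print(authorize("alice", "client_roster"))          # sales manager, allowed
    print(authorize("bob", "client_roster"))            # IT admin, denied
    print(authorize("alice", "intellectual_property"))  # sales manager, denied
    for user, reasons in entitlement_review().items():
        print(user, reasons)
```

Running it shows the sales manager reading the client roster and the IT administrator being refused, and the review flags the one user whose combined roles grant both intellectual property and the client roster. In practice the role table lives in the identity provider or a policy engine, and the review runs on a schedule against exported group memberships rather than a hard-coded dictionary.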

Technical controls

In addition to establishing policy controls on data access, a company
should also have in place strong technical controls that prevent
over-access or abuse by insiders.

These controls should include: encrypting highly sensitive data, with
the keys held so that only specific people can decrypt it; blocking or
restricting tools and services commonly used to move data off the
network, such as Tor and file transfer protocol (FTP) services, on
employee devices and at the network boundary; restricting remote
logins to the company's network, for example by requiring a VPN with
multi-factor authentication; and, the moment an employee is
terminated, disabling the account, revoking active sessions and API
tokens, and rotating any shared credentials that person knew.
Requiring regular password resets for all employee accounts was long
recommended as a way to limit learned or shared passwords, but NIST SP
800-63B (2017) advises against mandatory periodic rotation, which
mainly produces predictable variations of the old password; screening
new passwords against breached-password lists, requiring multi-factor
authentication, and resetting credentials on any evidence of
compromise do more to limit the damage a learned or shared password
can do.

Mobile device management

This is another crucial step, particularly in today's highly mobile
and bring-your-own-device business world. A mobile device management
(MDM) service lets a company enforce policy on both company-owned and
personally owned devices, containerize company data, and remotely wipe
that data if a device is lost or an employee leaves. On personally
owned devices, monitoring the employee's own content raises privacy
and legal problems, so the usual practice is to manage only a work
profile or container and to limit monitoring and wiping to the company
data inside it.

Employee monitoring
There are many different tools available for keeping an eye on
employees, ranging from all-inclusive Big Brother-style technologies
that monitor all employee activity on devices (such as email, social
media, web browsing, etc.) to more focused tools like exfiltration
monitoring, which only looks for files being transmitted from the
company network to a remote IP address.

However, it's important for companies to not be too heavy-handed with
employee monitoring, or it could backfire. If employees feel they
aren't trusted or valued by the company, they could act out -- the
exact thing the company is trying to avoid in the first place.

It is best to take a more moderate approach with monitoring, by
focusing on what really matters. Exfiltration monitoring, file access
monitoring (who is accessing important files, and when and where) and
email monitoring are three good steps to take.
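
Exfiltration monitoring and file access monitoring are most useful together: a read of a sensitive file is ordinary, a large transfer to an outside address is ordinary, but the two from the same user within a short window are worth a look. The following Python is an added example, not code from the article or from any monitoring product; the log line format, the internal address ranges, the sensitive share paths, the 30-minute window, the 50 MiB threshold and the sample log lines are all constructed for illustration.

```python
"""Correlating file-access and outbound-transfer logs to spot exfiltration.

Added example (not from the original article). Log formats, hosts, IP
ranges, paths and thresholds are all constructed for illustration.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed assumptions about the environment.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
SENSITIVE_PREFIXES = ("/shares/legal/", "/shares/rnd/", "/shares/clients/")
WINDOW = timedelta(minutes=30)        # read-to-upload correlation window
BYTES_THRESHOLD = 50 * 1024 * 1024    # 50 MiB sent to an external address
BUSINESS_HOURS = range(7, 20)         # 07:00-19:59 local time

# Constructed sample lines in two shapes:
#   "<ts> FILE <user> <action> <path>"
#   "<ts> NET <user> <src_ip> <dst_ip> <bytes_out>"
SAMPLE_LOG = """\
2018-05-29T09:12:04 FILE bob READ /shares/it/runbook.txt
2018-05-29T09:15:30 NET bob 10.1.2.3 10.1.2.50 12000
2018-05-29T22:41:10 FILE carol READ /shares/clients/roster_2018.xlsx
2018-05-29T22:47:55 NET carol 10.1.4.7 203.0.113.10 83886080
2018-05-29T14:03:00 FILE alice READ /shares/clients/roster_2018.xlsx
2018-05-29T14:05:12 NET alice 10.1.3.9 10.1.3.200 400000
2018-05-29T16:20:00 FILE dave READ /shares/rnd/design_v3.pdf
2018-05-29T18:10:00 NET dave 10.1.5.5 198.51.100.7 73400320
"""


def is_external(ip):
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse(log_text):
    """Split the text into file events and network events; skip malformed lines."""
    file_events, net_events = [], []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts = datetime.fromisoformat(parts[0])
        kind, user = parts[1], parts[2]
        if kind == "FILE":
            file_events.append((ts, user, parts[3], parts[4]))
        elif kind == "NET" and len(parts) == 6:
            net_events.append((ts, user, parts[3], parts[4], int(parts[5])))
    return file_events, net_events


def detect(log_text):
    """Return (user, reason, path) alerts for sensitive reads that are
    either outside business hours or followed, within WINDOW, by a large
    transfer from the same user to an external address."""
    file_events, net_events = parse(log_text)
    alerts = []
    for ts, user, _action, path in file_events:
        if not path.startswith(SENSITIVE_PREFIXES):
            continue
        if ts.hour not in BUSINESS_HOURS:
            alerts.append((user, "off-hours sensitive access", path))
        for nts, nuser, _src, dst, nbytes in net_events:
            if (nuser == user and ts <= nts <= ts + WINDOW
                    and is_external(dst) and nbytes >= BYTES_THRESHOLD):
                alerts.append((user, f"{nbytes} bytes to external {dst} "
                                     f"within {WINDOW} of reading", path))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, one user is flagged twice (an off-hours read of the client roster, then 80 MiB to an external address six minutes later), while another user who read a design document and sent 70 MiB off-network under two hours afterwards is not flagged at all. That second case is the point of the example: the window and threshold need tuning to the environment, and a per-user daily outbound volume check should run alongside the correlation so that a patient insider is not missed.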

While there is no way to completely eliminate the insider threat, by
taking a few key steps, companies can drastically lower their risk and
keep employees in check. For more on this issue, see the FBI's tip
sheet on averting the insider threat.
