What are the options?
By Ron Condon
Published: 19 April 2006 10:00 BST
In an effort to safeguard corporate data, businesses must consider threats from within as much as from outside. Ron Condon looks at the best ways to rein in staff.
Viruses and worms may get all the publicity but it's the accounts clerk with a grudge who is likely to cause businesses more trouble. With legitimate access to financial systems, he or she may be able to wreak more damage to your organisation than the most sophisticated Ukrainian hacker.
Even poorly trained or demotivated staff can cause problems. By mailing out inappropriate material to suppliers or customers, they can damage their employer's reputation. And by downloading and circulating porn, they can put themselves and their employer on the wrong side of the law.
The extent of the problem is highlighted by the latest research on security threats from the DTI, a survey of 1,000 British companies conducted every two years by management consultants PWC.
According to PWC's Chris Potter, who led the research, nearly all large companies have experienced staff misusing email and the internet. This can range from excessive web surfing (one employee was spending six hours a day on a dating site) to mailing out the customer database to a rival company.
While only one per cent of companies reported financial theft or fraud, these events were among the most serious and costly incidents, in some cases running into several millions of pounds.
In addition, nine per cent of large companies had experienced a breach of confidentiality through wrong information being emailed out or being copied on to a USB memory device.
So how does any organisation get control of in-house staff?
One clue lies in the DTI research. Only 63 per cent of companies even had a stated acceptable usage policy (AUP) to lay down what staff can and cannot do - and that figure is up from 43 per cent two years ago.
If you do not lay down rules, staff have no way of knowing the boundaries. The answer lies in a clear statement from the top.
"Companies must make strong and effective security practices part of their culture through awareness, education and accountability," says Jan Babiak, head of the information security practice at Ernst & Young. "This needs to be enforced by the CEO and the board, with organisations aspiring to implement well designed controls and fostering a security-conscious culture led from above. Without this top-down endorsement, employees will often ignore controls or worse avoid them, placing the entire enterprise at great risk."
Policies and culture have to be backed up by technology, though. An effective identity and access management system should ensure that the person logging on is who they say they are, and that their access rights are limited by their role in the organisation.
In practice, very few companies are close to achieving this. Staff have multiple passwords to remember, and helpdesks spend time helping people reset their passwords.
"On average, large companies have more than 75 applications, databases and systems that require authentication," says Ray Stanton, global head of BT's security business. "The average worker has to remember at least 15 user names and passwords, all with different expiry dates. Naturally, they tend to get forgotten, with the result that nearly half of all help desk calls are for password resets, costing upwards of $22 a time."
An enterprise-wide identity management system, with role-based access controls, is the ideal but so far most companies have been daunted by the scale of the task. "People have tried to do too much at once. It was like trying to eat a whole elephant in one go," says Simon Perry, head of security at Computer Associates.
In most cases, he says, companies can build on their existing directories and create a metadirectory to link them together but this has to be combined with a proper analysis of business processes.
"In the past companies have not had the budget to re-engineer their business processes but now with the need to comply with new corporate governance regulations, they are being pressured to do it," he says. "The process re-engineering needs to be done upfront. It's a bad thing to lead with the technology."
Once in place, an enterprise-wide identity management system not only reinforces security but saves money. New staff can be provided with access rights quickly, people changing roles can have new rights assigned and most importantly, leavers can have their rights ended on the day they leave.
And if users can log into all their applications with a strong two-factor authentication process - using a biometric device, a smart card or security token, for example - the problem of password re-sets goes away and helpdesk costs go down.
That is the ideal. In reality, according to the new DTI survey, 80 per cent of companies still rely on user names and passwords. "There is some penetration of two-factor authentication but it is still not mainstream," says PWC's Chris Potter.
And according to the Burton Group, the average time between someone leaving a company and losing all their access privileges is around one year - long enough to do considerable damage.
But while this area has been largely neglected in the past, it is now pushing up the corporate agenda, forced not only by corporate governance compliance but also by the changing way we do business today.
"Companies are increasingly working with business partners, so we need a federated identity approach to allow them to operate," says Stuart Okin, head of security at Accenture. People do not want to go through endless password challenges to get to the information they need, which may sit on the partner's network.
This, and other trends such as service-oriented architectures, will force companies to adopt strong authentication alongside a more rationalised identity management approach, he says.
In the end, the best way to reduce the insider threat is to create a culture of security. As every penetration testing company knows, most people are trusting and can be tricked into parting with passwords or confidential information if not properly trained.
Ken Munro, managing director of penetration testing company Securetest, sums up the challenge: "Token and biometric-based authentication are touted as the future for identity management but as always the user is the weakest link. Tokens are lost, fingerprints are everywhere, passwords are written down and forgotten. User education is the only true solution to identity management."
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.