
Protecting your business from insiders is smart business

by Keith Chval, principal with Protek International, a computer forensics, litigation support and investigation firm, and a member of the law firm of Connolly, Ekl & Williams PC, both Chicago-suburban based

Virtually every piece of data worth stealing is stored electronically. As a result, employers must balance access to information with their responsibility to protect those assets from misuse.

While it is difficult to protect electronic assets against the actions of determined insiders, a few common-sense proactive measures can reduce the risk that rogue insiders will be able to compromise your data. At the same time, you can position your enterprise to respond quickly and effectively should such an insider manage to access your data.

Keys to the Kingdom

Insiders pose the second greatest threat to cybersecurity, according to the 2004 E-Crime Watch Study, conducted by CSO magazine, the U.S. Secret Service and the CERT Coordination Center at Carnegie Mellon University. Among the cybersecurity experts who responded, 37 percent said hackers posed the greatest threat, followed closely by the 29 percent who saw insiders as posing the greatest threat.

TECH Outlook

Let's start by defining what we mean by an insider. An insider is an individual who enjoys a trusted status with your enterprise: a former employee, a current employee, a contractor, a customer or even a vendor, acting on motives that are inconsistent with the best interests of your enterprise. The potential motives are many. Yet, regardless of motive, the end result is that a rogue insider is committing acts that jeopardize the livelihoods of you and the other stakeholders of your enterprise.

This is especially true of an information-intensive business. It's not difficult to imagine the enormous damage to your enterprise if your customer list disappeared, your competitors received a copy of your marketing plan, all your files disappeared or you had to scramble to rebuild your network.

In every case, the impact can be exponentially greater than simple lost productivity, and in most cases the damage would be hard to calculate. Damage to your reputation, lost revenue and lost opportunities don't even begin to describe the mess a rogue insider can make.

Because of their trusted status, insiders literally hold the keys to the company kingdom. For management, the idea that a single person can access and control the entire network from a corner Starbucks anywhere in the world should be a source of great concern.

The first step in protecting yourself from the damage a rogue insider can cause is to identify your key informational assets, and then systematically determine who needs access to that information and for what purposes. With this information in hand, you can begin developing and implementing policies and procedures that provide only the necessary access to that information and the related systems.

Minimize the Human Risk

Many business owners hire new employees and contractors and assume that these individuals have only the best of intentions and are of the highest character. It is important to hedge your positive assumptions with the right technology and the right processes.

Scott Nelson, president of Employee Management Services, an HR outsourcing company located in Burr Ridge, Ill., believes protecting your business from internal threats begins with common sense. "Write your Acceptable Use Policy (AUP) down, make sure everyone knows about it and understands it. An AUP is an agreement between the business and its employees that outlines the terms of Internet and technology resource usage and acceptable rules of behavior. Then enforce it with an even hand," he advises.

In addition, eliminate the expectation of privacy. Let employees know that you are watching and monitoring what they send and view. Content filtering, e-mail archiving and even simple reviews of Internet history can be very useful.

Try to understand what parts of your business are more valuable than others, and work to protect those assets with a combination of process and technology.

Instituting effective employee due diligence procedures can also provide your enterprise with an important layer of security.

By protecting your valuable information (assets) and technology with strong hiring policy and processes, you address both internal and external threats. In the same way your firewall protects you from threats in outside traffic, an effective employment candidate due diligence process, coupled with periodic post-hire updates, can provide protection from threats posed by rogue insiders.

Mark J. Neuberger, a partner in the Miami office of Buchanan Ingersoll PC, goes even further by suggesting that IT professionals and contractors be interviewed and hired differently than other employees. "This means their backgrounds are subject to greater scrutiny when recruiting and selecting," he says.

Extra Level of Vigilance

When recruiting IT staff, a heightened level of background and reference checking should become standard operating procedure. An important consideration in enhancing the due diligence of your recruiting process is determining who will conduct the checks. Avoid the temptation to assign this critical responsibility to your headhunter. A conflict of interest exists when the person compensated for the placement is assigned responsibility for finding reasons not to hire the candidate.

Neuberger advises that once hired, IT employees' activities and performance be subject to a greater degree of vigilance and scrutiny. "There is nothing illegal with this kind of differential treatment so long as the employee understands what is expected and what will happen if their performance does not conform to these higher standards."

IT staff should be monitored and reviewed on a regular basis. Management should maintain a basic understanding of security processes and should consider a regular security audit conducted by an objective third party. This process will show what is on your system, how it is being used and who is using it. Outside objective help may be needed to perform the audit and to ensure that all security issues are addressed. Audits reveal the latest vulnerabilities within your network, provide critical checks and balances and often provide remediation guidance.

In addition, identify and watch for the development of "situational precursors" that can often foretell future misconduct by an insider. Most people don't set out to lead a life of crime or otherwise act in a way that is dishonorable. Typically, this behavior arises when an individual sees no acceptable way out of an unanticipated situation. Examples include financial difficulties, marital problems or a brush with the law. The trigger may also be an employment-related issue, or simply something as mundane as a close associate who leaves the enterprise and entices the insider to join him or her.

Termination Considerations

Terminations should rarely be an unplanned-for event. A termination usually comes as a surprise to no one, often foretold by one or more of the precursor events or circumstances mentioned above. Similarly, it's most likely not news to anyone that a termination, and the period leading up to it, is one of the most frequent periods of employee misconduct.


To protect your enterprise's digital jewels, you must have in place, and consistently execute, policies and procedures designed to minimize the risk associated with the termination of employment relationships. Naturally, these policies and procedures should be tailored to reflect the varying responsibilities and sensitivities associated with different job functions within your organization.

Perhaps the highest degree of security should be employed when the individual facing termination is part of the IT staff. The termination process should include measures to ensure that, once terminated, an employee no longer has access to enterprise resources.

The terminated employee's passwords and access codes should be revoked at the same moment the employee is informed of the termination. This requires close coordination between HR and IT: if the termination meeting slips but the access cut-off does not, the premature access denial itself gives the employee unintended advance notice. A rogue insider tipped off to his imminent demise may use that window to destroy or leak critical enterprise assets before the delayed termination ultimately takes place. Revocation should also cover every path the employee had into your systems, not only the primary password: remote-access credentials, keys and any shared passwords the employee knew, which must be changed for everyone who uses them.

Similarly, make sure that the necessary personnel, including vendors and contractors, have been informed that the employee is now a former employee and is no longer entitled to access organizational resources and information. This can be done in a sensitive way to avoid undue embarrassment to anyone.
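Two of the controls in this article, the first step of asking who can reach each key asset and for what purpose, and the same-moment revocation at termination that also tells vendors and contractors, are easy to get wrong in the details, so here is an added worked example in Python. It is not code from the article or from Protek International; the `Grant` schema, the inventory entries (the administrator "dana", the colleague "lee", the asset names and the vendor "PayrollVendorCo") and the five-minute grace window are all constructed for illustration. Beyond what the text says, it shows that a shared secret the leaver knew has to be rotated for its remaining holders rather than merely revoked, and that a post-termination check should come back empty.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Grant:
    """One way a person can reach an asset. Hypothetical schema for this example."""
    principal: str                       # person holding the access
    asset: str                           # the informational asset it reaches
    credential: str                      # password | ssh_key | api_token | vpn_cert | shared_secret
    purpose: str                         # documented business need; "" means none recorded
    shared_with: Tuple[str, ...] = ()    # others who also know this secret
    custodian: str = "internal"          # who operates the system: "internal" or a vendor name


# Constructed sample inventory; "dana" is the IT administrator being offboarded.
INVENTORY: List[Grant] = [
    Grant("dana", "customer-db",    "password",      "DBA on-call"),
    Grant("dana", "customer-db",    "ssh_key",       "DBA on-call"),
    Grant("dana", "backup-vault",   "shared_secret", "restore drills", ("lee",)),
    Grant("dana", "marketing-plan", "password",      ""),                 # no need recorded
    Grant("dana", "payroll",        "api_token",     "integration", (), "PayrollVendorCo"),
    Grant("lee",  "customer-db",    "password",      "reporting"),
    Grant("lee",  "backup-vault",   "shared_secret", "restore drills", ("dana",)),
    Grant("sam",  "crm",            "vpn_cert",      ""),                 # no need recorded
]


def review_access(inventory: List[Grant]) -> Tuple[Dict[str, List[Grant]], List[Grant]]:
    """Periodic review: who can reach each asset, and which grants lack a stated purpose."""
    by_asset: Dict[str, List[Grant]] = {}
    for g in inventory:
        by_asset.setdefault(g.asset, []).append(g)
    unjustified = [g for g in inventory if not g.purpose.strip()]
    return by_asset, unjustified


def revocation_plan(inventory: List[Grant], leaver: str) -> Dict[str, list]:
    """Everything that must happen at the moment the leaver is told."""
    # Personal credentials are simply revoked.
    revoke = [g for g in inventory if g.principal == leaver and not g.shared_with]
    # A secret the leaver knows stays compromised after the account is gone, so it
    # is rotated for every remaining holder rather than merely revoked.
    rotate = sorted({(g.asset, g.credential) for g in inventory
                     if g.shared_with and (g.principal == leaver or leaver in g.shared_with)})
    # Vendors operating a system the leaver could reach must be told access has ended.
    notify = sorted({g.custodian for g in inventory
                     if g.principal == leaver and g.custodian != "internal"})
    return {"revoke": revoke, "rotate": rotate, "notify": notify}


def apply_plan(inventory: List[Grant], leaver: str, plan: Dict[str, list]) -> List[Grant]:
    """Simulate executing the plan and return the inventory as it should look afterwards."""
    rotated = set(plan["rotate"])
    after: List[Grant] = []
    for g in inventory:
        if g.principal == leaver:
            continue                                  # revoked outright
        if (g.asset, g.credential) in rotated and leaver in g.shared_with:
            # New secret issued only to the remaining holders.
            g = Grant(g.principal, g.asset, g.credential, g.purpose,
                      tuple(p for p in g.shared_with if p != leaver), g.custodian)
        after.append(g)
    return after


def residual_access(inventory: List[Grant], leaver: str) -> List[Grant]:
    """Post-termination check: anything the leaver still holds or still knows."""
    return [g for g in inventory if g.principal == leaver or leaver in g.shared_with]


def revocation_timing(revoked_at: datetime, meeting_at: datetime,
                      grace: timedelta = timedelta(minutes=5)) -> str:
    """Access goes away as the person is told: earlier tips them off, later leaves a window."""
    if revoked_at < meeting_at:
        return "premature"
    if revoked_at > meeting_at + grace:
        return "late"
    return "on-time"


if __name__ == "__main__":
    _, unjustified = review_access(INVENTORY)
    for g in unjustified:
        print(f"review: {g.principal} on {g.asset} via {g.credential} has no recorded purpose")
    plan = revocation_plan(INVENTORY, "dana")
    for g in plan["revoke"]:
        print(f"revoke: {g.credential} for {g.asset}")
    for asset, cred in plan["rotate"]:
        print(f"rotate: {cred} for {asset} (reissue to remaining holders)")
    for vendor in plan["notify"]:
        print(f"notify: {vendor}")
    after = apply_plan(INVENTORY, "dana", plan)
    print("residual access after offboarding:", residual_access(after, "dana"))
    print(revocation_timing(datetime(2024, 5, 6, 9, 0), datetime(2024, 5, 6, 9, 30)))
```

Run as a script, the block lists the two grants with no recorded need, prints dana's plan (four personal credentials to revoke, the backup-vault secret to rotate, one vendor to notify), confirms the residual-access check is empty, and reports a 9:00 cut-off for a 9:30 meeting as "premature", the tip-off the article warns about. In a real environment the inventory would be fed from your directory, key and token stores, and the plan would drive the actual disable and rotation commands.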

Wrapping It Up

The risks posed by the vulnerabilities inherent in your technologies cannot be ignored by any enterprise. Fortunately, there are realistic, cost-effective steps that enterprises of all sizes can implement that allow them to continue leveraging technology while mitigating the risks. Effective policies and procedures for managing the insider risk are one such area ripe for attention.

While much of this discussion has focused on an employer/employee relationship in an IT department, many of the principles discussed apply to other operational areas within the enterprise, as well as to insiders other than employees, as defined earlier. Due diligence, vigilance for precursor situations and management of the relationship termination process should be applied equally to all insiders.

In managing the insider risk to your enterprise's informational assets, by hoping for the best and preparing for the inevitable, you can avoid the worst, and in the process add value for yourself, your enterprise and its stakeholders.