Traitors in the Office are More Dangerous than Hackers

Leaks of confidential information caused by employees cost companies enormous sums. Although many managers understand the danger, they still take no specific action to prevent it. Today the problem has moved from the theoretical to the practical realm, and how efficiently it is solved determines how successfully the information systems and, consequently, the entire company will operate.

"Insiders" Are More Dangerous than Viruses

Until recently, the insider side of corporate IT security, in particular protecting confidential corporate information from employees' intentional and unintentional wrongful acts, was mainly considered a problem of the future. Over the last two years, however, IT security specialists' concern about sabotage, espionage, and employee negligence involving high-tech infrastructure has multiplied and is now a key factor in the development of corporate IT systems.

According to the joint CSI/FBI Computer Crime and Security Survey, financial losses caused by information leakage among the 1000 U.S.-based corporations that participated in the poll exceeded $70 million. This figure left other IT threats significantly behind, including viruses ($27M), hackers' attacks ($65M), and financial fraud ($10M), and amounted to around 40% of the total registered losses. According to the same research, the loss caused by "insiders" averaged $300 thousand, while the maximum reached $1.5 million.

Financial loss caused by different types of attacks. 2003, $
(Source: 2003 CSI/FBI Computer Crime and Security Survey; 1000 companies researched)

Ernst&Young confirms the trend in its annual Global Information Security Survey 2004, which reveals that IT professionals' concern has grown most in the area of internal corporate threats. Respondents ranked this problem second on the list of the most serious dangers: 60% of them consider employees' wrongful acts a real threat to the normal functioning of information systems. This figure is ahead of such well-known topics as spam (56%), DoS attacks (48%), financial fraud (45%), and breaches in software security systems (39%); it trails only the threat of viruses and worms (77%).

Top-10 information security threats
(Source: Global Information Security Survey 2004, Ernst&Young)

The Top-10 also includes other internal threats: leakage of customer information and other types of confidential information theft. At the same time, the human element rose to the top of the list of circumstances that prevent enforcing an effective IT security policy.

Causes of the "Illness"

The corporate IT security problem can be measured in specific financial figures. According to the Association of Certified Fraud Examiners, American companies lose on average 6% of their income to incidents involving data fraud or theft. In 2003, such losses totaled approximately $660 billion. InfoWatch estimates that about 50-55% of that amount is due to employees' wrongful acts. Another Ernst&Young study, on electronic fraud, reveals that 20% of employees are sure that their colleagues leak confidential corporate information. These data are clear evidence that the threat such employees pose is understood. Yet corporate management does literally nothing to prevent it and gives the problem extremely low priority. According to InfoWatch, there are several reasons for this paradoxical situation.

First, external threats (mostly malicious software) receive heavy coverage in the mass media, and there is active publicity around the development of the corresponding security systems. As a result, few executives have never heard of virus epidemics, while few could claim deep expertise in internal threats. Ernst&Young's analysts share this opinion: "We think some of our respondents happened to be under the influence of mass media messages and vendors dramatizing the situation by drawing elevated attention to viruses and worms while lacking focus on the other dangerous threat, the insiders".

Second, such crimes have a high level of latency (concealment), that is, a low level of disclosure. Experts put the latency of cyber-crime at 80% in the U.S.A., up to 85% in the U.K., 75% in Germany, and over 90% in Russia. Extrapolating from these data, we can say that statistics reflect only about 10% of the crimes. Ernst&Young is less skeptical: it puts latency at 45% and explains this value by the fact that most corporations that discover such incidents prefer not to make them public, to avoid harming their market position, public image, and stock price. It is also obvious that as corporations develop and expand, more opportunities for stealing information appear, while the risk of being caught red-handed diminishes. Given this, how many intrusions, and the losses they cause, remain unnoticed? Companies should acknowledge that they simply do not know.

"Many companies do not even conceive what exactly harms them and what the losses are. While the alarmists focus users' attention on the external threats, supporting those with their doubt-worthy estimates, the companies' greatest threat derives from the insiders - employees' wrongful actions, negligence, oversight, etc. Since the majority of insider incidents are carefully concealed, companies are often not aware of being attacked from the inside," concluded Edwin Bennett, the CEO of Technology and Security Risk Services of Ernst&Young.

Finally, the third reason for the lack of attention to internal attacks is the almost complete absence of comprehensive internal-threat defense systems, in particular those for preventing leakage of confidential information. Customers do appear to be interested in this area, but the lack of technological solutions makes them look for adjacent ones (e.g., using anti-spam systems for content-based filtering of confidential information) or hold off on deploying such systems altogether. As a result, according to Ernst&Young, almost 100% of respondents confirmed that they had AV software in their corporate networks and 71% had anti-spam systems, but none mentioned internal threats or protection against them.

Protect Yourself on Your Own

To minimize the risk of losses caused by internal threats, a company must take a number of technical, administrative, and educational steps. Only a combination of these that matches the company's specific tasks and scope of activity creates an effective response to the new challenges. Unfortunately, none of the above-mentioned threats is properly estimated. The greatest progress can be reported in educating users in the basics of IT security. However, even here things are not as good as they could be: almost 70% of companies did not include personnel training among the priority directions of IT security development, and more than half of the companies do not conduct training at all.

"It is difficult to overestimate the importance of personnel training. At the same time, we must not forget about technical means for controlling the use of confidential information. Otherwise, unreliable employees may have uncontrolled liberty to manage data within their area of competence," said Eugene Preobrazhensky, the general manager of InfoWatch. Today, the internal-threat defense market is just taking its first steps. The great demand for comprehensive solutions that prevent information leakage via the most dangerous channels (e-mail, Internet, mobile data carriers, document duplication means) is obvious. "We think that the next few years will be marked by the advent of a principally new market of IT security system software, Anti-Leakage Software - the specialized solutions for controlling confidential information and preventing leakage of it," Eugene Preobrazhensky added.

The principal difference between Anti-Leakage Software and other areas of IT security is its clear focus on preventing information leakage and its combination with adjacent areas. The key elements of these solutions will include content analysis of mail and web traffic, control over document operations at the workstation level, and a centralized setup and management system. Customers will be able to choose between several implementations of the security system's internal structure. For instance, e-mail can be scanned on a dedicated IT security server (combined with the AV and anti-spam traffic checks) or directly on the e-mail gateway. Similarly, web traffic can be filtered on the proxy server or on the corporate firewall. The latter, in turn, can perform full-scale verification of the company's whole data flow.

Unlike similar content-analysis solutions, Anti-Leakage Software ships with a filtering base that contains the key words and phrases that are confidential under a specific company's specific conditions. This assumes close cooperation between the customer's and the developer's specialists and the work required to install, set up, and maintain the system. At the same time, boxed solutions for small and medium businesses are not ruled out.
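
A minimal sketch of content analysis of outbound e-mail against a company-specific filtering base, added here as an illustration and not taken from any vendor's product. The filtering-base entries, the internal domain `example.com`, the sample message and all function names are assumptions made for the example.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses

# Constructed filtering base: phrase -> confidentiality category (hypothetical entries).
FILTER_BASE = {"project falcon": "secret", "salary report": "confidential"}
INTERNAL_DOMAIN = "example.com"  # assumed corporate mail domain

def normalize(text):
    """Lower-case, turn punctuation/whitespace runs into single spaces, pad with spaces."""
    return " " + re.sub(r"[\W_]+", " ", text.lower()).strip() + " "

def text_parts(msg):
    """Yield (location, text) for the subject, the body and every text attachment."""
    yield "subject", str(msg.get("Subject", ""))
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            # get_content() undoes base64/quoted-printable before matching.
            yield part.get_filename() or "body", part.get_content()

def scan_outbound(raw):
    """Gateway verdict for one raw message: quarantine only if it leaves the company."""
    msg = message_from_string(raw, policy=default)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    rcpts = getaddresses([str(h) for h in headers])
    external = [a for _, a in rcpts if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    hits = []
    for where, text in text_parts(msg):
        haystack = normalize(text)
        for phrase, category in FILTER_BASE.items():
            if normalize(phrase) in haystack:  # whole-word match after normalizing
                hits.append((where, phrase, category))
    action = "quarantine" if hits and external else "deliver"
    # Hits are returned even on "deliver" so they can be written to an audit log.
    return {"action": action, "external": external, "hits": hits}

def sample_message(to):
    """Constructed test message: harmless subject and body, sensitive base64 attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.com", to, "Lunch plans"
    m.set_content("See attached.")
    m.add_attachment("Salary   Report, Q3 draft\n", filename="q3.txt", cte="base64")
    return m.as_string()

if __name__ == "__main__":
    print(scan_outbound(sample_message("partner@example.net")))
```

Binary attachments (archives, office documents, images) are skipped by this sketch, so a gateway built this way would need text extractors for them before matching.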

Control over document operations at the workstation level is a unique feature of Anti-Leakage Software. It helps prevent leakage, distortion, or destruction of confidential information from users' computers, for example through copying data to removable media (compact disks, diskettes, USB drives) or printing, opening, and editing documents. If an employee's wrongful action is detected, a warning about the incident is immediately sent to the responsible IT security officer so that the required defensive actions can be taken.

Besides differentiating access rights, Anti-Leakage Software can also keep track of document operations that fall within the competency of particular appointed officials. Thus, when investigating information leakage cases, the officers in charge will be able to carry out a thorough, comprehensive analysis using the operations log. The centralized management system will let security officers manage the system from a single remote terminal. This saves the customer's resources and makes the update and control processes extremely quick and efficient. One required item will be integration with other corporate management systems such as OpenView, Tivoli, and UniCenter. This will ensure maximum compatibility between Anti-Leakage Software and the company's existing IT infrastructure.

Even when using specialized software, keep in mind that efficient corporate data protection is not possible without organizational improvements. In particular, the customer company must issue a number of documents that describe its policy for using confidential electronic information, and conduct personnel training on a regular basis. The policy must describe the types of information stored and processed in the customer's information system, assign each type a confidentiality category, and define the rules and regulations for using that information. As a result, the company will have a normative base for its internal-threat defense system, which brings it into compliance with current law.

Dennis Zenkin / CNews.ru



© SecretsSaver 2003-2005