Sidebar: More Tips for Preventing Insider Abuse

Here's a variety of expert tips on preventing security breaches by employees:

  • Formulate strong policies. Create, publicize and enforce clear policies explaining what constitutes "abuse" at your installation. Be clear, too, about what you are prepared to do if someone breaks the rules. -- Mark G. Graff, chief cyber security officer, office of the CIO, Lawrence Livermore National Laboratory, Livermore, Calif.
  • Conduct background checks. Check backgrounds on all employees who handle sensitive data. Background checks also serve as a deterrent for potential employees. -- Jose Granado, partner at Ernst & Young's Security & Technology Solutions practice, Houston
  • Identify dormant IDs or orphaned accounts. Install or create a system for actively checking for and deleting out-of-date IDs/accounts and/or inactive users. -- Jeff Drake, director of Tivoli security strategy, IBM
  • Understand your network. Be aware that the distinction between "insiders" and "outsiders" isn't as clear as it once was. That key supplier (the one you punched a hole through your firewall for) is best regarded as an insider. What about a customer making an online purchase? It depends on how well you have insulated your "inside" orders database from your "outside" Web server. If you think of your network as housing a similar mix of people as you find on your grounds and inside your buildings on a given day, you'll be on the right track to visualizing the insiders you need to protect against. -- Mark G. Graff, Lawrence Livermore National Laboratory
  • Never assume that data behind a firewall is protected. Many companies leave systems wide open to internal access and hence vulnerable to abuse by internal users, or to external users who have gotten past the firewall. Make someone within the company responsible for defining acceptable use policy -- many companies have a chief information security officer -- and give him power to enforce such policies. -- John Heimann, director of security, Oracle Corp.
  • Collect historical data for individual employees regarding network activity and file access attempts and then employ a formula to calculate a risk factor for each event, providing an interface to rank risk factors and sort by employee. -- Joel Rakow, eCrimes practice leader, Tatum Partners, Los Angeles
  • Ensure that information access policies reflect the principle of "least privilege." That is, people shouldn't have access to information that they don't need in order to do their jobs. -- John Heimann, Oracle Corp.
  • Promote awareness. Make sure that all the people who have access to your computing resources know what is expected of them. That means more than just adhering to policies. They also need to know how to lock their screens (or log out) when they leave their desks so that other "insiders" can't use their access rights to make mischief. Train them how to spot suspicious activities around them. -- Mark G. Graff, Lawrence Livermore National Laboratory
  • Automate the lines of communication between your IT and HR departments. The IT department will need to have real-time notice of pending layoffs or restructuring in order to determine which accounts need to be disabled or suspended. -- Jeff Drake, IBM
  • Establish a data classification program to ensure that the right amount of protection is allocated to the right data. -- Jose Granado, Ernst & Young
  • Restrict, where possible, the size of storage for all employees. Where storage exists, ensure that stored material is regularly reviewed and compliant with company policy. -- Mark Payne, vice president, group security team, Cable & Wireless PLC, London
  • Conduct log reviews or activity reviews. Keep track of activity on the inside. Monitor review logs for activity leaving the organization or coming in. Who is accessing what file and directory? Why are they accessing critical data? More times than not, we give employees an automatic level of trust. -- Jose Granado, Ernst & Young
  • Monitor file sizes of mailboxes and personal files. Flag incoming mail containing .jpg, .gif and .wav files for review. Filter spam. Filter Web sites. And limit the bandwidth available for MPEG files. -- Greta Ostrovitz, director of IT, Cadwalader, Wickersham & Taft LLP, New York
  • Restrict Internet access by employees to "view only" and ensure that corporate firewalls don't allow downloading of material -- such as pornography, illegal software and viruses -- that may cause the company loss of reputation or leave the organization open to legal action. -- Mark Payne, Cable & Wireless
  • Try to make sure that the handling of critical security functions is done by two people (e.g., delivering backup tapes to off-site storage). For example, don't leave a single unmonitored insider in charge of private data. -- Rich Salz, chief security architect, DataPower Technology Inc., Cambridge, Mass.
  • Separation of duties: Any single person responsible for systems/network administration, security and backups holds the keys to the corporate kingdom. No one should have that much power without a series of checks and balances in place. Preferably, policy would establish a separate security department reporting directly to the CIO or higher, providing management, oversight and monitoring of the security process. At the very least, responsibility for critical security events such as system administration and control of backup media should be split to separate, specified groups. -- Julie Lancaster, director of marketing, Visualware Inc., Turlock, Calif.
  • Convert physical access control devices so they're network-enabled, so physical access events can be correlated with network events and file-access attempts. Convert analog surveillance systems to digital video and configure them to detect persons moving out of the standing position to sitting, crouching, etc. Correlate this information with other physical access events, network events and file-access attempts. -- Joel Rakow, Tatum Partners
  • Form an investigative team made up of people trained to identify issues when they pop up and bring the situation to a conclusion. The response team should understand IT security as well as physical security. -- Jose Granado, Ernst & Young
  • Create tiger teams of ethical hackers that can be used to find vulnerabilities in your company's systems. These can be people within the company, ideally separate from those who are responsible for developing or deploying the systems, or they can be third-party security research companies brought in for this purpose. -- John Heimann, Oracle
  • Ensure strong physical security measures. Security guards can ensure that workers and visitors have the proper credentials upon walking in and out of a building, as it is with airport security. Random bag inspections upon exiting could turn up stolen disks of data, peripheral equipment, etc. -- Jose Granado, Ernst & Young
  • Limit access to certain functions, such as copy/print/fax/scan to authorized users only. Protect multifunction devices from hacking by using secured network interfaces. And automatically erase the document data retained by office equipment to help prevent it from falling into the wrong hands. -- Peter Cybuck, senior manager of business development, Sharp Electronics Corp., Mahwah, N.J.
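Two of the tips above, Jeff Drake's on finding dormant or orphaned accounts and his second on feeding HR departure notices to IT, come down to one recurring review of the account directory. The script below is an added illustration and is not code from the article or from any of the people quoted in it; it works over constructed sample records (a small list of accounts with their last login and recorded owner, and a set of names HR reports as having left) and flags every enabled account that is orphaned, tied to a separated employee, never used, or idle past a configurable threshold. Field names and the 90-day threshold are assumptions, not anything the article specifies.

```python
from datetime import date, timedelta

# Constructed sample directory export (not real data): one record per account.
# "owner" is the person responsible for the account; None means nobody is on record.
ACCOUNTS = [
    {"user": "alice",      "owner": "Alice Smith", "last_login": date(2003, 5, 28), "enabled": True},
    {"user": "bob",        "owner": "Bob Jones",   "last_login": date(2002, 11, 2), "enabled": True},
    {"user": "svc_backup", "owner": None,          "last_login": date(2003, 5, 1),  "enabled": True},
    {"user": "carol",      "owner": "Carol White", "last_login": date(2003, 5, 20), "enabled": True},
    {"user": "dave",       "owner": "Dave Brown",  "last_login": None,              "enabled": True},
    {"user": "erin",       "owner": "Erin Green",  "last_login": date(2002, 1, 15), "enabled": False},
]

# Constructed HR feed (assumed format): people who have left or whose departure is pending.
HR_SEPARATED = {"Carol White"}


def review_accounts(accounts, hr_separated, today, max_idle_days=90):
    """Return {username: [reasons]} for every enabled account that needs action.

    An account is reported when any of the following holds:
      - orphaned:  no responsible owner is recorded
      - separated: HR reports the owner has left or is leaving
      - never used: no login has ever been recorded
      - dormant:   the last login is older than max_idle_days
    Already-disabled accounts are skipped.
    """
    findings = {}
    cutoff = today - timedelta(days=max_idle_days)
    for acct in accounts:
        if not acct["enabled"]:
            continue
        reasons = []
        if acct["owner"] is None:
            reasons.append("orphaned: no responsible owner on record")
        elif acct["owner"] in hr_separated:
            reasons.append("separated: HR reports owner has left or is pending departure")
        last = acct["last_login"]
        if last is None:
            reasons.append("never used: no login recorded")
        elif last < cutoff:
            reasons.append(f"dormant: last login {last.isoformat()} is older than {max_idle_days} days")
        if reasons:
            findings[acct["user"]] = reasons
    return findings


def accounts_to_disable(findings):
    """Separated and orphaned accounts are disabled immediately; the rest go to review."""
    return sorted(
        user for user, reasons in findings.items()
        if any(r.startswith(("separated", "orphaned")) for r in reasons)
    )


if __name__ == "__main__":
    # Fixed "today" so the sample output is stable; a real run would use date.today().
    findings = review_accounts(ACCOUNTS, HR_SEPARATED, today=date(2003, 6, 1))
    for user, reasons in sorted(findings.items()):
        for reason in reasons:
            print(f"{user:12s} {reason}")
    print("disable now:", ", ".join(accounts_to_disable(findings)))
```

Run on a schedule against a real directory export and the HR feed, this is the "system for actively checking" that Drake describes: separated and orphaned accounts are disabled on the spot, while never-used and dormant ones are queued for a human to confirm before deletion, since a legitimate service or seasonal account can look idle for months.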

Copyright © 2003 IDG Communications, Inc.
