How can you protect the company from internal threats?
03.04.2018
In 2014 the personal information of up to about 20.7 million customers leaked from Benesse Holdings Inc., Japan's largest provider of correspondence education for children. Based on an in-house investigation, Benesse said it suspected that an insider who was not an employee had leaked the data, which included the names, genders and birth dates of children.
In 2015 it emerged that an employee of the Australian Immigration Department had accidentally leaked personal data, including passport numbers and visa details, of all the world leaders attending the G20 Brisbane summit: Barack Obama, Xi Jinping, Vladimir Putin, Angela Merkel, David Cameron and many more.
Vodafone Germany suffered a similar breach in 2013. The investigation showed that one of its suppliers used its privileged access to a server located in Germany to copy the names and bank account details of two million customers.
Incidents in which the threat comes from the company's own people happen more often than it seems. They are especially dangerous because the intruder is already inside and knows the structure of the company: which data is the most valuable and where it is stored.
Types of fraudsters
There are two types of threats to company security: internal and external. The attackers' motives largely overlap, since in both cases they usually act for material gain. The difference lies in how the damage is done and in its scale.
'External' fraudsters try to get malware into the company's network. Such attacks usually do not cause significant damage, because the actors hit many organizations or individual users with the same template.
For example, they scan for a known vulnerability across all web sites running a particular content management system. If the vulnerability has not been patched, the attackers inject code that redirects visitors to malicious sites or starts cryptocurrency mining on visitors' computers.
Much more dangerous are targeted attacks aimed at a specific company. In this case the attackers first collect whatever information they can about the organization and probe it for vulnerabilities.
Internal fraud is committed by the company's own employees. We can divide such fraudsters into three types:
- "Offended" employees. To take revenge on a boss, an offended employee may sabotage the work of the organization. For example, when leaving the company he may take the customer database with him and publish it.
- Fraudsters pursuing personal gain. This type includes those who arrange kickbacks, take bribes, deal with affiliated persons and use other ways to obtain personal benefits at the company's expense.
- Embedded or recruited insiders. These are employees who collude with competitors. This situation is rarer but can cause fatal damage.
Alongside these three types there are employees who cause a leak by accident (attaching the wrong file to an e-mail or sending a sensitive message to the wrong mailing list).
Fraudsters most often steal customer databases, engineering designs, blueprints, parts of source code and tender information.
Insiders and employees pursuing personal gain can be exposed by studying the company's internal workflow carefully. Oddities in accounting paperwork can be a sign (missing documents, unusual discounts, copies instead of originals), as can atypical behaviour of employees, for example an unexplained "attachment" to a particular client or the sudden appearance of luxury goods.
These signs do not necessarily indicate fraud, but a security officer has to investigate once they are detected.
It is impossible to fully control the workflow and monitor employees' behaviour manually; to manage this you need a DLP system. We are developing such a product, Falcongaze SecureTower, and drawing on that experience we will explain what it is and how to work with it.
A DLP (data loss prevention) system is a product designed to prevent information leakage. It analyzes data streams in the corporate network; when it sees something suspicious it blocks the transmission or notifies the security officer. Moreover, modern DLP systems can help find unreliable employees.
It is common for violations to be detected right after the first DLP test run: kickback contracts drawn up at the workstation, confidential information sent to competitors, company equipment used for cryptocurrency mining, gaming and moonlighting during working hours.
Security aspects
The earlier top management starts to think about information security, the safer the company will be. In a small business the head of the company usually handles this issue himself; further growth requires hiring a security specialist.
Roughly, we may divide the company's security into three aspects that work together: legal paperwork, organizational and technical.
The first aspect involves lawyers. They draw up a security policy and a list of the information that constitutes a trade secret under the applicable law. The policy sets out the company's basic rules, for example that the workstation may be used only for job duties.
Once the list of confidential information is complete, an NDA (non-disclosure agreement) should be signed between employer and employee. This is important for a company of any size, as it is one of the tools for legally regulating the relationship between employee and employer.
If the company monitors employees' activities, the legislation of most countries requires additional appendices or amendments: employees must be informed of, and agree to, the monitoring of their actions.
HR together with the security officers covers the organizational aspect. They set clear regulations on what an employee should and should not do, analyze incidents and run trainings, for example on how to use anti-virus software and how not to fall for phishing messages.
Communication is very important here. Security staff are often seen as opponents who get in the way with their requirements and interfere with the working process. If the head of the business does not explain why the rules are introduced, employees are less likely to comply.
The DLP system helps to check whether employees have adopted the new rules and to detect those who continue to violate them. You can run additional training with them, and if the case is hopeless you have to impose sanctions.
The technical aspect includes not only firewalls and DLP systems, but also such things as video cameras and anti-virus software.
These tools collect the information for internal investigations. The DLP system stores the fraudster's logs and messages, and video surveillance shows that exactly this person was using the computer. Data obtained in this way can be used as evidence in court, provided the monitoring itself was lawfully set up, which is why the policy amendments above matter.
The system also works in active mode. If someone tries to send a confidential document by e-mail, the DLP blocks the transfer and notifies the security officer. Contact with a competitor can be revealed through keyword dictionaries, partial matches between transmitted data and known confidential documents, or a sudden "burst" of messages via Telegram.
It is commonly believed that an employer has no right to read employees' letters and messages. In fact, correspondence sent through the company's computers and accounts is generally treated as work-related, so monitoring it is not automatically an interference with private life. The European Court of Human Rights has, however, set conditions on this: in Bărbulescu v. Romania (Grand Chamber, 2017) it held that monitoring is acceptable only if employees were told in advance about its nature and extent and it is proportionate to a legitimate aim.
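The three signals mentioned above (dictionary hits, partial overlap with a known confidential document, and a burst of messages on one channel) are easy to see in code. The following is an added example, not SecureTower code: a toy outbound-message inspector over constructed sample messages. The corporate domain, the confidential document, the dictionary terms, the thresholds and all messages are assumptions made for the illustration.

```python
"""Toy DLP-style outbound message inspector.

Added example, not Falcongaze SecureTower code. It shows the three signals the
article mentions: keyword dictionaries, partial overlap with a known confidential
document (word shingles), and a sudden burst of messages on one channel.
All documents, dictionary terms, addresses and thresholds are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example-company.com"   # assumed corporate mail domain

# Constructed confidential document registered with the "DLP".
CONFIDENTIAL_DOCS = {
    "tender-2018-Q2.docx": (
        "Our bid for tender 2018 Q2 is 4.2 million with a 12 percent margin "
        "and delivery by September. Fallback price 3.9 million."
    ),
}
# Constructed dictionary: competitor names and deal-related phrases.
DICTIONARY = {"acme corp", "kickback", "our bid", "fallback price"}

SHINGLE_SIZE = 4            # words per shingle; 4-word phrases rarely recur by chance
MIN_MATCHING_SHINGLES = 3   # this many shared shingles counts as a partial copy
BURST_WINDOW = timedelta(minutes=10)
BURST_LIMIT = 5             # messages per (user, channel) within the window


def tokens(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text, k=SHINGLE_SIZE):
    """Set of k-word windows; order-preserving, so paraphrasing breaks most of them."""
    w = tokens(text)
    return {tuple(w[i:i + k]) for i in range(len(w) - k + 1)}


DOC_SHINGLES = {name: shingles(body) for name, body in CONFIDENTIAL_DOCS.items()}


def dictionary_hits(text):
    low = text.lower()
    return sorted(term for term in DICTIONARY if term in low)


def document_overlap(text):
    """(document name, number of its shingles found in text) for the best match."""
    s = shingles(text)
    best_name, best_n = "", 0
    for name, ds in DOC_SHINGLES.items():
        n = len(s & ds)
        if n > best_n:
            best_name, best_n = name, n
    return best_name, best_n


class BurstDetector:
    """Sliding-window counter of messages per (user, channel)."""
    def __init__(self, window=BURST_WINDOW, limit=BURST_LIMIT):
        self.window, self.limit = window, limit
        self.seen = defaultdict(deque)

    def record(self, user, channel, ts):
        q = self.seen[(user, channel)]
        q.append(ts)
        while ts - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        return len(q) >= self.limit


def is_external(recipient):
    return not recipient.lower().endswith("@" + INTERNAL_DOMAIN)


def inspect(msg, burst):
    """Return (verdict, reasons): block = stop the transfer, alert = notify the officer."""
    verdict, reasons = "allow", []
    doc, n = document_overlap(msg["text"])
    if n >= MIN_MATCHING_SHINGLES:
        reasons.append(f"{n} shingles from {doc}")
        # A trade secret going to an outside address is blocked; internal
        # circulation is only flagged, since the policy may permit it.
        verdict = "block" if is_external(msg["to"]) else "alert"
    hits = dictionary_hits(msg["text"])
    if hits:
        reasons.append("dictionary: " + ", ".join(hits))
        verdict = "alert" if verdict == "allow" else verdict
    # Always record, so the window stays accurate even for clean messages.
    if burst.record(msg["user"], msg["channel"], msg["ts"]):
        reasons.append(f"burst on {msg['channel']}")
        verdict = "alert" if verdict == "allow" else verdict
    return verdict, reasons


# Constructed sample traffic: one clean mail, one leak to a competitor, one
# internal mail that only trips the dictionary, and a burst of Telegram messages.
T0 = datetime(2018, 4, 3, 10, 0)
SAMPLE_MESSAGES = [
    {"id": "m1", "user": "ivanov", "channel": "email", "to": "colleague@example-company.com",
     "ts": T0, "text": "Lunch at 1? The tender 2018 Q2 meeting moved to Monday."},
    {"id": "m2", "user": "ivanov", "channel": "email", "to": "sales@acme-corp.example",
     "ts": T0 + timedelta(minutes=3),
     "text": "FYI: Our bid for tender 2018 Q2 is 4.2 million with a 12 percent margin."},
    {"id": "m3", "user": "sidorov", "channel": "email", "to": "boss@example-company.com",
     "ts": T0 + timedelta(minutes=5), "text": "Fallback price 3.9 million, do we go lower?"},
] + [
    {"id": f"t{i}", "user": "petrov", "channel": "telegram", "to": "@rival_buyer",
     "ts": T0 + timedelta(minutes=i), "text": "sending the next part now"}
    for i in range(1, 6)
]


def run_samples():
    """Inspect the constructed messages in order; returns id -> (verdict, reasons)."""
    burst = BurstDetector()
    return {m["id"]: inspect(m, burst) for m in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for mid, (verdict, reasons) in run_samples().items():
        print(f"{mid}: {verdict:5s} {'; '.join(reasons)}")
```

Shingle matching is deliberately order-sensitive: a pasted paragraph lights up dozens of shingles, while ordinary mail that merely mentions the same tender produces none. A real DLP would fingerprint documents at registration time and inspect attachments and archives as well as message bodies, and it would also tune the burst threshold per channel rather than using one constant.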
American view on the topic: Privacy Rights vs. Employee Tracking
At the same time, monitoring does not mean that the boss and the security officer read every message sent: the analysis is done by the DLP, not by a person. The officer steps in only if a user starts to behave suspiciously. Moreover, only the responsible officer, under regulated terms, has access to the correspondence, and even he has no right to look into private messages unrelated to security issues.