As the threat landscape continues to evolve in IT security, traditional perimeter defenses are becoming inadequate to fend off attackers, especially if the culprits are dwelling within the corporate walls.
While organizations remain hung up on building formidable fortresses to keep the bad guys out, incidents of insider breaches are rising. One recent example was the Bank of Canada identity fraud case that victimized eight of its account holders. The two people arrested for the crime were former employees of EDS Canada, the bank’s current outsourcer, according to the RCMP.
A recent survey by Forrester Research indicates that insider attack, such as the Bank of Canada case, may not be an uncommon scenario for many enterprises. According to Forrester’s probe of 83 IT decision makers, 53 per cent of data breaches in 2005 were perpetrated by corporate insiders. These insider attacks were caused by both authorized users exploiting their privileged access rights, as well as unauthorized company insiders.
Despite the high number of internal breaches, data protection priorities still linger around network and system protection, cited by 86 per cent as “high priority” in respondents’ list of concerns. User-related compromises, however, rank only third in the hierarchy of concern, at 73 per cent, according to Forrester.
“Comparing the fear of attacks and the frequency at which they occur, clear misalignments arise,” says Jonathan Penn, research analyst at Forrester and author of the Forrester report.
For instance, insider attack was the most frequently reported kind of breach, but it was only a mid-level concern among the respondents, Penn says. He suggests companies should keep a closer eye on employees by deploying monitoring tools that keep track of employees’ data access privileges and activities.
The same survey also indicates that companies will increase spending on identity management technologies in 2006 to protect information assets.
“Data breach disasters and compliance headaches have elevated enterprise security to a boardroom issue,” says Penn, adding that the role of the enterprise’s security group is also evolving beyond IT security to information risk management.
As companies wage this new battle to defend the corporate fortress against the insider threat, Canadian IT executives believe finding allies among the employee population is key. That means enforcing effective prevention policies that are as unobtrusive to employees as possible, while ensuring that security initiatives are well communicated and well understood.
Penn says by making employees “part of the solution and not part of the problem,” companies can enforce an effective information culture across the organization.
Since its inception, information security and privacy have been at the core of Smart Systems for Health Agency’s (SSHA’s) entire operation. Its CIO, Roman Olarnyk, admits the agency can sometimes “go overboard” with its internal controls and policies. But that’s the nature of the business.
As the agency mandated by the Ontario government to provide tools and services to facilitate secure electronic communications among healthcare providers, SSHA’s security initiatives are driven by the trust bestowed on them by those they serve.
“Even though the products and services we provide are enhanced in terms of high security and high reliability, at the end of the day, they’re commodity items,” explains Olarnyk. “If we lose that trust element, we’re not going to go any further.”
SSHA’s prescription for success is a combination of governance, policies and procedures, people and technology, says Olarnyk. And maintaining all of those elements involves a constant balancing act and a well-defined role that each one plays.
The chief privacy and security officer, for example, is responsible for developing and monitoring governance policies. The security management committee serves as the incident response “SWAT” team that gets mobilized in the instance of any suspected breach, says the SSHA executive.
A self-policing culture exists among the agency’s 350 employees. Everyone is obligated to “challenge” anybody who is found to be in violation of the company’s internal policies.
“Security and privacy are constantly in people’s faces. That mindset in the organization is instilled very strongly,” says Olarnyk.
These policies are designed to reduce, if not eliminate, any risk of compromising sensitive data. Such rules include a “clean desk policy,” which requires all employees to empty their desks and printers before they leave for the day. All employees are also required to wear their badges at all times.
Access rights are granted by role, Olarnyk says, which doesn’t necessarily mean higher positions get greater access privileges.
“Sometimes your title means nothing, especially from a security standpoint,” explains the SSHA CIO. “My badge does not give me access to the server room because I have no business being there.”
New hires go through stringent background checking as well, including one with the Ontario Provincial Police. The level of checks for new employees becomes more extensive as their exposure to client data gets deeper, Olarnyk says.
Intrusion detection systems, normally located at the perimeter level to prevent external threats from getting into the network, are installed “inwardly,” according to Olarnyk. That means the technology has been installed to monitor internal traffic, to ensure that no unauthorized access is taking place within the corporate network, he explains.
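The “inward” monitoring Olarnyk describes can be illustrated with a small rule run over internal flow records. This is an added example, not SSHA’s configuration or code: the zones, addresses, ports and log format below are all constructed for the illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed internal zones; a real deployment would load these from the IDS config.
ZONES = {
    "workstations": ip_network("10.10.0.0/16"),
    "server_room": ip_network("10.20.0.0/24"),
    "ops_jump_hosts": ip_network("10.30.0.0/28"),
}
# Only the ops jump hosts may open admin sessions into the server-room segment.
ADMIN_PORTS = {22, 3389, 1433}
ALLOWED_ADMIN_SOURCES = {"ops_jump_hosts"}

def zone_of(ip):
    """Map an internal address to its zone, or 'unknown' if it is outside all zones."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def parse_flow(line):
    """Parse a constructed flow record: '<timestamp> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, port = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port)}

def inward_alerts(lines):
    """Return one alert per flow that reaches the server room on an admin port
    from a zone that is not allowed to administer it."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if zone_of(flow["dst"]) != "server_room" or flow["port"] not in ADMIN_PORTS:
            continue
        src_zone = zone_of(flow["src"])
        if src_zone not in ALLOWED_ADMIN_SOURCES:
            alerts.append(f"{flow['ts']} {src_zone}:{flow['src']} -> "
                          f"server_room:{flow['dst']}:{flow['port']}")
    return alerts

# Constructed sample records: two legitimate admin sessions, one web request,
# and one RDP attempt into the server room from a user workstation.
SAMPLE_FLOWS = [
    "2006-03-01T09:12:00 10.30.0.3 10.20.0.15 22",
    "2006-03-01T09:13:10 10.10.4.7 10.20.0.15 3389",
    "2006-03-01T09:14:22 10.10.4.7 10.20.0.40 443",
    "2006-03-01T09:15:05 10.30.0.4 10.20.0.16 1433",
]

if __name__ == "__main__":
    for alert in inward_alerts(SAMPLE_FLOWS):
        print("ALERT", alert)
```

Only the workstation-to-server-room RDP flow is flagged; ordinary web traffic to the same segment and sessions from the jump hosts pass.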
Insider threat, says Olarnyk, is a risk his firm cannot afford to ignore. “Oftentimes, people will build a high wall and say they’re safe and they stop at that point. But people do have to look internally and it’s a cultural awareness that people have to engage in.”
SOX mends holes
For Toronto-based Fairmont Hotels and Resorts, the realization of the risks posed by unmanaged and uncontrolled insider access came about two years ago when the company embarked on a Sarbanes-Oxley-driven IT overhaul, says Vineet Gupta, Fairmont’s vice-president for technology.
“We did a lot of SOX IT controls over the last 15 months, which helped us put in controls from an access perspective – who gets access to what and what process do they have to go through to get that access,” Gupta explains.
The employees’ awareness of SOX and other compliance-related issues has made it easier for Fairmont to promote the virtues of establishing internal controls among the 12,000 users that have access to the company’s information resources.
Gupta says the first defense is establishing the “right ethics policy” by making the employees accountable for things that are within the scope of their responsibilities.
Access rights are also controlled and limited based on an employee’s job functions. A system administrator, for instance, would only have access to data and applications within the spectrum of IT management, Gupta says.
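Both SSHA’s “title means nothing” rule and Fairmont’s job-function limits are role-based access control with deny-by-default, and the monitoring Penn recommends is the audit trail of those decisions. The example below is added here and is neither organization’s code; the roles, permissions and user names are constructed.

```python
from collections import Counter

# Constructed role-to-permission map. Seniority is deliberately not a role:
# the CIO role carries no server-room permission, matching Olarnyk's example,
# and the sysadmin role stays within IT management, as at Fairmont.
ROLE_PERMISSIONS = {
    "cio": {"read:budget", "approve:policy"},
    "datacentre_ops": {"enter:server_room", "reboot:servers"},
    "sysadmin": {"admin:directory", "admin:email"},
    "clinical_support": {"read:client_data"},
}

# Constructed user-to-role assignments (hypothetical users).
USER_ROLES = {
    "cio_user": {"cio"},
    "ops_user": {"datacentre_ops"},
    "admin_user": {"sysadmin"},
}

def permissions_for(user):
    """Union of the permissions of every role the user holds; no roles means no access."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def check_access(user, permission, audit):
    """Deny by default and record every decision so access activity can be reviewed."""
    allowed = permission in permissions_for(user)
    audit.append((user, permission, allowed))
    return allowed

def repeated_denials(audit, threshold=3):
    """Users whose denied attempts reach the threshold: a review trigger, not a verdict."""
    denied = Counter(user for user, _, ok in audit if not ok)
    return {user for user, count in denied.items() if count >= threshold}

def demo():
    audit = []
    results = {
        "cio_server_room": check_access("cio_user", "enter:server_room", audit),
        "ops_server_room": check_access("ops_user", "enter:server_room", audit),
        "admin_client_data": check_access("admin_user", "read:client_data", audit),
    }
    # Constructed: the same administrator keeps requesting client data outside their role.
    for _ in range(3):
        check_access("admin_user", "read:client_data", audit)
    return results, repeated_denials(audit)
```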
The hotel chain also monitors and controls usage of IT assets through locked-in desktops that are configured to prevent end-users from loading anything on the hard disk, says the Fairmont executive. “The des