Significant amounts of time, resources and effort are put into securing the network perimeter; however, this leaves a "soft" network center which is an attractive target for internal hackers and thieves. There is no better example of an internal security nightmare than the Wikileaks "Cablegate" affair, where a lowly clerk in the US Department of Defense is thought to be responsible for the electronic theft of over 250,000 secret, confidential and certainly sensitive diplomatic cables from US Embassies all over the world.
Protecting company information and data involves more than establishing secure firewalls and security at the gateway. Security is a state of mind rather than a piece of hardware or a complicated software solution. Every company should reassess what the risk to company data is, and the potential threats they face.
Internal threats come in the form of company staff, contractors with access to the network and opportunistic thieves. The threat is intensified because modern memory storage devices can hold immense amounts of data and, at the same time, copying information onto them is extremely fast. It takes only seconds to attach a USB stick to a desktop PC and copy off company financials, projections, market estimates, opportunity and risk analyses, payroll data, the email archive or your entire customer database.
Mobile storage devices are not restricted to USB sticks either: smartphones have storage capability, a USB storage device may be built into something as simple as a wristwatch, and even an iPod can be used to steal data off the network.
The issue then becomes how to control the use of mobile storage devices, and the practical answer is that you cannot, at least not effectively. There will always be instances where staff productivity requires that they be allowed to use USB sticks to transfer information and carry files and company data, so how do you secure your data against an internal threat?
The solution is to implement policies for staff and external parties to follow when using your network and accessing your data. Mobile storage devices can be restricted, and there are IT solutions to manage their use; however, even with a highly secure network, there will always be security holes which can be exploited.
There should be strict access policies so that data is only available to those who actually have a real need for it. As one commentator put it about the Wikileaks saga, sharing "secret" information with 3 million users means it was never secret to begin with. Where and how you store your information is also an issue; the US government agencies involved, notably the US Departments of State, Homeland Security and Defense, were trying to "share" information to avoid missing out on opportunities to capitalize on intelligence assets. The unintended but foreseeable consequence was that sensitive information became available to millions of users (over 3 million), many of whom had no need to access it in any situation.
The Cablegate case also demonstrates that data needs to be properly classified as well as managed. One criticism of the US government's handling of the security breach is that so much of the information was classified as confidential or secret when in fact it was nothing of the kind. Restricting information for its own sake may raise political and civic issues, but another viewpoint is that the information was not appreciated for what it actually was. When you classify all data as sensitive, it becomes easy for people to take security for granted, because the same controls that guard real secrets are also protecting the names of the company bowling team or the employee birthday list.
by L.J.T. Reaves