The insider threat posed by malicious staff abusing technology or network resources must become a major concern for businesses.
But guarding against it is one of the most challenging and complex problems a business will face, according to attendees at the InfoSecurity show in London.
Stephen Bonner, head of information risk at Barclays, said there are four reasons staff may act maliciously: ego, financial motivation, ideology and compromise, such as being a victim of blackmail (the same four motives that counter-intelligence work summarises as MICE: money, ideology, compromise, ego). He warned that history suggests around 5 percent to 10 percent of staff will always be drawn towards bad behavior, while the vast majority, if pushed, could also turn bad.
While motivations such as financial greed and acts of revenge driven by ego predate modern technology by centuries, Andre Muscat, director of network security products at GFI Software, said technology has brought ease and scale that exacerbate the problem.
Ten years ago a rogue employee may well have stolen files or folders but now, said Muscat, "they may have an iPod and that's a device the size of a mobile phone, capable of holding the entire contents of a workstation".
With up to 100 million iPods in circulation and 100 million USB flash drives sold last year alone, according to Gartner, the potential for vast amounts of data leaving the business each day is growing significantly, said Muscat.
To demonstrate the point, he performed a 'pod-slurping' demo (the term for siphoning data onto an iPod or similar portable storage device) for attendees at InfoSec. By simply asking a colleague to print a file from a USB stick, Muscat was able to copy his workmate's My Documents folder and all the passwords saved on the machine.
The file was a genuine PDF document, yet in the 10 seconds it took to print 15 or so pages, a malicious program running in the background from the stick had completed its data theft. Muscat didn't even need to touch his colleague's machine; he simply handed over the USB stick. The practical point for defenders is that the attacker needs no access of his own: a trusted user plugging in untrusted media is enough, which is what removable-media controls on the workstation have to address.
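The demo above works only if the workstation lets a freshly inserted stick be read, written and executed without any policy standing in the way. The following audit script is an added example, written for this page; it is not code from the article, from GFI or from any of the speakers. It assumes Windows 7 or later and an elevated PowerShell session. The registry paths and value names are the documented Group Policy locations for AutoRun, removable storage access and the USB mass-storage driver; the `$findings` list, the `Get-RegValue` helper and the report format are this script's own.

```powershell
# Added example (not from the article or from GFI): audit the Windows settings
# that decide whether a plugged-in USB stick can do what the pod-slurping demo did.
# Assumptions: Windows 7 or later, run in an elevated PowerShell session.
# Registry paths and value names are the documented Group Policy locations;
# the findings list, helper and output format are this script's own.

$findings = @()

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. AutoRun/AutoPlay: NoDriveTypeAutoRun = 0xFF disables autorun for every
#    drive type, so inserting a stick cannot launch anything by itself.
$autorun = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
if ($autorun -ne 0xFF) {
    $findings += "AutoRun not fully disabled (NoDriveTypeAutoRun = $autorun; expected 0xFF)"
}

# 2. Removable storage access policy. The GUID is the Group Policy device class
#    for "Removable Disks"; Deny_Write = 1 blocks copying data onto a stick and
#    Deny_Execute = 1 blocks running programs from one. Deny_All covers every class.
$rsd  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$disk = Join-Path $rsd '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$denyAll     = Get-RegValue $rsd  'Deny_All'
$denyWrite   = Get-RegValue $disk 'Deny_Write'
$denyExecute = Get-RegValue $disk 'Deny_Execute'
if ($denyAll -ne 1) {
    if ($denyWrite -ne 1)   { $findings += 'Removable disks: write access is allowed (Deny_Write is not 1)' }
    if ($denyExecute -ne 1) { $findings += 'Removable disks: execute access is allowed (Deny_Execute is not 1)' }
}

# 3. USB mass-storage driver: Start = 4 means disabled, the bluntest control.
$usbstorStart = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
if ($usbstorStart -ne 4) {
    $findings += "USBSTOR driver enabled (Start = $usbstorStart)"
}

# 4. Evidence: every USB storage device ever connected leaves an entry under
#    USBSTOR (FriendlyName sits on the per-serial subkey), which gives the
#    forensics work the article mentions a starting point.
$seen = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).FriendlyName } |
    Where-Object { $_ } | Sort-Object -Unique

if ($findings.Count -eq 0) {
    'Removable media controls: OK'
} else {
    'Removable media controls: FINDINGS'
    $findings | ForEach-Object { " - $_" }
}
''
'USB storage devices previously connected ({0}):' -f @($seen).Count
$seen | ForEach-Object { " - $_" }
```

Disabling AutoRun stops the stick from launching code on insertion, but it does not stop a user from double-clicking a trojanised document, which is why the Deny_Execute and Deny_Write policies matter more than the AutoRun setting on its own. The USBSTOR enumeration is read-only and is worth running on a machine under investigation before anything else is touched.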
According to research from the Ponemon Institute, cited by Muscat, the average cost of a data breach during 2006 was US$4.6 million. The FBI's own statistics suggest 70 percent of attacks last year originated within the organization.
Bob Ayers, associate fellow with the Chatham House information security programme, said many of the companies he works with, which he did not name, have seen extreme examples of rogue behavior, such as a CFO who infected a network with malware to discredit the CTO, his rival for promotion to CEO.
Another example, from a rival bank and cited by Barclays' Bonner, saw an employee go short on shares with his entire life savings, in anticipation of a fall in the share price that he planned to bring about through a series of digital attacks.
But much of the complexity in addressing these problems comes when trying to spot potentially rogue employees and differentiate them from other staff.
Bonner said: "Companies are advised to look out for staff who show a willingness to work late, who take an interest in other people's work and are keen to take on more responsibility."
The rogue employee's interest is in getting as much access to information as possible while appearing beyond suspicion. But, as Bonner said, that behavior is also in keeping with the profile of the model ambitious employee.
Among the measures companies must therefore introduce are effective grievance procedures, said Ayers. Businesses should also pay particular attention to staff once they have handed in their notice: ensure all access and permissions are revoked on their last day, and consider what access they should have during their notice period.
However, overly intrusive monitoring could have a negative impact, said Bonner: staff who feel they are being treated like criminals may choose to behave like criminals.
As such there is no simple solution or single answer, but Ayers said companies must all increase their awareness of the issue and plan effectively for monitoring and stemming potentially damaging behavior.
Not all cases will be nipped in the bud, and Bonner said companies must also plan for effective forensics and the gathering of digital evidence.
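The leaver controls Ayers describes fail most often through drift between HR's leaver list and what the directory actually says. The script below is an added example for this page, not code from the article, from Chatham House or from any speaker. It assumes the ActiveDirectory module (RSAT) is installed, the session can read and disable accounts, and that `leavers.csv` is a constructed file with the columns `SamAccountName,LastDay` (dates as `yyyy-MM-dd`); the `$PrivilegedGroups` list, the `-Enforce` switch and the report labels are this script's own. By default it only reports; with `-Enforce` it disables overdue accounts and strips their privileged group memberships.

```powershell
# Added example (not from the article or Chatham House): reconcile an HR leavers
# list against Active Directory so nobody keeps access past their last day, and
# flag leavers still serving notice who hold privileged group membership.
# Assumptions: ActiveDirectory module installed, rights to read and disable
# accounts; leavers.csv is a constructed file: SamAccountName,LastDay (yyyy-MM-dd).
param(
    [string]$LeaversCsv = '.\leavers.csv',
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins'),
    [switch]$Enforce   # without this switch the script only reports
)
Import-Module ActiveDirectory

$today   = (Get-Date).Date
$leavers = Import-Csv $LeaversCsv

foreach ($row in $leavers) {
    $lastDay = [datetime]::ParseExact($row.LastDay, 'yyyy-MM-dd', $null)

    # -Filter returns nothing (no error) when the account does not exist
    $user = Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'" `
                       -Properties Enabled, MemberOf, LastLogonDate
    if (-not $user) {
        "MISSING  $($row.SamAccountName): not in AD (already deleted, or HR/AD mismatch)"
        continue
    }

    # Resolve group DNs to names and keep only the privileged ones
    $privileged = @($user.MemberOf |
        ForEach-Object { (Get-ADGroup $_).Name } |
        Where-Object { $PrivilegedGroups -contains $_ })

    if ($today -gt $lastDay) {
        # Past the last day: the account must be disabled, no exceptions
        if ($user.Enabled) {
            "OVERDUE  $($user.SamAccountName): left $($row.LastDay), still enabled, last logon $($user.LastLogonDate)"
            if ($Enforce) {
                Disable-ADAccount -Identity $user
                # Also drop privileged memberships: a disabled account can be re-enabled by mistake
                foreach ($g in $privileged) {
                    Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
                }
            }
        } else {
            "OK       $($user.SamAccountName): disabled"
        }
    } else {
        # Still in the notice period: this is where access should be reviewed
        if ($privileged.Count -gt 0) {
            "NOTICE   $($user.SamAccountName): leaves $($row.LastDay), still in $($privileged -join ', ')"
        } else {
            "NOTICE   $($user.SamAccountName): leaves $($row.LastDay), no privileged groups"
        }
    }
}
```

Run it daily from the HR feed rather than once at offboarding time: the MISSING and OVERDUE lines are the ones that indicate the process, not the script, has a gap, and the NOTICE lines give the manager a concrete list of rights to decide about during the notice period rather than an abstract instruction to "consider access".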
Will Sturgeon of Silicon.com reported from London.