Many companies focus their security strategies on keeping outsiders from getting into the network. Yet a large percentage of serious security breaches come from within. Some of these are deliberate and others are unintentional, but either way they can put your network and the data on it at risk and result in lost productivity and/or direct monetary loss.
As your business grows, it's important that your security strategy be able to evolve to meet your changing needs. This is especially true when it comes to protecting against internal threats, because the methods that work in a small company environment generally don't scale well as the organization gets larger. Let's look at how you develop a scalable strategy for preventing internal security breaches.
A threat that evolves
When a company is small and has only a few employees, internal security breaches may be less likely to occur, and easier to detect, than in a larger organization. There are several reasons for this. In the small company environment, managers and employees work more closely together, so there is less opportunity for intentional breaches. There is often less specialization, so employees work together, share computers, etc., rather than each worker handling just his or her "piece" of a project or a narrowly defined set of tasks. This also reduces opportunity and makes detection more likely.
On the other hand, employees in small companies often are given more autonomy and managers may be more trusting. In those cases, there is a golden opportunity for the employee who wants to do so to steal data or bandwidth, or use the network for personal web surfing, emailing, chat, and so forth—all activities that can expose the network to risk. And the small company is less likely to have a dedicated IT department or security personnel to put technological security measures into place, and also less likely to have detailed written policies governing employees' use of the network.
So while the relative anonymity of employees in a very large company may make it easier in some ways for them to breach security, they're more likely to run into preventative measures (such as computers that are locked down more tightly, firewalls that are configured more securely and so forth).
Assessing internal threats
Internal threats can be divided into several different categories. For example:
- Corporate espionage: employees may be recruited and paid by the company's competitors to steal data
- Malicious/disgruntled employees: current and recently terminated employees may wish to do damage to the network because of a grievance they have against the company
- Unintentional breaches: employees put the network at risk by installing unauthorized software, opening virus-infected email attachments, succumbing to social engineering attacks, etc.
You may also classify non-employees with physical access to the network as a form of internal threat. Examples include contractors and "temp" workers, vendors, even janitorial service personnel and others who work on your site but are not actually employed by your company.
Security policies that evolve as you grow
The best way to create policies that can address these types of threats in both the small and large company environment is to implement a multi-layered strategy right from the beginning. Your policies should address both behaviors and technologies.
Policies targeting internal breaches should address such issues as:
- Policies governing the use of external removable media such as floppy disks, flash drives, USB/Firewire hard drives, CD/DVD burners, and so forth. Many internal breaches occur when insiders copy company data to removable media, or bring in removable media from which they install programs or upload data to the network.
- Email attachment policies. A large portion of internal security breaches occur when someone on the network opens infected attachments, or sends confidential company data outside of the network via an email attachment.
- Printing policies. If unable to send or take company data in electronic form, insiders may print the information out and take the hard copy.
- Download policies. Many inadvertent security breaches are caused by those on the network downloading information from the web that contains malicious code, which then provides external attackers with a way into the network.
Enforcing policies to prevent internal threats
It's not enough to issue a set of written policies dictating that "thou shalt not..." The second layer of your security strategy should be to enforce the policies technologically whenever possible.
You can physically remove or disable removable media drives, card readers and the like from the computers of users who don't need them. You can control the use of portable storage devices with software solutions such as GFI's EndPoint Security (formerly Portable Storage Control). You can set firewall policies to prohibit incoming and/or outgoing email attachments, or to allow only attachments of certain types. Content security filters can examine attachments and flag those that violate your policies. You can restrict access to printers, and place printers in supervised areas to make it more difficult for users to print material that they shouldn't. You can use solutions such as Microsoft's Rights Management Services to restrict the ability of internal recipients of email and Office documents to print, copy and forward those documents. You can configure firewalls to prohibit visiting known dangerous web sites or to allow users to visit only known safe sites.
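The attachment-type rule above (allow only certain types, and have a content filter flag violators) is easy to state and easy to get wrong if the filter trusts the file name alone. The following is an added example, not code from the article or from any of the products it names: a small Python attachment checker that applies an extension allow list, rejects double extensions such as `report.pdf.exe`, and also inspects the leading bytes so that an executable renamed to `.pdf` is still caught. The allow and block lists, the `example.test` addresses and the sample message are all constructed for this illustration; a real deployment would take its lists from the written policy.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Hypothetical policy lists (constructed for this example, not from the article).
ALLOWED_EXTENSIONS = {".pdf", ".txt", ".csv", ".docx", ".xlsx", ".png", ".jpg"}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta", ".jar"}

# Leading bytes of common native executable formats; checked independently of the name.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
}


def evaluate_attachment(filename: str, payload: bytes) -> dict:
    """Apply the attachment policy to one file; returns allowed flag plus reasons."""
    reasons = []
    # suffixes() gives every dotted extension, so "invoice.pdf.exe" -> ['.pdf', '.exe']
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    last = suffixes[-1] if suffixes else ""

    if not suffixes:
        reasons.append("no file extension")
    elif any(s in BLOCKED_EXTENSIONS for s in suffixes):
        reasons.append(f"blocked extension in name: {filename}")
    elif last not in ALLOWED_EXTENSIONS:
        reasons.append(f"extension {last} not on allow list")

    # Name-independent check: the declared type or extension may lie about the content.
    for magic, description in EXECUTABLE_MAGIC.items():
        if payload.startswith(magic):
            reasons.append(f"content looks like a {description} regardless of name")
            break

    return {"allowed": not reasons, "reasons": reasons}


def check_attachments(raw_message: bytes) -> list:
    """Parse a raw RFC 5322 message and evaluate every attachment part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        verdict = evaluate_attachment(name, payload)
        findings.append({"filename": name, "size": len(payload), **verdict})
    return findings


def build_sample_message() -> bytes:
    """Construct a test message: one clean CSV, one double-extension executable,
    and one executable renamed to .pdf. Entirely synthetic sample data."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "Q3 figures"
    msg.set_content("See attached.")
    msg.add_attachment("Region,Revenue\nEast,100\n", subtype="csv", filename="q3.csv")
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60  # PE header bytes only, not a real program
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    msg.add_attachment(fake_exe, maintype="application", subtype="pdf",
                       filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in check_attachments(build_sample_message()):
        status = "ALLOW" if finding["allowed"] else "BLOCK"
        print(f"{status:5} {finding['filename']:20} {finding['size']:5} bytes "
              + "; ".join(finding["reasons"]))
```

Running it flags `invoice.pdf.exe` on both the name and the content check, and `statement.pdf` on the content check alone, which is the case a name-only filter would have passed. The same evaluation can sit in front of an outbound gateway to catch confidential material leaving as a renamed attachment, although detecting that needs content classification beyond the magic-byte check shown here.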
The key points to developing a scalable strategy to prevent internal security breaches are:
- Don't overlook the risk of security breaches from inside the network
- Develop written policies specifically aimed at internal threats
- Distribute the policies and ensure that users sign off on having received them
- Reinforce the written policies with training to prevent unintentional breaches (for example, educate users on safe surfing practices, the dangers of opening unknown attachments, how to recognize a social engineering ploy, etc.)
- Enforce the policies with technological controls whenever possible
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.