Firewalls and antivirus software won't stop an angry employee from stealing data, or a sloppy one from accidentally exposing it.
Staff Writer, CNET News.com
A company's biggest security threat isn't the sinister hacker trying to break into the corporate network, but employees and partners with easy access to company information.
Just ask Apple Computer, which filed two lawsuits in December accusing insiders and partners of leaking proprietary information. In one case, Apple is suing two men it says distributed prerelease versions of Tiger, the next iteration of Mac OS X. In a separate action, it is suing unnamed individuals who leaked details about a forthcoming music device code-named Asteroid.
Apple's not the only company that's found sensitive internal information leaked to the public. Big names such as America Online, Microsoft and Cisco Systems have also been victims. Research indicates that most security breaches are inside jobs. A recent Ponemon Institute survey of 163 Fortune 1000 companies found that roughly 70 percent of all reported security breaches were due to insiders.
"It's much more glamorous to think of the hacker who works for some large cyber-crime ring," said Larry Ponemon, head of the Tuscon, Ariz., think tank. "But in reality, those characters only make up a small percent of the problem."
For more than a decade, corporations have erected digital perimeters to keep outsiders off their networks. But now discontented, reckless and greedy employees, and disgruntled former workers, can all be bigger threats than the mysterious hacker. And as more companies outsource portions of their business, vital company information can easily fall into the wrong hands.
Securing information from the inside has been largely overlooked by many companies. But headline-grabbing incidents such as the one at Apple, along with new federal and state regulations for protecting private information, are causing many companies to rethink their security strategies from the inside out. As a result, a whole new class of products has sprung up aimed at keeping employees and other insiders from sending confidential information outside the company.
Developing new techniques
In addition to products that control who gets access to what information, a slew of new start-ups focus on securing digital content and watching where it goes.
Products in this category vary in their approach. Some focus solely on protecting intellectual property from being leaked, while others also perform forensics analysis, digital rights management and security policy management.
Some products from companies like Vontu and Vericept act as gateways in the network to track sensitive information that is being sent outside of the network. They monitor e-mail, instant messages, FTP files, and other electronic communications on corporate networks, sniffing for leaks of Social Security numbers and other sensitive information.
But gateways aren't perfect. They only prevent information from being electronically sent over the network. They do nothing to prevent people from downloading files or printing documents.
Jon Oltsik, senior analyst with Enterprise Strategy Group, says technology must also exist on PCs and other devices not only to monitor what data is traversing the network, but to establish and enforce policies regarding printing and downloading information onto disks or USB devices.
"There isn't one technology that will solve this problem," Oltsik said. "You really need to take a combination of approaches."
The no-tech Trojan horse
Once inside a company or one of its partners, a trusted employee can do enormous damage. Often such leaks disclose the most sensitive of data.
"Insiders know where the information is located and how the security systems work," Oltsik said. "They know what information is valuable and what's not."
Matching the figure from the Ponemon study on corporate leaks, Michigan State professor Judith Collins found that 70 percent of all identity thefts she studied started with the theft of personal data from a company by an employee.
It takes only one rogue employee to put a company at risk, said Brian Tretick, a principal at Ernst & Young who works in the Privacy Assurance and Advisory Services group. One of his clients had an incident recently in which an employee in the human resources department took home documents that included Social Security and bank account numbers. The employee's brother coerced her into giving him access to the information, which he used to get credit cards and fraudulent accounts.
Several big-name companies, including Apple, Cisco and Microsoft, have had problems with internal information being leaked. In addition to the suits mentioned earlier, Apple is suing a Mac enthusiast Web site it said solicited insiders to break confidentiality agreements and leak information.
In June, authorities arrested a former AOL employee for allegedly selling 92 million AOL screen names to a spammer. He supposedly gained access to the data using a co-worker's identification code.
In November, a Connecticut man was arrested on charges of selling Windows 2000 and Windows NT 4.0 source code stolen from a Microsoft partner. He now may face up to 10 years in prison and a fine of $250,000.
Some of Cisco's IP router source code was leaked to a Russian Web site in May. It's unknown how the information got out, but some suspect an employee or partner may have leaked it.
The company found out about the fraud when employees affected by the scam compared notes and realized the information had been leaked from their employer. Only about 100 employees were hit by the scam, but because the company wasn't certain which workers had been compromised, it was forced to notify everyone. The company set up a 24-hour hotline to answer questions from employees. It is providing free credit reports to all workers for at least one year. It also changed some of its business processes to prevent future breeches. In the three months after the fraud was detected, the company spent more than $2 million to mitigate the effects, Tretick said.
The Association of Certified Fraud Examiners estimates that a typical U.S. organization loses about 6 percent of its annual revenue to fraud, according to Ernst & Young's global security survey published in September. When placed within the context of the U.S. gross domestic product for 2003, that amounts to roughly $660 billion.
"Companies are really conflicted about how to handle the internal threat problem," Tretick said. "They want to make their processes open and easy so they can run an effective business. That often means putting trust in the people who work for them. But all it takes is one bad apple."
The long arm of the law stretches
Over the past couple of years, outrage from customers and clients victimized by these schemes has spurred legislation at federal and state levels. New laws, including the Gramm-Leach-Bliley Act, Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act (HIPAA) and California's Database Protection Act of 2003, have made companies legally responsible for protecting individuals' personal information housed in their databases.
The Ponemon Institute's data security study asked respondents what type of leaks they'd suffered. Because respondents could cite more than one category per incident, the percentages don't total 100.
22 percent of leaks involved customers' personal data.
10 percent involved workers' personal data.
39 percent disclosed confidential business data.
14 percent leaked intellectual property, including software code.
16 percent: "Other."
While protecting personal information has become an important legal issue for companies, other sensitive information, such as intellectual property, leaked by insiders to competitors or to the public, can also have devastating financial consequences. The problem has become even more important as companies, particularly those in technology, increasingly outsource work.
"A lot of these outsourced employees have access to huge amounts of sensitive data," Ponemon said. "It's easy for them to download files or print them out and put them in a briefcase and carry them outside. In places like India or Latin America, where they are paid far less than counterparts in the U.S., stealing information and selling it can seem like (just) another source of revenue."
Most internal security breeches aren't the result of rogue employees, but are rather the result of negligence or error. Of the internal attacks cited in Ponemon's report, about almost 40 percent occurred because well-intentioned employees inadvertently caused security problems by how they handled sensitive information. Only 30 percent were attributed to malicious employees.
"Most internal security issues are due to organizational sloppiness," he said. "These aren't bad people. They are just trying to get a job done, but they aren't considering all the consequences to their actions."