Thursday, April 26, 2007

No Software Solution for Insider Attacks

Via ComputerWorld.com -

LONDON -- Of all the security vendors exhibiting at Infosecurity Europe 2007 here this week, none claim to be able to detect a major threat to enterprises: unhappiness.

Security software doesn't do a good job of detecting employees who may have a grudge against their companies. And often, those unhappy individuals are motivated by deep-seated human emotions: jealously, greed or desire for power, said Bob Ayers, an associated fellow at think tank Chatham House's Information Security Program.

Take, for example, the case of a loathed senior executive of a major European bank. In preparation for a new post, his computer was sent to the IT department, where a security officer said it contained child pornography, Ayers said.

The executive denied the accusation vehemently. Further investigation showed that the pornographic images were placed on the machine by the security officer, an act of revenge against the executive for firing the security officer's father years ago.

"We tend to view insider threats as something with the objective of gaining money or something that can be sold for money," said Ayers, who worked in computer security and intelligence for the U.S. Department of Defense for more than 30 years. "You need to consider other motives than simply financial."

Unfortunately, it's hard to detect employees who may be inclined to act maliciously within a company, said Stephen Bonner, head of information risk management at banking group Barclays PLC.

Ironically, the warning signs of bad employees can also be indicators of good ones: a willingness to work late, a desire to take on more responsibility and close interest in their colleagues' work, he said.

Bonner divided employees into three categories: those who will always do good, those who are mostly good but do bad things, and those who simply prefer bad behavior. Companies can help mitigate their risk by performing background checks and asking employees to take a pledge to act ethically.

Once on the job, managers can also take note of employees' actions. Those who act out -- after not receiving a satisfactory bonus, for example -- may be more inclined to seek retribution against their employers, Bonner said.

On the technical side, it's good to let employees know that their activities will be monitored. But there's a catch. If employees perceive they are being overly monitored, they may act differently, so the monitoring policy should be in line with the organization's work culture, he said.

The last recommendation seems like common sense: If companies treat their employees well, their employees tend to behave better. Addressing human resources problems directly can also help to avoid what could translate into IT problems later.

But companies will always have a certain degree of exposure. "There are people we have to trust in our organizations to work effectively," Bonner said.

No comments:

Post a Comment