How Much Do You Trust Your Janitor?

3 Key Tips for Preventing an Inside Job

NOTE: This article originally appeared in the May 2009 issue of Flawless Compliance, under the "Hello Rubber, Meet the Road" section. The link to the actual issue is at the bottom of this article.

Just one inside job can put you completely out of business.

The janitor at my building has access to each and everybody’s office including mine. I wonder how many people would be devastated if the janitors decided to steal as much as they possibly could in one night. Under most circumstances I wouldn’t be necessarily devastated, but certainly impacted to a good degree. How about you?

Over 80% of all privacy leaks are caused by insiders, not outsiders. We spend billions of dollars trying to keep outsiders from hacking in, while people on the inside walk out the front door with sensitive information.

Obviously, janitors aren’t the only ones in the organization to worry about. Some of your database administrators have unrestricted access to every piece of information in all of your databases. And, if you outsource or even offshore this function, chances are you don’t even know who these people are!

And of course, even non-technical people can be an insider risk to your company. The people in your Finance department are surely intimate with insider trading laws, and for good reason. And what about your product engineers? What would happen if they farmed out your sensitive product information to your competitors?

But what can you do? To a large extent you must trust the people in your company in the same way I trust the janitor to leave my stuff alone. But what’s the best way to control against insider attacks?

What most paranoid companies start doing is infesting the company with productivity-crippling controls in the name of “protecting the organization.” This is exactly what not to do. It doesn’t make any sense to create insurmountable access-policy and authorization bottlenecks.

The challenge is to maintain high productivity and throughput for your workers while simultaneously protecting yourself from insider attack. Yes, this is challenging, but not impossible. The first mistake is thinking it’s an “either/or” situation, when in reality you can have your cake and eat it too; you just need to solve for it.

Here are my favorite tips for achieving maximum throughput while controlling the risk of insider attack:

Effective Controls for Insider Attack – Tip # 1: Use Preventive Controls Cautiously

Installing preventive controls for insider attacks is one of the biggest traps people fall into. For instance, to prevent a database administrator (DBA) from stealing sensitive HR information from the database, you might make a blanket policy that nobody has access to the database except one HR DBA. This DBA now becomes a bottleneck for anything HR related. What happens when the one DBA gets sick or is out on vacation? You’re putting your entire HR database at risk.

Use a preventive control only when you know for certain that a particular action should never take place. For instance, personally identifiable information (PII) should never leave the company, so putting up a firewall to prevent this, as PCI (Payment Card Industry) compliance suggests, is certainly appropriate.

Effective Controls for Insider Attack – Tip # 2: Focus Heavily on Contingent Controls

If you’ll remember, both preventive and contingent controls are proactive. However, the difference between the two is whether you focus on the cause or the impact. Where preventive controls will stop something from happening by addressing the cause, contingent controls will allow the risk to happen, but make sure the impact is minimized.

Of course you need to be careful with this approach and make sure your contingent controls are effective; however, once set, they work much better to control against insider attacks. An example of a contingent control for the risk that a renegade DBA will delete all the information in your company’s database is having a standby database ready to go that the DBA doesn’t have access to. Contrast this with the preventive control of not allowing the DBA access at all.

Effective Controls for Insider Attack – Tip # 3: Make it Extremely Difficult and Unattractive to Execute an Insider Attack

It amuses me whenever I witness a parent count to three when their child is acting up, only to get to three and do nothing but stare at them with a scary face. The child obviously knows this routine very well and has no real internal motivation to stop acting ridiculously. As a child, I never really had the luxury of a count or a stare. Once my dad figured out that I was getting into trouble, swift and acute action was taken.

Empty threats and ineffective controls compromise your ability to defend against insider attack. Nobody really cares what your policy says will happen; they care about two things: what are my chances of getting caught, and what will happen to me if I do get caught?

Install a system of real-time violation monitoring, and the minute offenders are identified, go for the jugular vein. You need to send a very clear message to the organization that insiders will be dealt with swiftly and severely.

Insider attacks, whether they be insider trading violations, internal technical sabotage, privacy data theft, or the selling of company secrets, are a very real threat to your company that you need to take seriously. The key challenge is to protect yourself without imploding your company with policy and process hurdles. To accomplish this, focus on employing contingent controls and be cautious with preventive controls. Finally, strike quickly and painfully when violators are uncovered. Following these three simple tips will put you on the right path to a safe and productive organization.

... read the May 2009 issue of Flawless Compliance