The National Fraud Survey puts estimates of internal attacks on U.S. businesses at $400 billion per year, illustrating a collective lack of accountability among those endowed with the power, authority and access credentials to leak corporate data, whether maliciously or by accident.
In spite of such facts, tightening government regulations and heavy media coverage, many organizations continue to simply accept the risks, relying on the implicit trust that characterizes the security posture of so many organizations today.
In fact, in a January 2006 survey of 88 companies' insider-threat defenses, Aberdeen Group found "the majority of respondents have yet to implement technology to address insider threats - only 41 percent have done so."
The question becomes whether we can afford to continue down such a path, given the increasing liability and consequences surrounding internal fraud or data compromises. The reality is that organizations that hold sensitive data like credit card numbers, social security numbers, and invaluable intellectual property are being held responsible for such breaches by customers, partners, employees, shareholders, government regulators, and their competition. As a result, in many cases security and risk management approaches are being found negligent and security teams are being held accountable. Quite bluntly, heads are rolling and organizations need to begin taking more proactive approaches, including implementing more effective technology and policy controls.
The dilemma faced by organizations then comes down to either eliminating the availability of services and devices or monitoring what content is moving across such channels. While many security teams are opting to focus on network security and perimeter-based security, the primary vehicle in response to this situation has been the wholesale shutdown of applications, services and devices rather than potentially impacting the corporate culture with a content monitoring solution.
But is this the answer? As technological innovation continues, new applications, devices and functionality become available enriching our lives, and making our jobs easier, more pleasurable, or efficient. Is it a viable strategy to continue to just lock out such innovations as they become available, eliminating any potential value of the technology to business?
On the other hand, employers continue to struggle to strike a balance between monitoring criminal and negligent behavior on the desktop and not interfering with corporate culture or violating the trust of employees. Monitoring employees is nothing new in the enterprise. According to the American Management Association (AMA) and The ePolicy Institute, the majority of employers monitor their employees, including things like their keystrokes, duration of calls, Internet usage, voice mails, computer terminals, or email. In fact, the AMA and The ePolicy Institute report that 76 percent of employers monitor their workers' Web site connections, and 36 percent of employers track content, keystrokes and time spent at the keyboard. Another 50 percent store and review employees' computer files, with 55 percent of employers retaining and reviewing email messages.
According to Nancy Flynn, executive director of The ePolicy Institute and author of E-Mail Rules, Instant Messaging Rules and other books related to workplace computer use, "Concern over litigation and the role electronic evidence plays in lawsuits and regulatory investigations has spurred more employers to implement electronic technology policies."
While historically, we've seen employee monitoring focused on measuring performance and productivity or protecting a company during an HR crisis, today we also see the prevalence of insider security breaches and identity theft forcing companies to expand their existing policies to monitor and prevent criminal and negligent behavior.
Behind this growth in monitoring policy is a business goal aimed at ensuring the continued viability and success of the company, which should be in every employee's long-term best interest.
While upsetting the collective culture is never a good thing, we must consider the organizational cost of monitoring activities, especially relative to the business critical issue of exposing the organization to substantial risks.
When one considers the employment of organizational monitoring, the two primary conflicts are the potential impact on company culture and the issue of employee privacy. As illustrated below, continuous auditing of critical communication channels like e-mail, Web, and IM, as well as the use of removable storage devices such as USBs and CDs, for potentially dangerous activity is not necessarily an invasion of employee privacy, nor does it have to deteriorate the fabric of our organizational culture.
Enforcement Within a Culture of Trust
When it comes to monitoring, the effective enforcement of policies is no more a statement of distrust toward employees than a culture of trust is the reflection of some hollow stated goal spun out of organizational propaganda.
When executive leadership makes statements regarding how core to the company's success their employees' mutual trust is, it is reflective of an attitude and level of respect that is established through the collaborative journey through the thick and thin that characterizes the business experience. Over time, sharing in such events and common achievements builds a level of understanding that results in a culture of trust.
If there is not a strong sense of team within your organization, where members feel they are part of a greater collective, then there are larger issues and dynamics that need to be addressed beyond the implementation of a policy enforcement tool. Surveys that gauge which factors are most important to an employee's satisfaction often cite employees' relationships with their management as the top item. This reflects the fact that trust is an indicator of a series of direct relationships with people, and not of some intimate relationship with an inanimate business entity or its associated organizational policies.
Is this to say that there won't be any pushback to the adoption of such monitoring activity? Clearly not, as there will always be a certain percentage of individuals with unfounded theories of big brother conspiracies. To mitigate the eccentric outcries and alleviate any escalation of feelings of distrust, it is important to develop within your organization a clear understanding of the need for monitoring activity.
Understanding the Risk
The risk of criminal intent within an organization is real, and the problem is only compounded when one considers the additional risks of outside theft, accidental loss, or a social engineer taking advantage of a well-meaning employee. While there have been many publicized cases that clearly depict the need for effective organizational controls in the mass media, it is easy for employees to remain oblivious, as they are not attuned to the potential issues.
Until we personally know of an entity that has suffered a compromise, it does not quite hit home. This can make it difficult for us as individuals to draw an association with such events, effectively relegating them to isolated cases of a criminal few.
Once someone becomes attuned to the issues, they start seeing such cases in the news and media on a near continuous basis. This type of sensitization to occupational fraud is also an invaluable asset in uncovering potential issues within your organization, especially when one considers that according to the Association of Certified Fraud Examiners nearly 60 percent of discovered fraud is uncovered through tips or by accident.
It also helps for employees to understand what drives and motivates data theft, the real value of the data they are protecting and the potential consequences if such data is compromised. Do your employees understand that a single customer account with an SSN has a street value in excess of $100? Do they understand that patients' lives can be at risk if medical records are used inappropriately?
By understanding the value of the various data surrounding them, employees see much more clearly exactly what policy enforcement is looking for, a key element when it comes to their concern for their own privacy.
Invasion of Privacy?
According to the 2005 Electronic Monitoring & Surveillance Survey from AMA and The ePolicy Institute, employers are doing a good job of notifying employees when they are being watched. Of those organizations that engage in monitoring and surveillance activities, fully 80 percent inform workers that the company is monitoring content, keystrokes and time spent at the keyboard; 82 percent let employees know the company stores and reviews computer files; 86 percent alert employees to e-mail monitoring; and 89 percent notify employees that their Web usage is being tracked.
The largest misconception is that there is a one-to-one correlation between monitoring and an invasion of employee privacy. It would appear that there is some fear that if we say we are going to watch for dangerous transactions on our desktops, our personnel will take this as if they are bad people who need to be watched.
In a properly tailored system, what we are looking for are sensitive transactions or policy infractions. Such assertions conjure up visions of a sketchy individual in a back room looking in on everything an employee does to fulfill their own fanatical agendas. However, the intent is not to monitor "people" per se, but to motivate employee compliance by putting teeth in technology policies that, if violated, could jeopardize the long-term viability of the company.
Employers ready to minimize electronic risks and maximize employee compliance must start with written rules and policies that establish exactly what is considered sensitive data, and where it is allowed or not allowed to be moved.
These are generally established by a policy committee represented by stakeholders of various departments within an organization.
Again, the intent is not so much to watch the person, but to watch for potentially sensitive data movement or breach of policy.
Another factor to consider when entertaining the argument of privacy is the scope of entity. When one thinks of "big brother" and privacy protection it is often in regard to a third party such as an organization or government body that is looking in on our personal data. In monitoring enterprise computer systems, there is no third party involved any more than there is in maintaining video surveillance of your own home. If you are an employee of an organization that is "self-monitoring," you are within the collective scope of your company entity.
Recent legal cases have set an interesting stage in terms of the privacy expectation of employees. Effectively, by not actively monitoring systems your organization is almost condoning, or at least creating, the reasonable expectation within your users that they do have privacy in their activities on your systems, regardless of signed documented policies to the contrary.
This reinforces the issue of the almost Gollum-esque computer user with their "precious desktop" syndrome. The relative transparency with which users work has effectively created an ownership of what transpires within the confines of the desktop.
With this mindset that typifies today's enterprise computer user, this transparent autonomy is potentially introducing much larger volumes of materials, applications, and devices of a personal nature that are actually putting organizations at risk.
Acceptable Use Enforcement
From a corporate perspective, the last thing we want on our network is unnecessary data of a personally sensitive nature to our employees. In this regard content filtering alone is not enough; it must be backed by a tightly coupled tool for the enforcement of Usage Policies, which help limit the proliferation of incoming personal data.
While users typically view acceptable use policies as bureaucratic restrictions, the reality is that these policies are designed to prevent intentional or inadvertent access to materials that could put either the organization or the user in a situation of risk or liability.
If there is no business justification for usage of a particular technology, then should it not be safe to eliminate it? Consider Web mail sites. Clearly these have no business benefit, and actually pose a risk as a potential dissemination point for sensitive data. Technologies to a large degree can enforce usage policies, limiting access to things such as Web-based mail. In this we must be pre-emptive, reducing the risk that users will move personal data between our systems and those of an untrusted source. To some degree this actually reinforces the corporate commitment to protecting an employee's right to privacy on non-corporate controlled systems.
Similar tactics can be applied in filtering for payday loan sites, shopping sites, online banking, or bill pay sites, which will help reduce organizational exposure to an individual's external activities. From a data protection perspective, this type of blocking is particularly appropriate in financial institutions where employees have open access to customer account records and routing numbers that could easily be used in place of their own.
Similar usage policies can be applied at the application or device levels. At the application level, the execution of such things as instant messaging, P2P file sharing, media players, or unlicensed applications can be restricted. In the case of devices, you may wish to lock out removable media where they do not provide some business utility. This can assist in alleviating the introduction of foreign files that may be in copyright violation, contain inappropriate materials, or worse yet introduce a virus or other piece of malicious software.
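The usage-policy decisions described in this section (blocking Web categories such as Web mail, payday loan or shopping sites, restricting application classes like IM and P2P, and locking out removable media unless there is a business justification) can be expressed as a small policy evaluator. The following is an added example written for this page, not code from the author or from NextSentry's products; the host-to-category table, the group names, and the sample requests are all constructed placeholders, and a real deployment would draw categories from a URL categorisation feed and group membership from the directory.

```python
"""Acceptable-use policy evaluator (added example, not NextSentry code).

Categories listed in the written policy are blocked by default; a request is
allowed only when the requester's group holds a documented business
justification (an exception) for that specific category.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Sequence, Tuple

# Constructed host-to-category table (assumption: a real deployment uses a feed).
WEB_CATEGORIES: Dict[str, str] = {
    "mail.example-webmail.test": "webmail",
    "loans.example-payday.test": "payday_loan",
    "shop.example-store.test": "shopping",
    "bank.example-bank.test": "online_banking",
    "docs.example-vendor.test": "business",
}


@dataclass(frozen=True)
class Policy:
    """The written policy: blocked categories plus per-group business justifications."""
    blocked_web: FrozenSet[str]
    blocked_apps: FrozenSet[str]
    blocked_devices: FrozenSet[str]
    # group name -> set of (kind, category) pairs that group may use anyway
    exceptions: Dict[str, FrozenSet[Tuple[str, str]]] = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # human-readable justification for the audit trail and user notice


def classify_web(host: str) -> str:
    """Map a host name to a policy category; unknown hosts are 'uncategorised'."""
    return WEB_CATEGORIES.get(host.lower(), "uncategorised")


def evaluate(policy: Policy, kind: str, value: str, groups: Sequence[str]) -> Decision:
    """Decide one request. kind is 'web' (host), 'app' or 'device' (class name)."""
    if kind == "web":
        category, blocked = classify_web(value), policy.blocked_web
    elif kind == "app":
        category, blocked = value.lower(), policy.blocked_apps
    elif kind == "device":
        category, blocked = value.lower(), policy.blocked_devices
    else:
        raise ValueError(f"unknown request kind: {kind}")

    if category not in blocked:
        return Decision(True, f"{kind} '{value}' ({category}) is not restricted by policy")
    for group in groups:
        if (kind, category) in policy.exceptions.get(group, frozenset()):
            return Decision(True, f"{kind} '{value}' ({category}) allowed: "
                                  f"business justification on file for group '{group}'")
    return Decision(False, f"{kind} '{value}' ({category}) blocked: no business justification")


# Constructed sample policy: the categories named in the article, with two exceptions.
CORP_POLICY = Policy(
    blocked_web=frozenset({"webmail", "payday_loan", "shopping", "online_banking"}),
    blocked_apps=frozenset({"instant_messaging", "p2p_file_sharing", "media_player", "unlicensed"}),
    blocked_devices=frozenset({"usb_mass_storage", "optical_writer"}),
    exceptions={
        "customer_support": frozenset({("app", "instant_messaging")}),   # IM used for support chat
        "field_engineering": frozenset({("device", "usb_mass_storage")}),  # firmware loads on site
    },
)

# Constructed requests: (user, groups, kind, value)
SAMPLE_REQUESTS = [
    ("alice", ["finance"], "web", "mail.example-webmail.test"),
    ("bob", ["customer_support"], "app", "instant_messaging"),
    ("carol", ["finance"], "device", "usb_mass_storage"),
    ("dave", ["field_engineering"], "device", "usb_mass_storage"),
    ("erin", ["finance"], "web", "docs.example-vendor.test"),
]


def audit(policy: Policy, requests) -> List[dict]:
    """Evaluate every request and return audit records (user, request, decision)."""
    records = []
    for user, groups, kind, value in requests:
        decision = evaluate(policy, kind, value, groups)
        records.append({"user": user, "kind": kind, "value": value,
                        "allowed": decision.allowed, "reason": decision.reason})
    return records


if __name__ == "__main__":
    for rec in audit(CORP_POLICY, SAMPLE_REQUESTS):
        print(f"{rec['user']:6} {'ALLOW' if rec['allowed'] else 'BLOCK'}  {rec['reason']}")
```

The default-deny shape mirrors the article's test: a category with no business case is simply absent from every group's exceptions and is blocked, while a category that some team legitimately needs is opened only for that team, and the reason string records which justification applied.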
Benefits of Monitoring
As mentioned earlier, one of the core objectives of enforcing acceptable use policies was the ability to eliminate the threat from technology vehicles that provided little or no business justification. If there is no business case, and it represents a vector for the introduction or dissemination of potentially sensitive artifacts, restrictions should be appropriately enforced. Unfortunately the IT landscape is not quite so black and white. Often there are high-risk technology vehicles that must remain shut down even if they do provide legitimate business value.
Monitoring systems can actually be a boon to end-users as a source of technology enablement, as organizations are afforded reasonable protection against the leakage of sensitive data across such technologies. Common victims of such service blocking include instant messaging, removable media devices, Web browsing, or even the availability of devices such as laptops or smart phones. Thin client or terminal services are prime examples in which the risk-rich environment of the desktop PC is simply eliminated.
By ensuring that sensitive data is not moving freely out of your organization, monitoring solutions can alleviate the need for such drastic measures, enabling users to take full advantage of both current and emerging technologies into the future. In the end this often results in the ability to improve productivity and can lead to quality and process improvement.
One such example is the ability for a monitoring solution to act as a policy education and awareness tool. Education is an ongoing process in support of such policies, which is comprised of two elements: inform and reinforce. The process of informing generally revolves around the more traditional approach of educating users on policies through corporate communications and workshops. The process of reinforcement is something that may be effectively supplemented through interactions at the desktop layer, providing interactive feedback to a user when a potentially sensitive situation arises.
A recent example that indicates the ongoing need for educational activities involved a security test in which USB thumb drives were populated with software that would provide its owner with backdoor access to a network. Of the 14 devices picked up from around the corporate campus, 14 checked in. A consultant shared an entirely separate test activity in which users were educated on this specific form of breach prior to its execution. While the result demonstrates a 30% improvement, in the end seven breach points had successfully been created.
The point here is that such education is an ongoing endeavor and not simply an act of dropping a policy manual on a user's desk. By utilizing real-time notification to users of policy infractions, you have established the ultimate reinforcement tool. Consider a situation where a user is sending sensitive data outside of an organization unencrypted. An alert box notifying them that they are sending e-mail outside of the company in an unprotected state will certainly build on their understanding of data handling practices, as well as increasing awareness as to what an organization deems sensitive.
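The real-time reinforcement described above (an alert when sensitive data is about to leave the company unencrypted) comes down to three checks on an outbound message: is any recipient outside the organization, does the content contain data the policy classifies as sensitive, and is the message protected. The block below is an added example written for this page, not code from the author or from NextSentry's StealthAgent; the internal domain list, the two data types (U.S. SSN and Luhn-valid card numbers) and the sample messages are constructed assumptions, and a production policy would carry many more classifiers.

```python
"""Outbound e-mail inspection with user notification (added example, not NextSentry code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed: domains considered inside the company boundary (assumption).
INTERNAL_DOMAINS = frozenset({"corp.test", "mail.corp.test"})

# U.S. SSN shape, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 16 digits optionally separated by spaces or hyphens; Luhn-checked below.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order numbers that merely look like card numbers are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[str]:
    """Return the sorted list of sensitive data types present in the text."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    for run in CARD_RE.findall(text):
        if luhn_ok(re.sub(r"\D", "", run)):
            found.add("credit_card")
            break
    return sorted(found)


@dataclass(frozen=True)
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    encrypted: bool = False  # True when S/MIME, PGP or gateway encryption was applied


@dataclass(frozen=True)
class Verdict:
    action: str                     # "allow" or "notify"
    findings: List[str]             # sensitive data types detected
    external_recipients: List[str]  # recipients outside INTERNAL_DOMAINS
    notice: Optional[str]           # text for the alert box when action == "notify"


def is_external(address: str) -> bool:
    """An address is external when its domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in INTERNAL_DOMAINS


def inspect_outbound(msg: Message) -> Verdict:
    """Apply the three checks and build the user-facing notice when all three fail."""
    external = [r for r in msg.recipients if is_external(r)]
    findings = find_sensitive(msg.subject + "\n" + msg.body)
    if not external or not findings or msg.encrypted:
        return Verdict("allow", findings, external, None)
    notice = (
        f"You are sending {', '.join(findings)} to {', '.join(external)} outside the company "
        "without encryption. Company policy classifies this data as sensitive; encrypt the "
        "message or remove the data before sending."
    )
    return Verdict("notify", findings, external, notice)


# Constructed sample messages.
SAMPLE_MESSAGES = [
    Message("alice@corp.test", ["partner@example-partner.test"], "Account details",
            "Customer SSN 123-45-6789, card 4111 1111 1111 1111"),
    Message("alice@corp.test", ["bob@corp.test"], "Account details",
            "Customer SSN 123-45-6789 for the audit file"),
    Message("carol@corp.test", ["vendor@example-vendor.test"], "Order",
            "Reference 1234 5678 9012 3456, please ship Monday"),
    Message("dave@corp.test", ["auditor@example-audit.test"], "Encrypted extract",
            "SSN 123-45-6789", encrypted=True),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        v = inspect_outbound(m)
        print(f"{m.sender} -> {m.recipients}: {v.action.upper()} {v.findings}")
        if v.notice:
            print("  " + v.notice)
```

The third sample shows why the Luhn check matters for the trust argument the article makes: a 16-digit order reference passes the shape test but fails the checksum, so the user is not nagged about data that is not sensitive, and the notices that do appear stay credible.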
The Impact of Implicit Trust
As companies strive to create systems and policies that are inherently trustworthy, it is often the work of a trusted employee within the enterprise that can cause the most damage.
In its 2005 survey, "The Global State of Information Security," PricewaterhouseCoopers found that 33 percent of information security attacks originated from internal employees, while 28 percent came from ex-employees and partners.
A list kept by the Privacy Rights Clearinghouse in the U.S. shows hundreds of data breaches since the highly visible ChoicePoint breach in February of 2005. Many of these breaches originated from within the organization, by what the list refers to as "dishonest insiders." For example, the Privacy Rights Clearinghouse cites the following:
- At one full-service securities firm, a former employee illegitimately accessed more than 100 customer records.
- A hotel's systems were compromised by either a dishonest insider or a hacker, exposing 55,000 records: names, addresses, credit card details, Social Security numbers, driver's license numbers and bank account data.
- A "dishonest insider or possibly malicious software" accessed the systems of an Internet billing company, exposing names, phone numbers, addresses, e-mail addresses, Internet Protocol (IP) addresses, login names and passwords, credit card types and purchase amounts online.
- At an insurance company, an employee accessed confidential data, including names, Social Security numbers, birth dates and addresses on foreclosure properties, and used the information for her own personal gain.
With critical communication channels like e-mail, Web, and IM quickly becoming tools of prey for "trusted" corporate users to leak confidential data to the outside world, secure, survivable and enforceable policies are key to strengthening the longevity of any company. This includes capturing electronic evidence for lawsuits and government agency investigations, as well as ensuring industry compliance to maintain the trust of its customers, partners, shareholders and employees.
Creating a security-conscious enterprise requires taking a closer look at the dangerous activities taking place on the desktop, including policy violations over email, IM, file transfers, Web postings, printing, as well as the use of removable storage devices such as USBs and CDs. It's impossible to impose this kind of policy from the top down, but with forethought and purpose to build a culture of trust, employees will be more likely to embrace the need for monitoring techniques that prevent criminal and negligent activity.
About the Author
Sam Fleming is the software technologist (CTO) driving the development of NextSentry's flagship security products. His work has contributed to the development of ContextIQ, the core context-based engine behind StealthAgent, the desktop resident client that monitors activity and protects confidential information. Fleming joined NextSentry after successfully merging his technology company, A Perfect Web, Inc., with Next IT, NextSentry's parent company. Fleming was the founder and chief technology officer of A Perfect Web. APW provided cutting edge custom web and software solutions for customers in over 100 industries.