While the FBI claims hackers were behind the Sony Pictures breach, other experts suggest the attack was from a more sinister source: a malicious insider.
Malicious insiders intentionally take confidential institutional data for their own purposes. They can be current and former employees, contractors, business partners, or anyone with access to the organization’s confidential personal or corporate information. So it’s critical for organizations to enter into employment and contractual relationships with the end in mind.
At the outset of the relationship, organizations must treat all employees and contractors as potential threats in order to protect institutional data. It's helpful to consider the approach airports take with their security: They are skeptical of all travelers and take extra precautions to ensure the security of all.
Here are three key ways to protect your organization from insider threats:
1. Limited Access
In airports, access to certain areas and information is limited. Using technology and physical locks, an organization can do the same. Access controls should be put in place so employees and contractors can only go where they are allowed and get to information that they are permitted to access. No one person, including those in IT, should have access to everything.
Just as a passenger or airport restaurant worker can’t arbitrarily walk through a boarding gate, an employee or contractor should not arbitrarily be given additional access simply upon request. The request must require justification, and the need should be investigated and confirmed before access is granted.
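The following is an added example, not code from the article or from CyberScout, showing how the "limited access" rules above look as a deny-by-default access model: permissions come only from assigned roles or individually approved grants, extra access needs a written justification and a separate approver, and a check flags any account whose effective permissions reach every resource. All role names, resources, principals and the audit-line format are constructed for illustration.

```python
"""Deny-by-default access model illustrating the 'Limited Access' point.

Added example, not part of the original article. Every role, resource,
person and audit message here is constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed permission matrix: role -> set of (resource, action) pairs it may perform.
ROLE_PERMISSIONS = {
    "hr": {("payroll_db", "read"), ("payroll_db", "write")},
    "finance": {("ledger", "read"), ("ledger", "write"), ("payroll_db", "read")},
    # Even IT administration is scoped: it does not reach payroll_db or project_share.
    "it_admin": {("backup_server", "read"), ("backup_server", "write"), ("ledger", "admin")},
    "contractor": {("project_share", "read")},
}

# Every resource the organization protects (constructed list).
ALL_RESOURCES = {"payroll_db", "ledger", "backup_server", "project_share"}


@dataclass
class Principal:
    name: str
    roles: set
    # Individually approved (resource, action) pairs, added only via request_access().
    grants: set = field(default_factory=set)


def effective_permissions(p):
    """Union of role permissions and individually approved grants."""
    perms = set(p.grants)
    for role in p.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(p, resource, action):
    """Deny by default: only an explicit role permission or approved grant allows."""
    return (resource, action) in effective_permissions(p)


def request_access(p, resource, action, justification, approver, audit):
    """Additional access is never granted on request alone.

    It requires a non-empty justification and an approver who is not the
    requester (separation of duties). Every decision is written to the audit
    list so reviewers can later confirm the need was investigated.
    """
    if not justification.strip():
        audit.append(f"DENIED {p.name} {resource}:{action} reason=no-justification")
        return False
    if approver is None or approver.name == p.name:
        audit.append(f"DENIED {p.name} {resource}:{action} reason=no-independent-approver")
        return False
    p.grants.add((resource, action))
    audit.append(f"GRANTED {p.name} {resource}:{action} by={approver.name} why={justification}")
    return True


def overprivileged(p):
    """True when a principal can reach every resource: the 'no one, including
    IT, should have access to everything' condition from the text."""
    reachable = {resource for resource, _ in effective_permissions(p)}
    return reachable == ALL_RESOURCES


if __name__ == "__main__":
    log = []
    alice = Principal("alice", {"hr"})
    bob = Principal("bob", {"finance"})
    print(is_allowed(alice, "payroll_db", "read"))            # True, from the hr role
    print(is_allowed(alice, "ledger", "read"))                # False, denied by default
    request_access(alice, "ledger", "read", "", bob, log)     # denied: no justification
    request_access(alice, "ledger", "read", "audit prep", bob, log)
    print(is_allowed(alice, "ledger", "read"))                # True, after approved grant
    print(overprivileged(Principal("root", set(ROLE_PERMISSIONS))))  # True: has every role
    print("\n".join(log))
```

Running the block shows Alice being refused the ledger until a justified, independently approved request is recorded, and flags a constructed all-roles account as reaching everything. In practice the audit list would be a write-once log reviewed by someone other than the approvers.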
2. Policy and Enforcement
People know what to expect at airports: They must comply with airport security screenings or face the consequences. A company policy should convey a similar message—that unauthorized access to or copying of information is strictly prohibited. The policy should explain that when employees and contractors fail to comply, they could face termination of their employment or contractual relationship and lawsuits depending on how the information was misused.
Just as airport security escalates and enforces its security, organizations must put their policies into action by terminating employment of and contracts with violators, and by suing malicious insiders personally. Saying the organization will do something is not enough; enforcement is crucial to quashing ideas of information theft by a malicious insider.
3. Layered Approach to Security
Airports take a layered approach to security that involves screenings, government lists of known terrorists, physical pat-downs, locked doors, etc.
Organizations also can protect their data through a layered approach by using the multidisciplinary approaches of security, privacy, and information governance. Security controls and technology protect the perimeter from the outside world. Privacy dictates what information is collected and used within the organization. Information Governance handles policy-based control of information and the defensible disposition of information within the organization.
Using this layered approach of multiple information disciplines, an organization can prevent the majority of attempted information theft by malicious insiders.
Most employees are good, hard-working people who want to do their jobs well, get paid, and go home. But malicious insiders don’t wear signs that say “information thief.” Organizations must treat all insiders as potential threats at the beginning of the relationship by implementing the standards outlined above. If Sony had done this, perhaps Brad Pitt’s phone number wouldn’t be circulating on the Internet.
Lisa Berry-Tayman is senior privacy and information governance advisor at CyberScout Consulting.