February 2, 2015
How HR Can Stop Insider Data Theft
Among other things, HR can limit access to data, can watch for disgruntled employees and can swiftly block terminated workers.
After Edward Snowden’s escapades, how could any company fail to take simple measures to reduce its exposure to insider data theft?
Yet large enterprises remain all too vulnerable to insider threats, as evidenced by the Morgan Stanley breach. And many small and medium-sized businesses continue to view insider data theft as just another nuisance piled on to a long list of operational challenges.
“I suspect too many companies are fixated on outsider threats, like malware infections and external hacking, to the extent that insider threats get overlooked,” says Stephen Cobb, senior security researcher at anti-malware vendor ESET.
A low-level Morgan Stanley financial adviser with sticky fingers allegedly tapped into account records, including passwords, for six million of the Wall Street giant’s clients. He got caught allegedly attempting to peddle the stolen records on Pastebin, a popular website for storing and sharing text files.
The financial services sector has long been very proactive in defending against all forms of data breaches, for obvious reasons, and Morgan Stanley was able to nip this particular caper early on. Big banks and investment houses typically have highly trained teams using a variety of detection tools and monitoring regimes designed to flush out any indication of a breach.
“Often you have analysts in a security operations center hunting for abnormal activity,” says Scott Hazdra, principal security consultant at risk management firm Neohapsis. “They can often spot suspicious data movement based on quantity, destination or classification level and react in hours versus discovering data out in the wild when it’s much harder to limit exposure.”
Organizations outside the financial services industry, however, are still on the lower end of the curve in understanding this exposure, much less in taking even basic steps to reduce it.
Given the nature of the exposure, security and privacy experts say human resource officials need to be on the front lines of mitigating insider data theft. In particular, HR department heads should be integrally involved in working with a company’s tech and security teams to define and deploy access rights to sensitive company data.
“With this collaboration and the right tool sets, companies can apply access controls that restrict employees to just the information they need to perform their jobs,” says Deena Coffman, CEO of IDT911 Consulting, which is part of identity and data risk consultancy IDT911. (Full disclosure: IDT911 sponsors ThirdCertainty.)
It’s a balancing act, of course. Quick and flexible access to company records drives productivity gains. At the same time, it creates fresh opportunities for granting unnecessary access privileges — and for theft.
“Building data and network security policies to thwart the likely approaches to steal information is a foundation for limiting possible damage,” says Steve Hultquist, chief evangelist at security analytics firm RedSeal. “Using automation to analyze and ensure compliance with a security policy is essential for protecting customer and corporate data assets.”
There should also be a structured process for communicating changes quickly to ensure that a terminated employee or departed contractor does not retain access privileges, Coffman says.
“Many of the inside attacks are IT employees with elevated privileges and little oversight on how and when those privileges are used,” Coffman says. “The use of privileged accounts should be monitored and logged. Separation of duties should be required on certain functions, and an annual outside review is a good idea.”
Cutting off terminated employees and partners should be swift and sure. Better safe than sorry.
“Too often, organizations don’t have a complete picture of what access each employee has, particularly if they have been there a while,” ESET’s Cobb says. “Getting employee departures right involves a coordinated effort from HR, IT and legal.”
A disgruntled employee who is not planning on going anywhere is another type of exposure that should be addressed. American Banker is now reporting that the alleged perpetrator of the Morgan Stanley breach was promoted to financial adviser from sales assistant about a year ago and gained access to records by manipulating the bank’s wealth management software. The lawyer representing the accused adviser insists in the American Banker report that his client did not post any of Morgan Stanley’s data on Pastebin.
“All managers need to be aware of morale among reports, and there needs to be a process for taking concerns to HR in a discreet way while increasing monitoring of use of IT resources,” Cobb says.