
Historically, the removal of confidential information by company insiders has been difficult to prevent in real time and a challenge for security administrators to monitor closely. To estimate the returns from deploying countermeasures to this complex threat, an examination of the probability and impact of a potential incident is necessary.
The probability of a future event is undoubtedly influenced by intangible issues such as employee disgruntlement and intentions. Information can be lost accidentally or intentionally and, regardless of the probability of either incident, the structured nature of an intentional data breach will often impact business operations more severely than an accidental one.
Considering that a large percentage of published information breach events involved more than one person, peer monitoring may not be the answer. We believe that a reliable and objective approach is the automated, selective and discreet desktop monitoring of suspicious activities, as part of an acceptable usage policy agreement, using toolsets that have an established track record of reducing the misidentification of legitimate desktop operations as suspicious (“false positives”).
The term “impact” is not the same as “damage” in the context of a data leakage event. If a data leakage event is discovered after the fact, concentrating solely on the immediate damage, measured by the replacement cost of the asset, is unlikely to offer the administrator or auditor any useful insight. In this area, “impact” is more accurately defined as “the sum total of all direct and indirect losses” associated with the loss, including replacement costs, compliance penalties and the less tangible effects of reputational loss.
Even if the impact can be quantified by estimating replacement costs and wider losses, this calculation alone makes fundamental assumptions about the information environment. After all, a lead-lined vault is more physically secure than the average office environment. Therefore the assessment of the risks must seek to determine the exposure factor presented by egress points – to evaluate where and how confidential data can be lost.
This assessment should include as wide a scope of devices and interfaces as possible. Printers, USB devices, web use, email, web-mail, messaging systems, screenshots and even FTP or similar outgoing network protocols may present high exposure factors to sensitive information. However, it is not usually acceptable or practical to shut down these facilities for employees. Each egress point should instead be examined in terms of conspicuousness, capacity and transfer speed, and these properties factored into the final exposure assessment. When an event is identified, it must be studied and forensically audited to identify not only the perpetrator but the extent of the breach and the methods used. Only then can the information be acted upon to reduce the probability of a recurrence with countermeasures.
An evaluation of the impact of an event, the exposure factor presented by egress points and an estimation of the probability of an event should provide a useful basis for calculating current risks. Countermeasures can then be prioritised to protect the highest value assets with the highest level of exposure from various egress points. It is unlikely that any single system can cover all of the factors – the process of security administration has to encompass physical security. Preventing sales employees from removing the company’s customer database records via USB music players will only be effective if alternatives such as mobile picture-phone devices are monitored too. Therefore the security administrator should seek to assemble a risk register encompassing a wide range of computer desktop operations and physical information removal techniques.
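As an added illustration of the assessment described above (not code from the original article), the following risk register scores each asset against each egress point using the article's own factors: impact as the sum of direct and indirect losses, an exposure factor derived from conspicuousness, capacity and transfer speed, and an estimated probability. The scoring scale, the weights and the assumption that monitoring an egress point cuts its effective exposure to one fifth are modelling assumptions chosen for the example, as is the sample data.

```python
from dataclasses import dataclass
from itertools import product


@dataclass
class Asset:
    name: str
    replacement_cost: float
    compliance_penalty: float
    reputation_loss: float
    annual_probability: float  # estimated likelihood of a leakage attempt per year

    def impact(self) -> float:
        # "Impact" is the sum of all direct and indirect losses, not just replacement cost.
        return self.replacement_cost + self.compliance_penalty + self.reputation_loss


@dataclass
class Egress:
    name: str
    conspicuousness: int  # 1 = easily noticed in the office, 5 = discreet (assumed scale)
    capacity: int         # 1 = a few records, 5 = the whole database fits (assumed scale)
    transfer_speed: int   # 1 = hours, 5 = seconds (assumed scale)
    monitored: bool = False

    def exposure_factor(self) -> float:
        # Normalise the three scores to 0..1; a monitored egress point keeps only a
        # fifth of its raw exposure (assumed residual, not a figure from the article).
        raw = (self.conspicuousness + self.capacity + self.transfer_speed) / 15
        return raw * (0.2 if self.monitored else 1.0)


def annualised_risk(asset: Asset, egress: Egress) -> float:
    """Risk of one asset leaving through one egress point, in currency per year."""
    return asset.impact() * asset.annual_probability * egress.exposure_factor()


def risk_register(assets, egresses):
    """Rank every asset/egress pair so countermeasures can be prioritised."""
    rows = [(annualised_risk(a, e), a.name, e.name) for a, e in product(assets, egresses)]
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    # Constructed sample data: one high-value asset and three egress points.
    customer_db = Asset("customer database", 50_000, 200_000, 250_000, annual_probability=0.2)
    egresses = [Egress("USB music player", 5, 5, 5), Egress("picture phone", 4, 3, 2),
                Egress("office printer", 2, 2, 1)]
    for risk, asset, egress in risk_register([customer_db], egresses):
        print(f"{risk:>10.0f}  {asset} via {egress}")
    egresses[0].monitored = True  # control the top egress point and re-rank
    print("after monitoring USB:", risk_register([customer_db], egresses)[0][2])
```

Re-running the register after the USB egress is monitored moves the picture phone to the top of the list, which is the article's point that controlling a single egress point shifts rather than removes the exposure.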
Ideally, countermeasures need to offer an effective deterrent in the security management lifecycle. To achieve this effect, the control should give an element of real-time notification to the security administrator and possibly the user, so that as well as preventing the desktop operation that violates a security policy, any operations which are instances of what is often called “unobserved emboldening” can be intercepted as early as possible. Quickly identifying the source of a security policy breach from the violation alert may be critical if the user needs to be questioned before leaving the building.
Unfortunately for a security administrator or compliance officer, the only measurable success of a security control is the number of events that don’t happen. Unlike the field of intrusion detection, when an internal control is effective at reducing information leakage, the deterrent effect becomes part of the overall internal security awareness level in the office. A reduced number of violations enables security administrators to focus on newer employees, helping them understand companywide controls so that the secured environment is perpetuated. This means that internal compliance targets can be addressed as a by-product of managing the insider threat risk.
The most effective approach to security remains the layered approach: as each layer is breached, or even when the user holds the necessary authorisation, the next layer protects the more confidential information. Logging of events and monitoring of users for suspicious activities are critical to a comprehensive approach to data extrusion.