Another one slips through the DLP net...

New York Fed contractor charged with stealing Treasury code – this story is yet another example of how organisations are failing to address the risk that ‘trusted insiders’ – in this case a contractor – can pose. In an age of terrorist hactivists, many organisations are rightly focusing their data security efforts on securing their systems from ‘external’ threats and the interception of data from outside their defence perimeter. However, increasingly data is - quite literally - walking out of the front door, with little resistance.

Tackling the insider threat can be a tricky task since it involves an organisation’s own staff. The majority of employees and subcontractors are of course trustworthy and so a total IT lockdown or a stop and search policy as they leave the building is neither practical nor appropriate. Besides, no matter what systems and processes a company has in place, if an ‘insider’ wants to steal data, there is a residual risk that they will find a way of doing so. Especially, considering we now live in a world of Cloud storage, Smartphones and high capacity USB sticks!

What is so common, as with this New York Fed example, is that the culprit had privileged access to the information as part of their role within the company and they abused that trust. What this highlights is that there are not enough deterrents to stop them from taking this risk. Any ‘insider’ considering data theft will be disinclined if they know that they are likely to be found out; either during the event (through real-time alert generation) or after the event (through forensic examination of user activity logs).

Empowering users with information, trust and an understanding of what data loss prevention and user activity monitoring tools are in place will make them understand that if they steal data they will be caught. More importantly, you need to educate staff that they have an important part to play in protecting the organisation from the threat of data loss. Following this approach will help staff understand that they need to treat company and client information with the same respect they have for their own.