The Threat Within

Christmas is an expensive time of the year, and with the recession and lack of pay rises in many companies, a lot of people are starting to feel the pinch. This presents a potential security threat to a company, as people who are struggling may be tempted to look for other ways to raise extra money. Company data may be at risk of disclosure: for example, a call centre worker might sell customer information to a competitor, giving them a competitive advantage or knowledge of when a recurring contract may come to an end. Malicious damage could be caused to systems and data, or a project could be delayed, which would benefit a competitor. Alternatively, an employee may become frustrated with their situation and blame the company, which may also lead to malicious damage. The last consideration is that it may not be a sole employee looking to steal or cause malicious damage; multiple people may be involved.

In addition to this threat, there is greater vulnerability at this time of the year, as people start to wind down for Christmas and staffing is reduced to minimal cover. This could mean that an employee looking to steal or maliciously damage data may find it easier to do so than at other times of the year.

So what can be done about this? Firstly, it is important to be aware of the risk and ensure it is considered throughout company management. The reduced cover for Christmas periods should include key senior personnel to ensure that the activities being conducted are monitored. HR and review processes should be practised to identify individuals who present a greater risk of this threat. For example, an employee with access to a lot of data who never takes time off and seems very unhappy could be staying at work to ensure they cover their tracks. If an individual is identified as posing a threat to the organisation, that individual should be monitored and system controls must be put in place.

System controls can be implemented to help protect against this threat, such as ensuring all desktop machines are locked down and that USB ports and CD writers cannot be used unless specifically authorised by senior management. Access to the internet can be restricted or removed, and email messages can have a maximum message size applied, such as 1 MB. Segregation of duties should be considered in systems, ensuring that approval points are built in to make it harder for a sole individual to authorise activities. Access to data en masse, such as through a database, should be kept to the minimum number of people necessary.

Lastly, practising good access control is, as always, a good idea: ensuring access to the systems is at a minimum level and account details are not shared will give a further layer of protection.