Data Security - A Lurking Threat from Inside

by Tabrez Khan    Feb 08, 2008

Enterprises today need reliable controls for safeguarding confidential information from external and internal threats and data leaks. Enterprises from sectors like BFSI are further required to notify individuals in case of a breach of their personal records. Companies adopt tough measures to prevent external data theft, and any such breach or hacking attempt is promptly reported and punitive action taken, yet internal data theft often goes undetected and unreported.

Insider theft is a problem that CIOs are extremely wary of, as it can be one of the most difficult problems to deal with. This kind of data theft can also be the most damaging to an organization. Employees, on-site contractors and off-shore vendors can be regarded as the weakest link in the information security chain and a likely threat to the security of confidential data.

Preventing insider data theft can be a huge challenge for organizations. While employees have to be given direct access to crucial resources, ensuring that such access is not misused is also imperative on the organization’s part. Data theft by employees can be difficult to prevent because they can circumvent physical and logical access controls within the organization.

According to estimates, nearly 50% of professionals take corporate data with them when they change jobs, by either e-mailing it to themselves or storing it on a peripheral device. In industries where the majority of the data is confidential, such as financial services, this kind of breach can do a lot of damage. Naturally, the stakes in safeguarding confidential data are high there.

While the above theft may not be intentional, or at least not intended to be malicious, the threat from disgruntled employees can be. Such employees steal to cause damage: by selling crucial data to rival companies, by revealing weaknesses in IT infrastructure and corporate security policy to competitors and the media, and by corrupting or deleting confidential files, causing system downtime that could severely hamper productivity.

Mobile storage devices and gadgets such as pen drives, iPods, PDAs and laptops are convenient tools to ship confidential data outside the organization. Although a lot of data theft may not be malicious, the impact of such theft can still be hurtful, so preventive measures require the same kind of urgency as in the case of malicious threats. The thriving black market for stolen phone numbers, credit card numbers, and other confidential data just proves the extent to which data theft has become rampant.

Understanding why users circumvent security policies is imperative. In most cases it is done to speed up work. E-mailing documents to personal e-mail IDs in order to work from home is one instance, while turning off anti-virus agents to avoid annoying scans is another. Carrying important documents on a laptop is also a threat, as these mobile devices often get stolen or lost. Downloading games and software, or accessing the Internet for shopping, travel, etc., can also invite threats from viruses or malicious software.

To reiterate, there may not be a malicious intent involved in most data theft incidents but irresponsible behavior and unintended mistakes from users nevertheless can compromise network and data security to a great extent.