Protect Yourself Against Rogue Employees

You have problems. The annual report spreadsheet has disappeared from a server. A virus is loose in company e-mail. Someone has access to the network through some kind of back door. Those are big problems.

The natural reaction is to suspect the dark legions of black hat hackers, but the truth might lie closer to home. In fact, the computer crime survey annually produced by the Computer Security Institute and the FBI has consistently shown that network security risks are as likely to originate inside the firewall as without. In other words, rogue employees can often be an organization's biggest enemies.

"Just about every company has experienced some kind of data loss or interruption incident because of the actions of an employee," Info-Tech Research analyst Carmi Levi says. "Whether it's inadvertent or malicious, the result is the same. It doesn't matter how it came to be, the fact that it came to be is the problem."

For all of the chaos a rogue user can cause within an organization, Levi says that it is wrong to equate rogue behavior with malicious intent. "The typical definition of 'rogue' definitely has negative connotations," he says. "People assume that it's someone who has nefarious intentions. But 'rogue' includes unintentional actions, and I'd suggest that the unintentional rogue activities are a greater risk to the organization, and represent a much more common problem."

Moreover, while employees who are out to get a company invariably have an identifiable agenda, whether it's the theft of corporate secrets or compromising specific business process, and usually have some kind of consistent modus operandi, the guy in marketing who deletes the budget due to negligence can be much harder to track down. Unintentional rogue behavior is random and thus much harder to plan for."Martha in accounting who doesn't have the training can do much more damage without intending to than the person next to her who has been scheming against the company for the last three years," Levi says.

With that in mind, the best way to prepare for rogue employees is simply to expect the worst, and try to cut the worst problems off at the pass. Although security professionals have been preaching the same three elements of a successful internal security regime for as long as there have been networks, Levi says that the only way to protect a network form the inside is to nail down security policies, training and monitoring.

"You need to have terms of use documentation for just about every major technology platform that you deploy to end users," he says. "You have to cover workstations, laptops, voice over IP (VoIP) phones, cell phones, Blackberries and what have you. That way, it's all in black and white, and you have your employees sign off on it, so you know that they know the rules."

It is vitally important to document expectations for system use, Levi says, "because you can't come to the user after the milk has been spilled." More importantly, a clear and detailed system use policy can motivate employees to use the company and network assets responsibly and, not incidentally, limit liability. If someone does go over the line, that line is drawn in black and white and not in shades of grey.

However, acceptable use policies are completely ineffective if users aren't trained to use the organization's systems properly. This is particularly true in view of the recent proliferation of new computing devices from blackberries to VoIP soft phones. "You can't deploy a complex new technology to your employees and expect them to know how to use it right out of the box," Levi says. "That's particularly true of VoIP and some of the newer network technologies that haven't yet become ubiquitous. It's complicated enough with technologies that are ubiquitous. Imagine how difficult it is with things like soft phones and network applications that many employees just don't have any experience with it."

Lack of training can open the door to inadvertent rogue behavior because users are overwhelmed with all of the devices, bells and whistles on their desktops, but complexity can also open organizations up to malicious actions from within. The proliferation of new technology might enable business processes in exciting and efficient ways, but it also increases the number of potential points of attack."You need to recognize that something is occurring when its occurring," Levi says. "You need to monitor systems and generate alerts, so you can respond in a timely fashion. That won't stop things from happening, but it will minimize damage and limit the time of exposure."

Effective monitoring requires a combination of tools and procedures. Organizations need the technology in place to monitor for and identify rogue behavior, but they also need to have the process and creativity to respond when something happens. Levi points out, for example, that a car alarm is great anti-theft technology, but how many times have you heard an alarm go off all night without anyone responding to it? Does it stop because the owner has turned it off, or because the car has disappeared to a chop shop?

As often as security professionals have repeated these rules, thorough preparation for internal network threats is still the exception rather that rule. The problem with common sense, after all, is that it isn't that common, Levi says. "I keep hearing from people that data loss is happening and workflow is interrupted not because of technology failure but data failure and user failure," he says. "So it keep happening. If you haven't been hit yet, and you're not paying attention, it's only a matter of time before you will be."