Many internal breaches go undetected -- not because of lack of clues -- but because other employees don't connect the clues quickly enough. Most of the giveaways revolve around human behavior -- an employee eager to work when there's no one else around, voicing dissatisfaction with the firm or its management, making veiled or direct threats, interfering with security or auditing tools, erasing logs, copying large amounts of data for no obvious reason, etc.
One of these clues in isolation is unlikely to arouse suspicion, but collectively, they are an obvious warning sign if exhibited by the same individual. Why does it seem that businesses are hesitant to report internal breaches to law enforcement?
The latest numbers from the Computer Security Institute suggest that while more than 80% of firms suffered a security breach, only a third actually reported it to the authorities. It's mostly to do with reputation protection. Taking a hit on your networks or data assets can be costly enough without adding the significant and undeterminable cost of a loss in customer confidence.
Businesses are justifiably worried about their reputation and their ability to protect themselves and their clients. Another factor is liability and the risk of lawsuits if it turns out that the security breach was facilitated in some way by poor or non-existent security controls.
I think that it's very important we know as accurately as possible the number and nature of the attacks, and I think the only way to encourage that is to remove the fear of public embarrassment of reputation damage by going public with this. So, I think some form of anonymous reporting is absolutely vital.
I think that sharing of knowledge is very important. Just as important as reporting an incident is discussing how the incident was managed, how the response was managed, how effective the response was, the financial cost of both the incident and the response to it.
I think it's also a form of deterrence. Employees must realize, first of all as the culprits, that they can face discipline and perhaps even a criminal charge. Fellow employees must also understand that they have a role in reporting those activities that could lead to a breach. What everyday practices can companies put in place to minimize the risk of internal breaches?
There are a number of measures every firm should take to minimize the risk of internal security breaches, including:
- The creation of a comprehensive and understandable security policy that will help determine whether action can be taken against the suspect or perpetrator.
- Properly designed employment contracts that will also help with this decision.
- A regularly tested incident response plan should minimize losses and help preserve vital evidence.
- Keeping backup copies of all logs to make them more valuable in court.
- Teach employees how to recognize and report signs of security breaches by fellow employees.
- Familiarity with the investigative process to help avoid investigation and evidence pitfalls.
There are a number of factors that will influence the first step a firm takes if it suspects an internal security breach. If an incident-response plan is in place, it should dictate each step in the response. The company will need to determine whether the breach constitutes a crime, or is simply a breach of internal company policy or the employee's contract. The firm will also have to consider whether the breach or loss is significant enough to warrant an investigation, criminal charge or internal discipline.
Other factors include whether the breach is a crime in progress, or has already been committed. Either way, the first action should always be to activate your well-practiced incident response plan.
If the crime is still in progress, you have a clear opportunity to gather damning evidence, which must be weighed against the danger of letting the crime continue. Talk to your lawyers immediately to confirm that the behavior or actions constitute a crime, or at least a breach of security policy or employment contract.
Contact your local FBI office for advice (there's one in every major city), and also contact your local law enforcement if they have any jurisdiction. Monitor the suspect's activity and record everything - use keystroke recording, preserve all log files, try to restrict access privileges, etc. without arousing suspicion.
If the crime has already been committed, it's still vitally important to preserve every shred of evidence (logs, etc.) and establish chain and custody of evidence. You'll also need to contact your lawyers immediately, and if they advise it, obtain a temporary restraining order against the employee. You may also have to remove all access privileges, change passwords, etc.