As far as Kerry Anderson is concerned, insiders are as big a threat to her company's IT security as worms and spyware -- perhaps bigger. And like malware, insiders come in many variants.
Kerry Andersonvice president, information security groupFMR Corp.
Anderson, a vice president in the information security group at Fidelity Investments Brokerage Company, explained the different types of insider threats and ways companies can address them at the MIS Training Institute's Annual Conference and Expo on Control and Audit of Information Technology in Boston last week. The best way to deal with any potential inside threat, she said, is to let everyone know Big Brother is watching them and that they can be fired for any security violation.
"Companies need to make it clear to their employees from day one that they are being monitored," she said.
Anderson has seen a variety of troublesome insiders in her career at Fidelity and other companies. There's the saboteur who tries to deface critical company data because they have an axe to grind against their bosses or fellow co-workers.
Then there's the sole living expert -- someone who has been around so long they think they own the network. They want everyone to be dependent on them, so they manipulate the network in a way to make other employees come to them to access certain pieces of data or perform certain network functions, Anderson said.
Anderson has also come across people who have what she calls the hero syndrome. They break something on the network so they can fix it and be seen as life savers.
"If something is breaking every three weeks and the same person is fixing it, I'd start taking a look at them," she said.
Whatever the insider's tactics or motives may be, Anderson said there are some common warning signs to look for, such as someone who isn't getting along with managers or co-workers and may be preparing to leave the company. If someone is leaving under unhappy circumstances, there's always the chance they could sabotage network data on the way out the door, she said.
Companies must also keep an eye on people who may start working hours when nobody else is around. Anyone who suddenly changes their normal work routine bears watching, Anderson said.
Companies must also be prepared to deal with people who create security risks without necessarily meaning to. If the network suffers a security breach because an employee was visiting seedy Web sites on company machinery, for example, there must be a plan for punishment.
"People need to understand that their computers are for business only and that they can be disciplined or even fired for using them for anything that isn't business related," Anderson said.
IT security professionals also need to watch for personal technology that could put the company at risk, she said. Cell phones with embedded cameras, for example, could be used to photograph and transmit sensitive data.
While these are important steps, Anderson acknowledged that companies can't prevent every insider-related incident.
"A lot of internal fraud goes unreported because it's embarrassing," she said.
If there is a security breach, companies must be honest about it and come clean publicly, she said. Otherwise, the company's reputation and the security of their customers could take a bigger hit later.