In security we often preach that insider threats are generally the worst. When the attacker is one of your own the challenge to keep your systems safe becomes a lot harder. This is because you effectively tell your staff what checks and balances are in place and if you do not they can still figure out a way to get hold of such information. There is nothing to be done or that can be done about this; it is essentially just part of the dynamics that the security policy needs to handle.
Insiders do strike and sometimes they do get caught. In some cases the breaches are well thought-out and executed so well that is truly a wonder how security can still prevail. Let us consider the case of Matthew Kluger as reported by law.com. Matthew allegedly used his position at various law firms to gather insider information on various companies. He then shared this information with some alleged accomplices to carry out trading based on the inside details he had obtained. Reports said that Matthew allegedly made a total profit of $32 million from his scheme. Matthew managed to get away with this nefarious scheme for 17 years. The obvious question is ‘how does one do that’. The answer is that Matthew was very clever. Knowing that if he had to access these confidential documents directly an audit trail would have exposed his activity; instead he simply looked at the document titles. These gave him enough information on which companies were about to merge and other advance knowledge of events that would have an effect on that company’s stocks.
Let us focus on the specifics of Matthew’s alleged actions because what this person allegedly did is probably a prime example of why insider attacks are so insidious: how can we ever protect against an employee who attacks us by simply looking at the title of documents he has access to? Most of the time, the answer is you really cannot. The usual security recommendations cannot protect a company against this type of activity! Normal security controls will not prevent this type of attack and putting in any security controls that could detect such activity would be way too restrictive and excessive.
So how do we handle such a threat?
The first important aspect we need to consider is employee trust. It is inevitable that we need to trust employees that they will not take advantage of their position. We can put deterrents in place, we can put controls in place, but these will never be 100% effective. Most of the time, a company’s main target should be employee loyalty and maintaining it. Implementing too many security controls can at times have the opposite effect, alienating employees instead of bringing them on your side. Therefore, it is very important that a balance exists between maintaining security levels and keeping employee morale up.
Segregation of duties might also be helpful to reduce the risk. If employees depend on each other to get tasks done, segregation might make it harder for a malicious employee to hide their tracks.
Finally, a security policy can also be of help. If you are dealing with confidential data that is highly sensitive, have your security team periodically review the systems to ensure there have been no breaches or attempted breaches. To avoid prying eyes from gathering information from document titles, the policy could be used to establish document-naming guidelines that contain enough information for those with legitimate permission to access them whilst being useless to others unless they open the document (which would then create an audit trail).
There will always be an element of risk; it is impossible to be 100% safe from insider attacks however proper procedures and planning can reduce the risk significantly.