Insiders commit crimes for two reasons, CERT says: financial gain (as in the Certegy case) and business advantage (as in the DuPont case). In the latter, criminal activities usually start when an employee resigns, CERT says, but the thefts typically occur after the employee departs, having left secret access paths to the data he or she wants.
Insider threats are among the hardest to manage, Semple says, especially when the workers use privileged access.
Eye-openers: A good precaution is to monitor database and network access for unusual activity and set thresholds representing acceptable use for different users, CERT says. That makes it easier to detect when an employee with a particular job designation does something beyond his normal duties. For instance, DuPont discovered the illegal activity because of the scientist's unusually heavy usage of its electronic data library server.
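The threshold-based monitoring CERT describes can be reduced to a small piece of detection logic. The script below is an added example, not code from CERT or from the article; the log format, the role policy (a daily volume limit and a set of expected actions per role) and the user names are assumptions, and the log lines are constructed inline. It flags a user whose volume exceeds the limit for that role, like the DuPont scientist's unusually heavy library usage, and separately flags an action that falls outside what the role is expected to do.

```python
"""Threshold-based detection of unusual data-library access (added example).

The log format, role policy and user names below are assumptions made for
the demonstration; the log itself is constructed, not a real capture.
"""
import re
from collections import Counter

# Assumed line format: "<day> user=<u> role=<r> action=<a> resource=<path>"
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) resource=(?P<resource>\S+)$"
)

# Assumed policy: acceptable daily volume and expected actions per role.
ROLE_POLICY = {
    "scientist": {"max_daily": 200, "actions": {"view", "download"}},
    "hr_clerk": {"max_daily": 50, "actions": {"view"}},
}


def _constructed_log():
    """Build a synthetic day of access-log lines (constructed sample data)."""
    lines = []
    for i in range(12):   # normal scientist activity
        lines.append(f"2024-01-15 user=alice role=scientist action=download resource=edl/doc{i}")
    for i in range(340):  # one scientist far above the role limit
        lines.append(f"2024-01-15 user=bob role=scientist action=download resource=edl/doc{i}")
    for i in range(8):    # normal HR activity
        lines.append(f"2024-01-15 user=carol role=hr_clerk action=view resource=hr/emp{i}")
    # an action the hr_clerk role is not expected to perform
    lines.append("2024-01-15 user=carol role=hr_clerk action=export resource=hr/all")
    lines.append("this line does not match the expected format and is skipped")
    return lines


def parse_log(lines):
    """Parse matching lines into dicts; malformed lines are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_anomalies(events, policy=ROLE_POLICY):
    """Return alerts for per-role volume thresholds and unexpected actions."""
    alerts = []
    # Volume check: count events per (day, user, role) and compare to the role limit.
    counts = Counter((e["day"], e["user"], e["role"]) for e in events)
    for (day, user, role), n in sorted(counts.items()):
        limit = policy.get(role, {}).get("max_daily")
        if limit is not None and n > limit:
            alerts.append({"kind": "volume", "day": day, "user": user,
                           "count": n, "limit": limit})
    # Action check: anything outside the role's expected action set is flagged.
    for e in events:
        allowed = policy.get(e["role"], {}).get("actions", set())
        if e["action"] not in allowed:
            alerts.append({"kind": "action", "day": e["day"], "user": e["user"],
                           "action": e["action"], "resource": e["resource"]})
    return alerts


def run_demo():
    """Parse the constructed log and return the resulting alerts."""
    return find_anomalies(parse_log(_constructed_log()))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

In a real deployment the limits would be derived from each role's observed baseline rather than hard-coded, and the alerts would feed the incident process CERT describes, so that a flagged user is looked at quickly rather than after the data has already left.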
If you suspect that a breach has occurred, CERT says it's important to act quickly in order to minimize the chance of information being disseminated and to give law enforcement agencies a chance to start investigating the case.
Companies should also implement role-based access-control tools to maintain a high level of accountability over who is accessing valuable assets, Lazar says. Databases containing customer or employee information should allow very limited access. "How many people, on a daily basis, need to review Social Security numbers and addresses without permission?" he says. "Personal information should be protected at the same level as trade secrets."
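Lazar's point that personal data should be guarded like a trade secret, with very few roles able to see it and every access accounted for, is illustrated by the added example below. It is not code from the article or from any named vendor; the role names, permission names, the customer record and the redaction marker are assumptions made for the demonstration. Access is denied by default, a role only sees the fields it was granted, and every attempt, allowed or not, is written to an audit trail.

```python
"""Role-based, field-level access to customer data with an audit trail (added example).

Roles, permission names and the sample record are assumptions for this demo.
"""
from datetime import datetime, timezone

# Assumed policy: for each role, the permission it holds and the fields it may read.
# Any role or permission not listed here is denied (deny by default).
PERMISSIONS = {
    "support_agent": {"customer.read": {"name", "email"}},
    "fraud_analyst": {"customer.read": {"name", "email", "address", "ssn"}},
}

REDACTED = "***REDACTED***"


class AccessDenied(Exception):
    """Raised when a role holds no grant for the requested permission."""


def authorize(role, permission):
    """Return the set of readable fields for role/permission, or None if denied."""
    return PERMISSIONS.get(role, {}).get(permission)


def read_customer(record, role, actor, audit):
    """Return the record as the role is allowed to see it; log every attempt.

    `audit` is a list that stands in for an append-only audit store.
    """
    fields = authorize(role, "customer.read")
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "role": role,
        "permission": "customer.read",
        "record_id": record["id"],
    }
    if fields is None:
        entry["result"] = "denied"
        audit.append(entry)
        raise AccessDenied(f"role {role!r} may not read customer records")
    # Only the granted fields are returned in clear; the rest are redacted.
    view = {k: (v if k in fields or k == "id" else REDACTED) for k, v in record.items()}
    entry["result"] = "allowed"
    entry["fields"] = sorted(k for k in record if k in fields)
    audit.append(entry)
    return view


def run_demo():
    """Exercise three roles against one constructed record and return the results."""
    record = {  # constructed sample data, not a real person
        "id": "cust-0001",
        "name": "Jane Example",
        "email": "jane@example.invalid",
        "address": "1 Sample Street",
        "ssn": "000-00-0000",
    }
    audit = []
    agent_view = read_customer(record, "support_agent", "u.agent", audit)
    analyst_view = read_customer(record, "fraud_analyst", "u.analyst", audit)
    try:
        read_customer(record, "intern", "u.intern", audit)
        intern_denied = False
    except AccessDenied:
        intern_denied = True
    return agent_view, analyst_view, intern_denied, audit


if __name__ == "__main__":
    agent, analyst, denied, trail = run_demo()
    print("support_agent sees:", agent)
    print("fraud_analyst sees:", analyst)
    print("intern denied:", denied)
    for e in trail:
        print(e)
```

The audit list answers Lazar's "how many people need to review Social Security numbers" question directly: grep the trail for `ssn` in the `fields` entry and you have the daily count of people who actually saw it, and which role they used.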
Muller recommends using data loss prevention tools to restrict personal data from being e-mailed, printed or copied onto laptops or external storage devices. Some of these tools provide alerts that inform administrators when someone tries to copy personal data and create a log file of such an event. "In a lot of cases, companies don't have proper audit trails in place," he says.
It's also important to strengthen internal controls and audit measures by, for example, implementing iterative checks on network and database activity logs, Semple says. It's not enough to keep detailed logs; you also need audit measures in place to see if anyone has modified a log or illegally accessed it. "Unless there's some way to verify the log information wasn't tampered with, it's hard to know it's of value," he says.
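Semple's requirement that log information be verifiable as untampered can be met with a keyed hash chain: each entry carries an HMAC over its own content plus the previous entry's digest, so modifying, reordering or removing an entry in the middle breaks verification at that point. The code below is an added example, not code from the article or from Semple; the entry layout, the demo key and the log messages are assumptions.

```python
"""Tamper-evident audit log as an HMAC hash chain (added example).

Entry layout and the demo key are assumptions; in practice the key lives
somewhere the log host cannot read it (a separate signing service or HSM).
"""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # previous-digest value for the first entry

# Constructed demo key only; never hard-code a real log-signing key.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _payload(seq, msg, prev):
    """Canonical bytes that the HMAC covers (sorted keys, so encoding is stable)."""
    return json.dumps({"seq": seq, "msg": msg, "prev": prev}, sort_keys=True).encode()


def append_entry(chain, key, msg):
    """Append msg to chain, binding it to the previous entry's digest."""
    prev = chain[-1]["digest"] if chain else GENESIS
    seq = len(chain)
    digest = hmac.new(key, _payload(seq, msg, prev), hashlib.sha256).hexdigest()
    entry = {"seq": seq, "msg": msg, "prev": prev, "digest": digest}
    chain.append(entry)
    return entry


def verify_chain(chain, key):
    """Return (True, n) if all n entries verify, else (False, index_of_first_bad_entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        # Sequence and back-link must match what the chain position implies.
        if entry.get("seq") != i or entry.get("prev") != prev:
            return (False, i)
        expected = hmac.new(key, _payload(i, entry.get("msg"), prev), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("digest", "")):
            return (False, i)
        prev = entry["digest"]
    return (True, len(chain))


def run_demo():
    """Build a short chain, then show that editing or deleting an entry is detected."""
    chain = []
    for msg in (  # constructed sample audit messages
        "user=carol action=view resource=hr/emp1",
        "user=carol action=export resource=hr/all",
        "user=admin action=review resource=audit/2024-01-15",
    ):
        append_entry(chain, DEMO_KEY, msg)
    intact = verify_chain(chain, DEMO_KEY)

    # An insider rewrites the incriminating entry in place.
    edited = copy.deepcopy(chain)
    edited[1]["msg"] = "user=carol action=view resource=hr/emp2"
    after_edit = verify_chain(edited, DEMO_KEY)

    # Or removes it entirely; the next entry's seq and back-link no longer fit.
    removed = copy.deepcopy(chain)
    del removed[1]
    after_removal = verify_chain(removed, DEMO_KEY)

    return intact, after_edit, after_removal


if __name__ == "__main__":
    print(run_demo())
```

One caveat a practitioner should keep in mind: the chain proves nothing about entries cut from the tail, because a truncated chain still verifies up to its new end. The latest digest therefore has to be recorded somewhere the log host cannot alter (a separate system, or a periodic signed checkpoint) so that a shortened log can be recognised as well.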
But in the end, technology isn't enough. "You need to find a way to ensure users you trust are worthy of that trust," Semple says.