IT executives are responsible for creating policies that specify the appropriate use of technology within a firm. Policies give employees the technology do's and don'ts, but policies alone cannot stop an accidental or malicious insider. Technical controls, and reports generated from the technology, are the key to effectively preventing insider threats. Without controls and reports, firms are protected only by the paper the policy is written on.
Many firms outsource their IT to a provider. The IT provider is expected to maintain up-to-date firewalls, server and endpoint anti-virus, email security, and monitoring of the infrastructure devices. All of these devices generate tons of data that are necessary for the provider to maintain the systems, but some of the data has added value. A good IT provider uses this data to protect the platform; a great IT provider uses this data to protect the platform and puts the relevant data in the hands of the customer to make security decisions.
Before firms can make effective security decisions, they need to know what they are protecting. Data classification policies help define the sensitivity of data, but that data can be widely dispersed. IT providers should have a solution to scan the firm’s storage and report on sensitive data locations.
With the location of the data and a report on user permissions, firms can make decisions to enforce least privilege access to the data. It is also a good idea to delete data that is not necessary for business or retention requirements. If you don’t have it, it can’t be stolen.
Locking down sensitive data is the first step. Firms should inquire about an IT provider’s technical controls and reporting capabilities:
- User Authentication Report – This shows the firm if a user is logging in from strange locations or at odd hours. This may indicate account compromise or a malicious insider.
- File Access Report – This shows the firm what users are accessing and with what frequency. An unexplained increase in file activity may require further investigation.
- Software Report – This shows the firm what applications are installed across the user base. Unapproved software such as FTP and P2P clients can be identified for removal.
- Hardware Report – This shows the firm what devices are connected to the corporate network. Unknown devices can be tracked down and removed. The IT provider should be able to restrict which devices are allowed to connect to the corporate network. All other devices should be connected to a guest network that is segregated from corporate data.
- Firewall or Internet Report – This shows the firm if there are abnormal data transfers to external sites. Firms can make security decisions to block access to certain services like cloud storage, social media, and personal email. Users can connect personal devices to the guest network for personal email.
- Anti-virus Report – This shows the firm which users are most prone to receiving malware. This information can be used to provide those users with additional security awareness training and to target internal phishing-awareness campaigns.
- Disable administrative rights and USB drives – This limits what an accidental or malicious insider can do within the corporate network.
- Enable Multi-Factor Authentication and Single Sign-On (SSO) – IT providers with this capability are a huge security benefit for firms. SSO helps a firm manage external accounts for its employees: disabling a user's account with the IT provider also disables that user's accounts with the connected third-party services.
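To show what the first two reports in the list above look like in practice, here is an added example (not code from the author, Abacus Group, or any IT provider) that builds a small User Authentication Report and File Access Report from constructed sample log lines. The one-line event format, the business-hours window, the set of expected countries and the "three times the user's average" threshold are all assumptions chosen for the illustration; a real provider's reports would draw on their own log sources and tuned thresholds.

```python
"""Added example: minimal authentication and file-access anomaly reports.

The log format below is an assumption for this example:
    "<ISO timestamp> <user> <source country> <event> <object>"
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (not real data). Two normal days for alice and bob,
# then a third day on which bob logs in at 02:30 from an unexpected country and
# reads far more files than usual.
SAMPLE_EVENTS = [
    "2024-03-04T09:12:00 alice US login -",
    "2024-03-04T09:15:00 alice US file_read /finance/q1.xlsx",
    "2024-03-04T10:02:00 alice US file_read /finance/q2.xlsx",
    "2024-03-04T08:50:00 bob US login -",
    "2024-03-04T09:20:00 bob US file_read /hr/handbook.pdf",
    "2024-03-04T11:40:00 bob US file_read /hr/policies.docx",
    "2024-03-05T09:05:00 alice US login -",
    "2024-03-05T09:30:00 alice US file_read /finance/q1.xlsx",
    "2024-03-05T14:10:00 alice US file_read /finance/forecast.xlsx",
    "2024-03-05T09:00:00 bob US login -",
    "2024-03-05T09:45:00 bob US file_read /hr/handbook.pdf",
    "2024-03-05T15:00:00 bob US file_read /hr/salaries.xlsx",
    "2024-03-05T16:00:00 bob US file_read /hr/policies.docx",
    "2024-03-06T09:10:00 alice US login -",
    "2024-03-06T09:40:00 alice US file_read /finance/q1.xlsx",
    "2024-03-06T13:00:00 alice US file_read /finance/q2.xlsx",
    "2024-03-06T02:30:00 bob RO login -",
] + [  # twelve constructed reads in a row during the night
    f"2024-03-06T02:{35 + i:02d}:00 bob RO file_read /hr/employee{i}.pdf"
    for i in range(12)
]

BUSINESS_HOURS = range(7, 20)        # assumed policy window: 07:00-19:59 local time
EXPECTED_COUNTRIES = {"US", "GB"}    # assumed: where the firm's staff normally log in from


def parse_event(line):
    """Split one log line into a dict; the object field may contain spaces."""
    ts, user, country, event, obj = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "country": country, "event": event, "object": obj}


def authentication_report(lines):
    """User Authentication Report: logins from unexpected countries or outside
    business hours. Returns (user, reason, detail, timestamp) tuples."""
    findings = []
    for e in map(parse_event, lines):
        if e["event"] != "login":
            continue
        when = e["ts"].isoformat()
        if e["country"] not in EXPECTED_COUNTRIES:
            findings.append((e["user"], "unexpected location", e["country"], when))
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append((e["user"], "outside business hours",
                             e["ts"].strftime("%H:%M"), when))
    return findings


def file_access_report(lines, multiplier=3.0):
    """File Access Report: per-user daily file-read counts. Flags a user on the
    latest day when that day's count exceeds `multiplier` times the user's
    average daily count over all earlier days in the log (days with no reads
    count as zero). Returns (user, latest_count, baseline) tuples."""
    daily = defaultdict(Counter)          # date -> Counter(user -> reads)
    for e in map(parse_event, lines):
        if e["event"] == "file_read":
            daily[e["ts"].date()][e["user"]] += 1
    days = sorted(daily)
    if len(days) < 2:                     # nothing to compare against yet
        return []
    latest, history = days[-1], days[:-1]
    findings = []
    for user, count in daily[latest].items():
        baseline = sum(daily[d][user] for d in history) / len(history)
        # max(..., 1.0) stops a user with a near-zero baseline from being
        # flagged for a handful of reads.
        if count > multiplier * max(baseline, 1.0):
            findings.append((user, count, round(baseline, 1)))
    return findings


if __name__ == "__main__":
    for finding in authentication_report(SAMPLE_EVENTS):
        print("AUTH ", finding)
    for finding in file_access_report(SAMPLE_EVENTS):
        print("FILES", finding)
```

Run as a script, the example reports bob's 02:30 login from an unexpected country twice (once for location, once for the hour) and flags his twelve reads against a baseline of 2.5 per day; alice, whose activity is steady, does not appear. The value of both reports lies in the comparison with the user's own history and the firm's stated policy, which is why the baseline window and the thresholds should be set by the firm rather than left at a provider's defaults.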
Firms cannot rely solely on the IT provider's security to prevent insider threats. The firm needs to be involved by reviewing the available reports and approving the technical controls needed to prevent accidental or malicious insiders. When the firm and IT provider work together to develop reports and controls, everyone's security benefits.
Contributed by John Carbo, director of information security at Abacus Group.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.