We’re asking one very important question here: How can you protect your business from the dreaded inside job?
Security experts speak in terms of "threat models," which are essentially all the various ways your system can be threatened, either electronically or physically. One of the most dangerous threat models in existence is a rogue insider, with deep technical knowledge of the system, giving in to the dark side.
We’re going to look at some measures you can take to protect your network and business from such internal threats – with some advice from industry heavyweight Fred Pinkett (a VP at Security Innovation). I grilled him for tips on how to build a layered security strategy that would limit the ability of a rogue insider to cause harm. According to Pinkett, a few key strategies exist to protect our core systems from this threat.
Strict separation of roles and duties
No single person should have access to everything. If you can afford more than a couple of IT admins, split duties evenly between them, and don't give any particular person or group full access and permissions to the entire network. This ensures that no single person has the ability to take the whole system down.
Base your judgment calls on how sensitive your data really is. If your budget is so modest that you can't afford enough IT folks to diversify the roles required, then you need to step back and take a broader look at the importance of security for your business.
If you're housing credit cards and other sensitive data, you should consider one of three options: outsourcing your IT duties to a firm that can afford to diversify roles, coughing up the cash necessary to run the operation safely yourself, or not storing sensitive data within your unprotected system.
If you're housing less sensitive data, you may be able to live with the risk of all-powerful IT admins (just be sure to take them out to lunch on a regular basis).
Pay special attention to backup strategy
The person or people in charge of creating and storing backups should not be the same ones who run the network or handle application administration. Otherwise, the backups will be vulnerable during an attack, when they should be a potential lifeline.
Invest in strong security systems
The key to strong security is building out and defending layers in your network, and constantly monitoring for suspicious behaviour. Firewalls should be used to protect against outside threats; they can also be used to secure layers within your network. For more on layered defence, see our closer look at the security strategy of “defence in depth.”
Encrypt, encrypt, encrypt
All sensitive data should be encrypted, even if your database servers are sufficiently locked down or application communication is only internal and restricted to the network. If you're employing a tape backup strategy and you're pushing your tapes off premises, then think about the chain of custody. You're only as strong as your weakest link. Remember that accidents happen: What if the truck carrying tape backups of your customers' credit card numbers crashes, and tapes go flying everywhere? You'd better have that data encrypted.
Security is an ongoing operation
Once you've implemented these strategies, it's critical to remember that security is not a one-time project; it's an ongoing operation just like any other in a company. An audit of current operations should be executed regularly. Step through your defences, starting at the edge of your network and moving inward, and ask yourself: If a hacker compromised this layer of security, what would he or she have access to? The answers may surprise you.
The key here is that it's not just a matter of technical architecture: The people and the process are just as important. If you can conquer all three, you stand a pretty good chance of being able to prevent a rogue employee from wreaking havoc on your network and business.