The enemy within — and how to beat it

Improper use of data by employees with legitimate access is a serious security risk. Jaikumar Vijayan reports

A recent case in which an employee at Progressive Casualty Insurance wrongfully accessed information on mortgagee sale properties she was interested in buying highlights the dangers posed to corporate security by insiders.

The Ohio-based insurance company has confirmed that it sent out letters in January to 13 people informing them that confidential information, including names, social security numbers, birth dates and property addresses, had been wrongfully accessed by an employee who has since been fired.

Company spokesman Michael O’Connor says officials were alerted to the situation when a local woman complained about receiving calls from a Progressive agent inquiring about her house being under foreclosure.

“What happened was that the former employee, who purchased foreclosure property, wrongly used the information in a real estate database,” O’Connor says. Although there was no actual hacking involved to get at the data, her actions constituted a violation of Progressive’s code of ethics, O’Connor says. “We investigated the situation, the employee was terminated and we alerted the people whose data was accessed.”

Such incidents underscore the threat posed to corporate data by malicious insiders and by workers who accidentally leak sensitive information, says Phil Neray, a vice president at Guardium, a vendor of database security products. “Most companies have done a good job with perimeter security,” he says, but are now finding out they need similar controls internally.

The trend is behind a growing need for tools that help companies monitor, detect and audit all activity going on inside networks, databases and applications, he says.

One such tool, from vendor Reconnex, has been helping Sirva, a provider of relocation services with more than 7,000 employees worldwide, keep tabs on its intellectual property and other sensitive data while the company goes through a series of divestitures.

“One of the things that happens after a divestiture is that people take the stuff they are working on to their new companies,” says Chuck Shmayel, vice president of infrastructure and security at the company. Reconnex’s appliance sits at Sirva’s network-egress points in each of its four datacentres and monitors traffic to ensure that confidential information doesn’t exit its networks, either by accident or design.

“As a relocation service, we handle a lot of confidential information on behalf of our customers, and we want to make sure it’s protected,” Shmayel says.

Implementing specific controls for monitoring what’s flowing out of enterprise networks can go a long way towards mitigating accidental and deliberate data leaks, says Mark Moroses, senior director of technical services at Maimonides Medical Centre.

As an entity covered by the US Health Insurance Portability and Accountability Act, Maimonides is required by law to have controls for securing protected health information (PHI). The hospital is using Reconnex’s appliance to detect PHI leaving its networks in an unauthorised fashion, Moroses says.

“From our point of view, the insider threat comes from people either knowingly or unknowingly damaging our reputation” by leaking sensitive information, he says.

Patients go to the centre for AIDS or pregnancy tests — something they don’t want to share with other people.

“A patient is not going to come to our hospital if they think we are not doing everything to protect their information. So our reputation is paramount because it affects our bottom-line business.”
