Data breaches more likely to come from within

There has long been a view, perpetuated in part by Hollywood’s ridiculous portrayal of hackers, that the biggest threat to corporate IT systems comes from highly skilled, motivated computer experts bent on breaking into any protected network they can find.

It is easy to see why the danger of hack attack is once again front of mind for IT managers. We were still reeling from some of the biggest data breaches in corporate history when, in April, hackers minced Sony’s IT security and waltzed off with the passwords and account details of 100 million or so of its customers. The Sony breaches follow several similar high-profile data losses suffered by online service suppliers, including Play.com and Lush.

Despite these high-profile attacks and the Hollywood hype, hackers are not the biggest threat facing corporate IT security systems. That has, and always will, come from the enemy within. The fact is, companies are far more likely to suffer at the hands of their own malicious or incompetent staff.

An interesting case in point came up in April this year when a US Food and Drug Administration chemist was charged with insider trading. The individual, who had access to confidential drug approval data, began buying shares in companies that developed approved drugs before news of the approvals went public. The motive was clear: it is estimated the chemist trousered $3.6m (£2.2m).

Remember the recent leaking of sensitive US government documents to WikiLeaks? The list of documents is in the hundreds of thousands, with more than 76,900 documents about the conflict in Afghanistan, followed by a tranche of almost 400,000 documents about Iraq. We would hope the world’s superpower would have started to get its data house in order, but no. At the end of last year, WikiLeaks began releasing sensitive US State Department diplomatic cables before thrusting the knife into Washington in April, with the publication of some 800 secret documents relating to Guantanamo Bay prisoners.

Beyond the obvious revenue loss and reputational damage arising from data breaches, there are legal sanctions that are becoming ever-more stringent, as bodies such as the UK Information Commissioner’s Office (ICO) work to drag data protection legislation kicking and screaming into the internet age. The ICO has recently been granted extended powers to fine organisations up to £500,000 for serious data breaches. In the past, it was only allowed to give them a mild telling off. And information commissioner Christopher Graham is calling on parliament to pass laws allowing serious breaches of the Data Protection Act to be punished by a two-year prison sentence.

Tech security company Imperva advises that organisations need to enforce access controls, where access is granted only on a business need-to-know level. It is also vital to eliminate excessive privileges. Additionally, it is necessary to provide the proper access auditing tools to datacentres. These auditing tools should monitor who accesses what data. Its advice goes on to suggest that once access control lists have been devised across the organisation, an automated process could learn the behaviour of an individual and construct a profile based on certain parameters. These need to address questions including what data was accessed, whether it was necessary to perform the job, how many times a file or a certain database table was accessed and how much data was viewed or removed. Any deviation from this profile, or any access above a certain threshold limit, should raise an alarm.

The stakes have never been higher and they are getting higher all the time. Organisations simply cannot get away with playing fast and loose with sensitive data. The same vigilance that has long been practised by IT departments to batten down the hatches against external threats now needs urgent augmentation to address the enemy within.

Robert Jaques is a leading commentator on technology issues