Beware Of The Threat Within — Protect Your Data.

Online hackers generally target financial institutions, major retailers and anyone holding large amounts of consumer data (e.g. credit card companies). Every few months some major corporation is the victim of a data security breach. Whether the thief gets hold of sensitive consumer data or sensitive internal data, the companies cry foul, promise to investigate and hold those accountable, and work to rebuild consumers’ trust.

So are Fortune 500 companies the only ones under attack? Should a $20 – $60 million company with very little sensitive consumer data, if any, really worry about being a target? Beyond protecting internal computers with anti-virus software and some sort of network firewall, is there really any cause for concern?

INTERNAL THREAT

Perhaps the threat is closer than imaginable. Disgruntled employees, employees joining competing companies and those opening up their own competing companies are all threats to an existing business.

For those who think they have nothing worth stealing: think again.

Long before computers became the storage house for company data, a manager of a Chicago sales office for a national printing company came in to find a resignation letter on his desk from his top sales person. That same morning, his admin told him that one full box of copy paper was gone. Within two hours, the remaining sales reps noticed someone had rooted through all of their customer files, taking out job samples. The copier recorded a 5,000 copy jump from Friday night to Monday morning. The guy who left started his own printing brokerage and there was no way to definitively prove he took information on every single account managed by that sales office. He left his sales achievement awards in his abandoned cubicle.

Nowadays, that same theft would take an hour or two inside a company’s Sales CRM software tool and would leave the building in something as small as a thumb drive.

There are more secrets within a business than are known and recognized. What could the competition do with the knowledge of another company’s sales figures? Financial statements? Strategic plans? R&D results? Sensitive executive email conversations? Contracts? Supplier lists? A lot of damage.

CONDUCTING AN INTERNAL INFORMATION SECURITY AUDIT

Internal threats are real and impact every size company. Therefore, it’s important to know what type of information is being accessed, by whom, and for what purpose. Many companies integrate hierarchies within their various data access points. This includes physical access into areas such as the company’s IT server room, file storage rooms, etc.

To some, this may sound like overkill, especially for a small to mid-size business. But opinions change after the first incident.

An internal information security program should start with the CIA triad. The CIA triad refers to the Confidentiality, Integrity and Availability of data. All sources of data should be evaluated and classified within the triad.

“Confidentiality” means the assets of a computing system are accessible only by authorized parties.

“Integrity” means that assets can be modified only by authorized parties or only in authorized ways (e.g. a sales person cannot delete a client from the CRM database, but a sales manager can). In this context, modification includes writing, changing content, changing status, deleting and creating.

“Availability” means that assets are accessible to authorized parties. An authorized party should not be prevented from accessing objects to which he, she, or it has a legitimate access need. For example, a security system could ensure perfect confidentiality by preventing everyone from reading a particular object. However, that solution would not meet the requirement of availability.

Along with the fundamental basis of the CIA triad, a security program must start with the proper policies and have input from senior leadership.

COMPONENTS OF AN IT DATA RISK AUDIT

There are four overarching components to performing an internal IT Data Risk Audit. The first is data classification (addressed with the CIA triad). The second is management controls, concentrating on the controls that management is directly responsible for. The third is operational controls, which cover the day-to-day operation of systems and are the controls a human is most likely to interact with. The fourth is technical controls, which are usually automated computer programs that enforce the controls.

  1. Data Classification
    1. CIA Triad: Confidentiality, Integrity, Availability
  2. Management Controls
    1. Risk Management
    2. Review of Security Controls
    3. Life Cycle Enforcement
    4. Disaster Recovery/Business Continuity Planning
  3. Operational Controls
    1. Personnel Security
    2. Physical Security
    3. Documentation
    4. Security Awareness/Training
    5. Incident Management
  4. Technical Controls
    1. Identification and Authentication
    2. Logical Access Control
    3. Audit Trails, Monitoring and Logging
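As an added illustration (not code from the article), here is a small Python model of the integrity rule described above and of the technical controls in the list: a role policy in which a sales rep cannot delete CRM clients but a sales manager can, an audit trail that records every attempt, and a log review that flags a user reading an unusually large number of client records. The user names, roles, threshold and sample activity are all constructed.

```python
from dataclasses import dataclass, field

# Constructed role policy for CRM client records, mirroring the article's example:
# a sales rep may read and update, only a sales manager may delete (or create).
POLICY = {
    "sales_rep": {"read", "update"},
    "sales_manager": {"read", "update", "create", "delete"},
}


@dataclass
class CRM:
    users: dict                         # username -> role (constructed directory)
    audit_log: list = field(default_factory=list)

    def request(self, user, action, client_id):
        """Logical access control: decide by role, then record the attempt."""
        role = self.users.get(user)     # unknown user -> no role -> denied
        allowed = role is not None and action in POLICY[role]
        # Every attempt, allowed or denied, goes to the audit trail.
        self.audit_log.append({"user": user, "action": action,
                               "client": client_id, "allowed": allowed})
        return allowed


def bulk_read_alerts(audit_log, threshold):
    """Log review: users who read more distinct client records than threshold,
    the electronic version of emptying every customer file over a weekend."""
    seen = {}
    for e in audit_log:
        if e["allowed"] and e["action"] == "read":
            seen.setdefault(e["user"], set()).add(e["client"])
    return {u: len(c) for u, c in seen.items() if len(c) > threshold}


def denied_attempts(audit_log):
    """Log review: attempts the policy refused, worth a follow-up question."""
    return [e for e in audit_log if not e["allowed"]]


def demo():
    crm = CRM(users={"alice": "sales_rep", "bob": "sales_manager"})
    crm.request("alice", "delete", 7)          # rep cannot delete a client
    crm.request("bob", "delete", 7)            # manager can
    crm.request("mallory", "read", 1)          # no account -> denied and logged
    for cid in range(120):                     # rep walks the whole client list
        crm.request("alice", "read", cid)
    for cid in range(5):                       # normal manager activity
        crm.request("bob", "read", cid)
    return (bulk_read_alerts(crm.audit_log, threshold=100),
            denied_attempts(crm.audit_log))
```

Running `demo()` returns the bulk-read alert for the rep and the two denied attempts; in a real CRM the same two checks would run over the product's own access logs.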

Each of the subsets beneath the four overarching components above can be broken down further into what a Data Security Analyst would actually be auditing. For example, here are the subcomponents and elements to audit for Personnel Security and Physical Security under “Operational Controls”:

Personnel Security:

  • Training & Awareness
  • “Need to Know”/least privilege
  • Review of logs, Policy and Procedures
  • Background Checks Performed

Physical Security:

  • Layered Access/Physical Protection
  • Keypads/Badge Access
  • Access Control Log/Log Audits
  • Training/Awareness
  • Video Surveillance

Whether hiring a Data Security Officer or a consultant from outside the company to audit and maintain data security protocols, it’s important to make sure they hold a certification from a reputable body, such as the Certified Information Systems Security Professional (CISSP).

Next to the people in your organization, your data is your second most valuable asset. Keep it protected.

Tony Streeter is the Chief Marketing Officer, SVP at Y&L Consulting, Inc. in San Antonio, Texas. Mr. Streeter has led new product development, Ecommerce marketing, and integrated platform marketing initiatives for major companies such as Harland Clarke, Deluxe Corporation and RR Donnelley. Currently, Mr. Streeter leads marketing and branding initiatives for Y&L Consulting, a comprehensive IT Services & Solutions company specializing in IT Development, Information Management/BI, and Service Desk Services.