5 Steps for Developing a Successful BYOD Environment

Employees are using their personal smartphones, tablets, and other mobile devices for work much more often these days. This trend even has a name – “BYOD” (Bring Your Own Device). Gone are the days when employees were willing to carry a personal phone and a work phone, for example. In fact, industry research firm Gartner predicts that there will be twice as many employee-owned devices used for work as organizationally-owned devices by 2018.

But properly managing employee-owned devices in an organizational environment has become a real problem. According to a 2014 security report published by Check Point Software Technologies, 95% of the 700 IT professionals surveyed said they’re facing challenges with BYOD at work. If your organization is facing similar difficulties, here are five steps to successfully develop your own BYOD environment:

1. Develop a BYOD Framework

A BYOD framework addresses issues such as who is allowed to use their personal devices, what devices may be used, and how support for those devices will be accomplished. Before you develop a BYOD framework, your organization should first perform a cost-benefit analysis to determine the basic requirements.

Once the requirements are determined, a framework should be laid out with the assistance of your IT and HR staff, legal and financial advisors, regulatory teams, and any other group that needs to be involved in the BYOD decision-making process. Certain industries, such as the health care industry and financial industry, have additional regulatory restrictions on mobile devices that also affect employee-owned devices used for work.

2. Establish BYOD Policies

The BYOD framework provides a high-level view of the BYOD environment. The BYOD policies fill in the details.

Within the policies, it’s important that you explicitly define what employees can and can’t do when using their personal devices for work. List any applications required to be on employee-owned devices, as well as any applications prohibited for security reasons. The policies should also document how the IT department will support employee-owned devices and how they will be secured.

3. Use MDM Software

Sometimes employees lose their personal devices or have them stolen. To protect your organization’s data, you can require that employees install Mobile Device Management, or MDM, software on their devices. That way, if an employee-owned device is lost or stolen, the MDM software can destroy the work-related data (leaving the personal data intact) or reset the device to factory settings, thereby wiping out all organizational and personal data. Optionally, you can even have the software wipe out the device’s contents completely, making the device useless.

MDM software typically requires authorization from the device owner. In general, it’s a tough sell, as employee-owned devices are just that: employee-owned. Clearly stating the pros and cons of such software can help alleviate concerns and encourage adoption.

4. Use NAC Tools

With Network Access Control, or NAC, tools, you can enforce arbitrary network access policies. These tools were historically used to guarantee the health of a given device before granting it network access, so enforcing BYOD policies is a natural next step.

Modern NAC tools can detect types of devices, or even identify unique devices. This capability lets NAC act like a gatekeeper, allowing only those employee-owned devices that meet the BYOD policies into your network. For example, you can allow or deny access based on the type of mobile device or the employee’s job function.

5. Educate Employees

A successful BYOD environment depends on the cooperation of employees. You’ll need to inform them about the BYOD framework and policies, as well as the use of MDM and NAC tools.

Employees should also be educated on security risks and basic precautions. Teach employees how to create strong passwords and warn them about security threats such as phishing. In addition, you’ll want to discourage sharing of any policy-covered devices with friends and family.

Conclusion

BYOD is here to stay. With the right steps towards a BYOD environment, you can boost employee productivity while addressing any security concerns. For help in developing your BYOD environment, contact us.

Is Using Fingerprint Authentication a Good Idea?

The U.S. government recently announced that 5.6 million fingerprint records were stolen along with other valuable data from the breach they publicized earlier this year. Since many of your clients have iPhones that use fingerprint scanning for security, they may be wondering what could happen if their fingerprint data was stolen.

With fingerprint authentication, you do not need to remember and enter a password to access a device. You just place your finger on a fingerprint scanner. If your fingerprint matches the scanned image on file, you gain access.

More and more devices are using fingerprint authentication, including smartphones and notebooks. But is using fingerprint authentication a good idea? To answer this question, you need to know how fingerprint scanners work, along with their advantages and disadvantages.

How Fingerprint Scanners Work

No two people have the same fingerprint. Even identical twins have different fingerprints. Thus, fingerprints can be used for identification purposes.

There are two main types of fingerprint scanners: optical and capacitance. Optical scanners use charge-coupled devices (CCDs) to get a fingerprint image. They work a lot like traditional scanners. Capacitance scanners use electrical current to obtain fingerprint images. Their images have a higher degree of fidelity than the images made with an optical scanner. Plus, capacitance scanners require an actual fingerprint shape to work, making it harder to fake fingerprints.

Most optical and capacitance fingerprint scanning systems do not compare the entire fingerprint when checking a fingerprint against the scanned image on file. They compare specific features of the fingerprint, which are known as minutiae. They use complex algorithms to recognize and analyze minutiae patterns.

All the minutiae patterns in the fingerprint and in the scanned image on file do not have to match for fingerprint scanning systems to allow access to devices. They simply have to find a sufficient number of minutiae patterns in common. The exact number depends on the programming in the fingerprint scanning system.
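The threshold rule described above, as an added example that is not code from the original article or from any scanner vendor. It assumes a simplified template format (position, ridge angle, minutia type), templates that are already aligned, and constructed sample data; the tolerances and the required count of 4 are illustrative values.

```python
import math
from typing import NamedTuple


class Minutia(NamedTuple):
    x: float      # position in the template, arbitrary pixel units
    y: float
    angle: float  # local ridge direction in degrees
    kind: str     # "ending" or "bifurcation"


def angle_diff(a: float, b: float) -> float:
    """Smallest difference between two directions, handling the 359 -> 0 wrap."""
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)


def count_matches(enrolled, probe, dist_tol=6.0, angle_tol=15.0) -> int:
    """Pair each probe minutia with the nearest unused enrolled minutia of the
    same type that lies within both tolerances; return the number of pairs."""
    used = set()
    matched = 0
    for p in probe:
        best_i, best_d = None, None
        for i, e in enumerate(enrolled):
            if i in used or e.kind != p.kind:
                continue
            d = math.hypot(e.x - p.x, e.y - p.y)
            if d > dist_tol or angle_diff(e.angle, p.angle) > angle_tol:
                continue
            if best_d is None or d < best_d:
                best_i, best_d = i, d
        if best_i is not None:
            used.add(best_i)  # one enrolled minutia can satisfy only one probe point
            matched += 1
    return matched


def authenticate(enrolled, probe, required=4) -> bool:
    """Grant access when a sufficient number of minutiae agree, not all of them."""
    return count_matches(enrolled, probe) >= required


# Constructed sample templates (not real biometric data).
ENROLLED = [
    Minutia(10, 12, 30, "ending"),
    Minutia(25, 40, 110, "bifurcation"),
    Minutia(42, 18, 200, "ending"),
    Minutia(55, 60, 75, "bifurcation"),
    Minutia(70, 33, 310, "ending"),
    Minutia(80, 72, 150, "ending"),
]
# Same finger scanned again: small jitter, two minutiae missed, one spurious point.
SAME_FINGER = [
    Minutia(11, 13, 34, "ending"),
    Minutia(24, 42, 105, "bifurcation"),
    Minutia(43, 17, 195, "ending"),
    Minutia(71, 35, 318, "ending"),
    Minutia(90, 10, 20, "bifurcation"),
]
# Different finger: one minutia happens to line up by coincidence.
OTHER_FINGER = [
    Minutia(12, 50, 270, "ending"),
    Minutia(30, 20, 90, "bifurcation"),
    Minutia(57, 61, 80, "bifurcation"),
    Minutia(66, 5, 180, "ending"),
    Minutia(85, 45, 10, "ending"),
]

if __name__ == "__main__":
    for label, probe in (("same finger", SAME_FINGER), ("other finger", OTHER_FINGER)):
        n = count_matches(ENROLLED, probe)
        print(f"{label}: {n} of {len(ENROLLED)} enrolled minutiae matched, "
              f"access {'granted' if authenticate(ENROLLED, probe) else 'denied'}")
```

Raising `required` lowers the chance of accepting a coincidental match but also rejects more partial or smudged scans of the genuine finger, which is the trade-off the "exact number" in the system's programming controls.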

The Advantages of Fingerprint Authentication

Fingerprint authentication has several advantages over authentication systems that use passwords, personal identification numbers, or access cards. Here are some of the most noteworthy advantages:

  • Users cannot create weak fingerprints or forget them.
  • Users cannot misplace their fingerprints.
  • Criminals cannot guess a fingerprint pattern.
  • If a mobile device using fingerprint authentication is lost or stolen, its contents cannot be easily accessed.

Because fingerprint authentication is convenient for users but not criminals, many device manufacturers are beginning to use this type of authentication. For example, the iPhone 5S and newer models use capacitance scanning to provide fingerprint authentication.

The Disadvantages of Fingerprint Authentication

Fingerprint scanning systems are not infallible. Optical scanners cannot always distinguish between a high-resolution picture of a finger and the finger itself. Even capacitive scanners can sometimes be fooled by an artificial fingerprint. There are documented cases where fingerprint scanners have been duped with fingerprints lifted from glasses, CDs, and other items. The process is time-consuming and requires a lot of expertise. You first need to enhance the fingerprint and get a high-quality digital image of it. You then need to turn the image into a mold in which you can pour gelatin or silicone to make the fake fingerprint.

Already having a digital scan of a fingerprint would make the process easier and less time-consuming, potentially making it more lucrative to criminals. In September 2015, 5.6 million federal employees learned that their fingerprint scans were stolen during the U.S. Office of Personnel Management (OPM) data breach that occurred earlier in the year. The OPM data breach was massive.

Federal experts believe that the ability to misuse fingerprint data is currently limited, but this could change over time as technology evolves, according to OPM Press Secretary Sam Schumach. A group with expertise in this area will be reviewing the potential ways adversaries could misuse fingerprint data now and in the future.

This group’s activities will likely give little comfort to the 5.6 million federal employees who had their fingerprint scans stolen. While passwords, personal identification numbers, and access cards can be changed, fingerprints cannot be. As a result, they will likely have to worry about becoming victims the rest of their lives.

“While cybercriminals may not be positioned to leverage stolen biometrics now, that will change as these types of authentication are more widespread,” said Tim Erlin in an eSecurity Planet interview. Erlin is the director of IT security and risk strategy at Tripwire. “Most iPhones can use a fingerprint for authentication these days, and criminals always look for the most profitable targets.”

One way the 5.6 million federal employees can protect themselves at home is to use more than one type of authentication to access their devices. This is referred to as multifactor authentication.

Using Multifactor Authentication Is Best

With multifactor authentication, you use two or more types of credentials to access a device. The main types of credentials are often described as:

  • Something you know. Examples include passwords and personal identification numbers.
  • Something you have. Examples include access cards and fobs.
  • Something you are. Examples include fingerprint and retinal scans.

Using fingerprint authentication with another type of authentication can provide a high degree of security. For more information about using multifactor authentication, talk to your IT service provider.

Widespread Apple Device Vulnerability Exposed

Apple Security Update!

Apple has revealed a very serious flaw in the way its iOS devices (iPods, iPads, iPhones) handle secure connections, specifically when your device is connecting to a server via SSL (“https://”) or TLS connections. This vulnerability, just revealed and patched by Apple last Friday, allows an attacker to create a “man in the middle” situation that makes it appear your device is connected to a particular site when in fact it is not.

According to security reporting site Ars Technica, “At this early stage, the vulnerability has been confirmed in iOS versions 6.1.5, 7.0.4, and 7.0.5, and OS X 10.9.0 and 10.9.1, meaning it has silently exposed the sensitive communications of millions of people for weeks or months. Security researchers haven’t ruled out the possibility that earlier versions are also affected. Readers should immediately update their iPhones and iPads to versions 7.0.6 or 6.1.6, preferably using a non-public network.”

The flaw affects SSL and TLS connections. Supposedly, Chrome and Firefox browsers are not affected by this flaw, but Google security engineer Adam Langley has set up a test page to validate whether your browser is vulnerable (we have verified that it is not malicious). If your browser takes you to that page without an error, your browser is vulnerable. (Keep in mind some corporate firewalls may not allow this connection through either because it uses a nonstandard TCP port number.)

If your device is vulnerable, avoid using public WiFi and update your device as soon as possible.

Managing Malware Threats on Your Web Servers

IT managers and security professionals are increasingly worried about targeted malware and its effect on business operations for their enterprise web servers. However, according to a recent survey by security firm Bit9, these professionals are decreasingly confident in their ability to identify and stop such security threats.

Bit9’s server security survey found that targeted malware attacks are the top server security concern of 52 percent of respondents (all 966 respondents are IT and security professionals), up 15 percent from the prior year.

Twenty-five percent of survey respondents said their servers were attacked in 2012, up 8 percent. Twelve percent of those surveyed ranked “too much administrative effort” required by traditional security solution as a bigger concern than actual attacks. Forty-three percent of respondents use more than one full-time employee to manage server security.

“These results highlight the need for greater control in identifying and stopping advanced attacks on valuable server resources-before they execute-while decreasing the security-related administrative workloads of IT and security professionals,” said Brian Hazzard, vice president of product management for Bit9. “The key to securing enterprise servers-both physical and virtual-is to allow only trusted software to execute and prevent all other files from running.”

Besides the obvious idea of installing anti-virus/anti-malware software on your web servers, here are some other ideas for securing them:

1. Remove services you are not using

Default operating system installations and configurations are not secure because many unnecessary network services are installed, such as remote registry services, print server services, etc. The more services running on an OS, the more ports will be left open for malicious users to enter. So, disable unnecessary services so that the next time the server is rebooted, they are not started automatically.

2. Patch, patch, patch

Make sure your enterprise web platforms and Content Management Systems (CMSes) are kept up-to-date. Open source platforms are very often well-maintained in terms of security vulnerabilities. Monitor the blogs and/or vendor announcements for availability of new patches. Ensure that you have a way to test patches for your systems and that you have a regular patch cycle. Be prepared to patch more often should immediate remediation be required.

3. Secure remote access

Whenever possible, server administrators should log in to web servers locally. However, if remote access is needed, make sure that the remote connection is secured properly by using tunneling and encryption protocols (e.g., VPN). When possible, restrict remote access to specific accounts only, and make sure that old accounts are disabled when no longer needed.

4. Server-side scripting and web application content

Keep web application or website files and scripts on a separate partition or drive other than that of the OS, logs, and any other system files. When everything shares one disk, hackers who gain access to the web root directory may be able to escalate their privileges and gain access to data on the whole disk, including the OS and other system files.

5. Keep development, testing, and production environments separate

It is easier and faster to develop a newer version of a web application on a production server, so it is common to develop and test an application directly on the production servers themselves. As a result, it is also common on the Internet to find newer versions of a specific website, or some content which should not be available to the public, in directories such as /test/, /new/, or other subdirectories. These applications are in their early development stages, so they tend to have vulnerabilities. To avoid the threat of a hacker using these versions of your application, conduct the development and testing of web applications on servers isolated from the Internet, and never connect them to real-life data and databases.
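A small audit for steps 4 and 5, as an added example that is not part of the original article: it reports development directories left under a web root and whether the web root sits on the same filesystem as the OS. The directory names beyond /test/ and /new/ are assumptions, and the sample tree is constructed in a temporary folder.

```python
import os
import tempfile

# /test/ and /new/ come from the article; the other names are assumed examples.
DEV_DIR_NAMES = {"test", "new", "dev", "staging", "old", "backup"}


def find_dev_dirs(webroot):
    """Return web-root-relative paths of directories that look like dev/test copies."""
    hits = []
    for current, dirs, _files in os.walk(webroot):
        for name in dirs:
            if name.lower() in DEV_DIR_NAMES:
                rel = os.path.relpath(os.path.join(current, name), webroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def shares_filesystem(path_a, path_b="/"):
    """True when both paths live on the same device, i.e. the same partition."""
    return os.stat(path_a).st_dev == os.stat(path_b).st_dev


def audit(webroot, system_path="/"):
    """Collect human-readable findings for one web root."""
    findings = [
        f"development directory under web root: /{d}/" for d in find_dev_dirs(webroot)
    ]
    if shares_filesystem(webroot, system_path):
        findings.append(
            f"web root shares a filesystem with {system_path}; "
            "move site content to its own partition or drive"
        )
    return findings


def make_sample_webroot():
    """Build a constructed sample tree with two leftover development directories."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in ("css", "images", "app/new", "test/fixtures"):
        os.makedirs(os.path.join(root, rel))
    return root


if __name__ == "__main__":
    sample = make_sample_webroot()
    for finding in audit(sample):
        print("FINDING:", finding)
```

Run `audit()` against the real document root of each site; on Windows, pass the system drive (for example `C:\\`) as `system_path`.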

These steps are just the start to a more secure server environment. The best thing you can do to keep your organization safe from the threat of malware is to stay abreast of security technologies, as they are developed, to stay one step ahead of malicious users.

Six IT Services to Outsource

With the economic climate in the US and Europe still uncertain, many small and medium organizations are looking at outsourcing business services now more than ever. Those organizations that have already outsourced parts of their IT operations are looking to outsource more, and those that haven’t are looking to start. One thing that stops or slows down businesses looking to outsource is simply not knowing where to begin. Here are six places you can start:

  • SaaS: Software as a Service allows you to only pay for the software you use and only while you’re using it. This also has the benefit of cutting management and IT infrastructure needed to support a large collection of software across your computers. A report from 2008 suggests that even in the early stages of SaaS, organizations could expect to save over 50% in some instances, and occasionally more.
  • Managed Hosting: Off-site managed hosting will allow you to make drastic cuts to your in-house IT budget, as well as seriously reduce overhead from having your hosting infrastructure in your office or at a rented space. Managed hosting is one of the oldest, and most well understood, forms of IT outsourcing, so there are significantly fewer risks than with almost any other plan.
  • Data Center: Data centers make the most sense for organizations that either generate or process large amounts of data, or for organizations that don’t have the local facilities to support a data center. Besides saving money on storage and processing, data centers also offer increased security, with redundant backups, redundant power & Internet, high-level encryption, and other protective measures. The added security often makes this a worthwhile investment even when cost-cutting is minimal.
  • Asset Management: In asset management outsourcing, an outsourcing agency takes over the management and support for IT assets like servers, computers and workstations, phones, and other office equipment. While the levels of support provided vary from provider to provider, this is a great way to offload many of the costs involved with running a large office organization.
  • Product Service/Customer Support: If you are in the business of selling technology, one less-often considered form of technology outsourcing is outsourcing your service and support divisions. Toshiba has had great success since outsourcing its service and repair divisions to UPS Supply Chain Solutions in 2004, and HP has been doing it even longer. Likewise, tech support service and call centers can easily be outsourced, increasing margins on products and cutting infrastructure costs dramatically.
  • IT Strategy: Organizations can outsource their IT strategy to a firm that has the breadth of experience, domain/industry knowledge and diverse IT industry knowledge that is nearly impossible to duplicate cost-effectively in-house. Strategic advice can incorporate growth and capacity planning, addressing TCO and ROI, as well as risk management.

Oh, the Risks of Public Wi-Fi

As technology goes more and more mobile, working remotely from public Wi-Fi locations is going to be a bigger and bigger part of doing business. Whether it’s your sales team using airport Wi-Fi while waiting for a flight, or your creative employees knocking out some work at a Starbucks over lunch, the risks of public Wi-Fi are going to have to become a consideration for companies. Unfortunately, most employees (and many employers) don’t know just how dangerous using public Wi-Fi networks can actually be.

Whenever you connect to a public Wi-Fi network, any information you send or receive can be easily snatched from the air and inspected. In fact, this very issue was highlighted just a short while ago when a plugin called Firesheep made it trivial for anyone on a public Wi-Fi network to hijack the social network and other accounts of people sharing that network. While the major social networks quickly fixed the vulnerabilities that allowed this behavior, not all sites did. This is not to mention any capabilities the Federal Government (read: NSA) has to do this.

To Allow or Not to Allow?

Protecting your business data from being exposed on public networks is critical, and should not be taken lightly. The simplest and most secure way to prevent proprietary data from leaking into public access is to simply not use public Wi-Fi spots for any kind of official business. In fact, for the most security, it might be a good idea to not connect any company mobile devices to any public Wi-Fi networks at all.

Solutions

Another solution is to use a 4G internet dongle. These devices plug in to your laptop and function as cellular modems to connect you to the internet the same way that your cell phone connects. This not only lets you bypass the dangers of public Wi-Fi, but also allows your employees to work online from anywhere where they can get a cell signal. The downside is that if there is no cell reception, there is no internet, and poor cell reception could lead to the connection being agonizingly slow. It’s also fairly pricey, with many providers charging large fees for very limited data. One alternative here is to tether an existing 4G phone that already has a data plan.

The last solution is to use a VPN, or virtual private network, to tunnel through the public Wi-Fi access and do all business-related work under full encryption. A VPN, in this case, involves creating a secure connection within the unsecured public connection, and connecting directly to a work server which you then use to access the broader internet. This keeps the data you send secure between your laptop and the final destination. VPNs are relatively easy and inexpensive to install and deploy.

Hybrid solutions are out there as well. We have deployed software for organizations that enables employee computers to access public WiFi but only in conjunction with a VPN, so users can enjoy the convenience but reduce their risk.

Client Alert – Cryptolocker Ransomware Outbreak

In the last few weeks, and with increasing frequency, our clients have been encountering instances of a new type of malware known as ransomware. The most popular of these, known as CryptoLocker, infects your computer and encrypts the data files on it as well as on any network shares you have connected with a drive letter (e.g., F: drive). Victims are advised they have XX hours to submit payment (usually $100 or $300) in order to have their files decrypted. If this time passes, the “private key” required to decrypt the files is deleted, and files cannot be easily recovered. The warning message looks something like this:

CryptoLocker screenshot

I’m sure you’re wondering why law enforcement authorities cannot follow the payment trail to the criminals ransoming people’s data. It’s likely that international non-state actors are involved and are using “botnets” (http://en.wikipedia.org/wiki/Botnet) to spread the malware. In addition, the payment methods the ransomers are using minimize the risk of their being identified.

How Do I Protect My Organization?

Due to significant variations in the payload, antivirus and other malware vendors have not been able to easily identify and quarantine this software, which has arrived on people’s computers primarily via email attachment, often claiming to be from FedEx or UPS. Besides recovering backups of your files, there is no practical way to recover your encrypted data without paying the ransom. The most practical approach at this time is to a) ensure you have backups of your data files on all drives and shares you are attached to; b) modify your email filters to disallow executable attachments and zip files; and c) educate your users!

Instructions for your users: Do not open attachments from senders who you don’t recognize. FedEx and UPS don’t send emails with attachments! If you do see attachments, do not attempt to open zip files or any executable files, even if they have a name that implies they are a PDF file (another common method).
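One way to express the attachment rule from step (b), including the file-that-claims-to-be-a-PDF case, as an added example that is not part of the original alert or any vendor's filter. The extension lists, the sender domain and the sample message are constructed; the content check relies on the standard "MZ" (Windows executable) and "PK" (zip) file signatures.

```python
import os
from email.message import EmailMessage

# Assumed policy lists; tune them to your own mail gateway rules.
BLOCKED_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs", ".zip"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}
ZIP_BASED_DOCS = {".docx", ".xlsx", ".pptx"}  # legitimate formats that are zip containers


def check_attachment(filename, data):
    """Return the reasons an attachment should be blocked (empty list = allowed)."""
    reasons = []
    # Windows ignores trailing dots and spaces, so "a.exe. " still runs as a.exe.
    clean = filename.strip().rstrip(". ").lower()
    base, ext = os.path.splitext(clean)
    if ext in BLOCKED_EXTS:
        reasons.append(f"blocked extension {ext}")
        if os.path.splitext(base)[1] in DOCUMENT_EXTS:
            reasons.append("double extension: name implies a document")
    # Inspect the content too: a renamed executable keeps its file signature.
    if data[:2] == b"MZ" and ext not in {".exe", ".scr", ".com"}:
        reasons.append("content is a Windows executable despite its name")
    if data[:4] == b"PK\x03\x04" and ext != ".zip" and ext not in ZIP_BASED_DOCS:
        reasons.append("content is a zip archive despite its name")
    return reasons


def scan_message(msg):
    """Map each flagged attachment name in an e-mail to its list of reasons."""
    flagged = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = check_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            flagged[name] = reasons
    return flagged


def build_sample_message():
    """Constructed message imitating a fake shipping notice (no real payloads)."""
    msg = EmailMessage()
    msg["From"] = "tracking@shipping.example"
    msg["To"] = "user@company.example"
    msg["Subject"] = "Your package could not be delivered"
    msg.set_content("Please see the attached label.")
    samples = [
        ("Label_1234.pdf.exe", b"MZ" + b"\x00" * 16),
        ("tracking.zip", b"PK\x03\x04" + b"\x00" * 16),
        ("receipt.pdf", b"%PDF-1.4\n"),
        ("invoice.pdf", b"MZ" + b"\x00" * 16),  # executable renamed to look like a PDF
    ]
    for name, data in samples:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()).items():
        print(f"BLOCK {name}: {'; '.join(reasons)}")
```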

We have seen multiple variants of this malware already and expect to see more. CONTACT US if you need assistance or advice on mitigating the risk of infection, or if you have already been infected.

What Organizations Need to Know About the Looming Internet Taxes

The new Marketplace Fairness Act, or “Internet Tax” will require online retailers to collect sales taxes for the states where they ship goods, not just the ones where the seller has a presence. If you are a non-tax exempt organization that purchases or ships any of your products online, these new taxes will affect you.

This article will cover the basics of the Marketplace Fairness Act, so you can understand how it may impact your bottom line.

Currently, both consumer-level and B2B online shoppers have enjoyed purchasing products online mostly sales tax-free. Older laws required stores to collect sales tax only on goods shipped to states where they have a physical presence, such as a distribution center or a physical store. For example, if you purchased office supplies and software from Office Depot online, you would likely pay sales tax on your purchase. If, on the other hand, you made this purchase on Amazon, you might get off scot-free, when it comes to sales tax.

Complication has been the main reason for not requiring these sales taxes; deciphering all of the various sales tax laws for all 45 states that have sales tax was just too much of a burden for businesses.

Back in 1992, the Supreme Court addressed the issue, but Internet commerce was non-existent in those days. According to online sales tax advocates, current technology makes it simpler to collect sales taxes from various states. The so-called Marketplace Fairness Act urges state governments to provide companies with free software for calculating taxes and to establish one state entity to receive the payments.

Interestingly enough, consumer and business purchases from out-of-state are already likely subject to something your state calls “Use Tax.” Surprisingly, many consumers and businesses know little about this tax. Buyers are supposed to track their out-of-state purchases and pay sales tax when they file their tax return. However, many buyers are not even aware of — or ignore — these requirements, and they are difficult to enforce.

Supporters of the Internet Tax include big box retailers like Target, a mix of Democrats and Republicans, President Obama, the National Retail Federation, and even Amazon. While Amazon — as you might guess — was against the new tax for a while, the e-commerce powerhouse has changed its mind as its interest shifts into expanding its physical operations into more states. Apparently, Amazon realized the benefits of providing faster and same-day delivery from increased distribution centers outweighs the risk of requiring customers to pay sales tax.

Opponents include conservatives and anti-tax activists who claim the law will hurt small online businesses. However, one very big online business is leading the charge against the tax. eBay wants the law to exempt any business with fewer than 50 employees, or that make less than $10 million a year on out-of-state sales, to protect its numerous sellers.

No matter which side you’re on, it’s hard to deny the numbers. According to the U.S. Department of Commerce, there were $225.5 billion in online sales in 2012. And, thanks to the current sales tax-free status, states lost a combined $23 billion in uncollected sales tax revenue.

If you live in one of the five states with no statewide sales tax (Alaska, Delaware, Montana, New Hampshire, and Oregon), you’ll get off easy on this one, too. People in these states won’t be charged on goods they have shipped to their home state. However, businesses won’t fare so well. They will have to collect sales taxes for items shipped to other places where there are sales taxes — in other words, most of the country.

In states with sales tax, businesses and individual consumers will have to pay the same amount of sales tax as they would buying a product in person at a brick-and-mortar store. You can use this tool (https://taxcloud.net/find-a-rate/) to see how much something will cost under the new law by choosing a location and tax category.

The Marketplace Fairness Act is currently pending in the House, and the earliest it could go into effect is October 1, 2013.

How to Extend the Life of Your iPhone

Your iPhone is your connection to the world, your organization tool, and your technological toy. It’s also expensive. The only thing worse than the cost of constantly upgrading your iPhone to the latest version, is the cost of having to replace your current one due to damage.

To keep this wondrous gadget in top form, and to give it the longest life possible, follow these simple tips.

Wrap your iPhone in armor to protect it physically.

In the consumer tech world, iPhone armor equals a high-quality case and a protective film. A durable plastic shell, like those made by OtterBox, will save your phone from an unfortunate drop, or even the constant abuse it receives at the bottom of your briefcase, handbag, or even the bottom of your pocket. Tons of options exist in a number of styles, but no matter what you choose, make sure it’s designed to withstand accidents and not just look pretty.

A screen protector, like Zagg’s Invisible Shield, will save your screen from keys, loose pens, and any other objects that threaten to harm your iPhone screen.

Give your battery a break every now and then.

Preserve your battery by reducing the strain some of your iPhone’s conveniences cause. Features like push email, maximum screen brightness, and Bluetooth connectivity shorten the life of your phone’s battery, and you can probably live without them. Turn these features off, at least some of the time.

If your screen is broken, why not fix it?

Whether you crack your screen, or smash it into little bits, the appearance of a damaged iPhone screen can be jarring. You might have the urge to run to the Apple store and replace the entire thing.

However bad it looks, a broken screen can be replaced for as low as $70 – much, much cheaper than replacing your entire phone. If your iPhone gets cracks or scratches, simply give it a facelift with a new screen. Just don’t expect Apple to do this for you; the company will only swap out entire phones. You’ll have to do some searches in your area to find a reliable vendor who can do this for you.

Help your iPhone beat the heat.

If your iPhone feels hot to the touch, treat it like it has a fever, and put it to bed. In other words, turn it off to give it some time to “rest” and to cool down. Overheating spells trouble for the phone and your battery.

Protect your iPhone in case it is lost or stolen.

A lost iPhone is just as detrimental as a broken one. Apple’s app, Find My iPhone, can help you recover your investment. The app is free and pinpoints the location of your device with GPS if it’s lost – or stolen.

And, if someone steals your iPhone, using the pass code lock will ensure only you have access to your information.

Keep it synced.

If your phone does meet with an untimely demise, be sure your data doesn’t die with it. Sync your phone with iTunes often to save you tons of time when you replace your phone and don’t want to miss a beat.

Insider Threat Risks to Your Organization

Business owners and IT managers are well aware of the threats posed by hackers and cybercriminals to their networks, and most are taking steps to secure their organizations and to ward off these outside threats. However, sometimes the biggest threat to your company comes from within the walls of your office.

A recent study funded by the U.S. Department of Homeland Security, the U.S. Secret Service, and the CERT Insider Threat Center at Carnegie Mellon University’s Software Engineering Institute found that malicious insiders within the financial industry often get away with fraud for nearly 32 months before they are detected.

At a February presentation at RSA Conference 2013, Dawn Cappelli of the CERT Insider Threat Center presented several instances in which current and former employees damaged companies by planting malware, stealing corporate data, or colluding with outsiders to commit fraud. In fact, the center has tracked 800 insider threat cases since 2001.

Types of Insider Threats to Watch Out For

According to Cappelli, certain employees often are involved in a range of scenarios:

Cases involving intellectual property theft, such as business plans or source code, often involve a former employee who worked on the project. Often, these culprits save company information on a USB drive and are never caught.

In cases of sabotage, highly technical employees, such as system administrators who become disgruntled after being fired, often set up an attack before leaving the company.

Fraud cases typically involve lower-level support employees, such as help desk personnel, who conspire with outsiders.

Threats from untrained users or users that are not following procedures are also very real.

Potential Sources of Insider Threats

Companies that use file services like Dropbox and virtual machines should be careful, as employees can use these to exfiltrate information. One case Cappelli presented involved a product development manager who had access to clients’ trade secrets. He had access to information on two clients in the semiconductor industry and downloaded 80 documents before leaving the company and taking a job with one of these semiconductor clients. His new employer turned him over to authorities after learning about the breach, including the fact that 18 of the documents belonged to a close competitor. To protect your company from this type of threat, ensure that business partners protect information, audit their controls, and build these requirements into contracts.

Another source of potential insider fraud is shared computers. Cappelli spoke of an instance at a university, where two students loaded malware onto publicly accessible computers so they could steal credentials and spy on student records.

In another situation at a hospital, a disgruntled security guard, who had a background in system administration, installed malware on systems. He was caught when he posted a video of his work, and another hacker reported him to the FBI.

Yet another instance involved a network engineer at a retail company who knew he was going to be fired. He created a VPN token for a fake employee before leaving the company, and then called the company’s help desk pretending to be a new employee requesting a credential activation. After lying low for a few months, the former employee deleted corporate email accounts and virtual machines, creating a major headache for the company. To protect virtual machines, companies can scan memory files and tie virtual environments into existing security systems.

Insider Threat Warning Signs

While these examples of rogue employees wreaking havoc on companies might be scary, they serve as a reminder that threats need not come from outside a business.

In a recent Tech Republic article, writer Tom Olzak shares a list of possible signs that an employee is about to go rogue, possibly creating a security risk for your company. His list includes the following:

  • Attempts to circumvent security controls
  • Unexplained, repeated absences on Monday or Friday
  • Pattern of disregard for rules
  • Long-term anger about being passed over for a promotion
  • Pattern of lying and deception of peers or managers
  • Frustration with management for not listening to what the employee considers grave concerns about security or business processes

Watch out for these signs that someone may become a threat, and communicate with that employee immediately to attempt to remedy the situation before it spirals out of control. Since employees often hide malicious behaviors from managers, training all employees to watch out for signs of discontent can help with prevention. Providing a way for employees to anonymously report peers can help them look out for your company without fear of being labeled a tattletale.

The “Accidental” Threat

While the threat of an insider intentionally compromising security to get what he or she needs is very real, industry statistics indicate that more than 52 percent of insider incidents are accidental or inadvertent. How do you guard against these? A multi-dimensional security approach is required that encompasses:

  • Education — educate your users about the risks of phishing attacks, social engineering attacks, and high-risk behaviors such as downloading and installing unauthorized or illegal software, or sharing passwords.
  • Security Tools — many organizations invest in tools that can monitor in a “trust but verify” manner; reminder emails and popups give users a chance to think twice about an action that may put the organization at risk.
  • Policies/Procedures — ensure that your policies and procedures are not just in place for reference, but are actually followed. Audit them periodically to verify compliance. If users are circumventing them, establish user task forces to optimize and improve them. This will also result in more user buy-in.

Parting Thoughts

Protecting against insider threats, malicious or inadvertent, can be the difference between success and failure for organizations with key legal considerations or intellectual property to protect. Developing the right approach to managing risk is more than just good business; it is a necessity. Owners and IT managers of organizations should identify their largest insider risks and develop “right-sized” approaches to mitigating them.
