Businesses risk data breaches due to 'confusion' over privileged users

Raytheon report suggests organisations recognise threats posed by staff with access to sensitive information, but aren't sure how to stop 'curiosity' leading to a potential data breach

Organisations remain confused about the threats posed by "privileged users" within their organisation, something that presents risks to their networks and sensitive information.

That's according to "Privilege User Abuse & The Insider Threat", a new report from Ponemon Institute, commissioned by defence contractor Raytheon, which examined practices surrounded privileged users and information security.

It found that 88 per cent of organisations believe that the potential damage which could be caused by an insider threat - malicious or not - represents a cause for concern.

However, as Michael Crouse, Raytheon's director of insider threat strategies told Computing, despite high profile cases of data breaches coming from IT contractors, information security should be viewed as an enterprise-wide concern.

"There's a lot of confusion when you talk about privileged users; a lot of people go right to Edward Snowden or Wikileaks and think they're just IT guys," he said. "But they're not just IT guys, a privileged-user insider threat can happen with anybody. Anybody who has access to your company's information is a threat," Crouse continued.

"It could be in HR, legal, the car park; if they have access to information and you haven't done a good job controlling those accesses, that's a potential for an insider breach."

However, as Crouse points out, data might not necessarily be leaked or stolen by a disgruntled employee; human error is more likely to lead to a privileged user accidentally losing sensitive information.

"Some of the worst breaches out there are people who are really not trying to be malicious but are just the dumb actors who have made mistakes but have caused vulnerabilities in your company," he said. He described insider threats posed by privileged users as "a people problem" because the networks themselves won't be leaking data without human help.

"It's not about a machine. A machine isn't being manipulated by social engineering. It's a person on the other end that's either leaking data intentionally or unintentionally."

The report suggests that 65 per cent of privileged users will access sensitive data, if they are able to, just because they're curious about it.

[Please turn to page 2]

Businesses risk data breaches due to 'confusion' over privileged users

Raytheon report suggests organisations recognise threats posed by staff with access to sensitive information, but aren't sure how to stop 'curiosity' leading to a potential data breach

Crouse told Computing how, much like "rubberneckers" passing the scene of a car crash, when it comes to sensitive information, you might not want to look, but curiosity will get the better of you.

"How many times do you see an accident on the highway and you don't want to look? You want to look forward, but how many times do you look over? Because you're curious and you have the access so you take a look.

"It's the same thing with privileged users. They're curious and sometimes they want to know," he said, but warned it's important to keep check of what an employee is doing with that information once they have access it, because it could be a security risk.

"What does that person do with that information one they access it? Do they save it on a hard drive? Do they email it to their buddy? Put it in their Gmail account?" Crouse asked, citing methods by which the data could escape from an organisation.

As a result, the report suggests organisations should be deploying software and systems to properly monitor what privileged users are doing with sensitive information, an area where complacency must be avoided.

"Select a proper tool," said Crouse. "And what I mean by proper tool is select tools that do the requirements, don't just assume that the current information assurance tool that you've been using for the past ten years is the one you're going to need to protect against the insiders, because they're different.

"Sometimes you need to think out-of-the-box. There are tools out there for insider threats and privileged user monitoring, you should investigate those with due diligence," he added.

But despite the warnings and high-profile data breaches, Crouse concedes there will always be those that ignore the threats posed by privileged users, an approach he described as "playing with fire".

However, those ignoring the threats are in a minority, he added, telling Computing that cases like Edward Snowden are forcing businesses to seriously examine their information security strategies.

"I think they're reacting because now you've had a breach, the trend over the next few years will be trying to be more proactive. You can always react after a problem happens, but for many organisations that'll be too late," he said.

"So I think you're seeing a trend of trying to be more proactive and heading off problems at the pass," said Crouse.