Risk of Insider FraudInsights on Ponemon's New Study of Internal Risks
Many organizations realize they are at risk of insider attacks. But do they have evidence and capabilities to respond to these risks? That's the real challenge, says researcher Larry Ponemon.
"The Risk of Insider Fraud" is the name of new research conducted by Ponemon and Attachmate Luminet, and it sheds new light on organizations' top challenges dealing with these threats.
"A lot of organizations know that there are problems concerning employees, temporary employees and contractors," says Ponemon, founder of the Ponemon Institute research firm. "But they don't actually have the ability to get actionable evidence that proves beyond a reasonable doubt that that [individual[ is doing something that falls under the category of fraud or abuse. And that lack of visibility and accountability is a big problem in many of the companies we surveyed."
How best to address this lack of transparency? Technology solutions are part of the equation, Ponemon says. Network intelligence and data loss prevention tools can be effective. But good governance is the other factor."You need to educate people, and you need to have the right control procedures in place to ensure that people are aware of insider fraud," Ponemon says. "If they see someone doing something suspicious, they are the first line of defense."
In an interview about the insider threat, Ponemon discusses:
- Key findings from this new research;
- What needs to be communicated to C-level executives;
- Tools to detect and prevent inside attacks.
Additionally, Christine Meyers, Director of Attachmate's Enterprise Fraud Management solutions, and overseer of the Luminet product, discusses enterprise fraud trends and how organizations benefit from having such a solution in place.For more information about the insider threat, please see:
Insider Fraud: New Ponemon Survey reveals all organizations have risk
Hacks, accidental disclosures and breaches appear in the news every week. This new survey shows the next victim could easily be you. Understand your risk - get this essential information now. The Ponemon survey on The Risk of Insider Fraud is provided by Attachmate Luminet.
Ponemon is the Chairman and Founder of the Ponemon Institute, a research "think tank" dedicated to advancing privacy, data protection and information security practices. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information Management or RIM framework. Dr. Ponemon was named by Security Magazine as "Most Influential People for Security."
Ponemon Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a various industries. In addition to Institute activities, Dr. Ponemon is an adjunct professor for ethics and privacy at Carnegie Mellon University's CIO Institute. He is a Fellow of the Center for Government Innovation of the Unisys Corporation.
Risk of Insider Fraud Study
TOM FIELD: Larry, tell us a bit about this study. What was the genesis of it, and why study the insider threat now?
LARRY PONEMON: Our study is entitled "The Risk of Insider Fraud" and it's sponsored by Attachmate Luminet. This particular study is something that we have been interested in conducting for years, and let me explain why. We hear about all these cyber attacks, cyber warfare and hacktivists, and all of these really cool topics, but based on Ponemon research over the years, we basically have had a notion that the insider fraud issue - or the insider threat - still represents a huge problem and a huge vulnerability for many organizations. So we were really pleased to be able to do this research independently and to determine whether our hunch about the issues of insider fraud were in fact real, and they are.
FIELD: Let's talk about the findings. What are the key findings emerging from this study?
PONEMON: The key finding of our study is that the insider fraud issue in many organizations is huge and it's unresolved. A lot of organizations are experiencing all sorts of attacks, both inside and outside the organization, but the issue of malicious or criminal insiders still represents a very, very great big security problem and a big vulnerability for many organizations.
Top Threats to Organizations
FIELD: What do you see as the top threats to organizations?
PONEMON: The top threats to organizations, if you had to basically look at the number-one priority, is the whole issue of visibility. A lot of organizations know that there are problems concerning employees, temporary employees and contractors, but they don't actually have the ability to get actionable evidence that proves beyond a reasonable doubt that employee or that temporary employer contractor is doing something that kind of falls under the category of fraud or abuse. That lack of visibility and accountability is a big problem in many of the companies that we surveyed.
FIELD: What do you see as being the organization's main challenges to mitigating these threats?
PONEMON: Part of it is enabling technology. It's hard to have visibility in a complex organization of any size. Even a small mom-and-pop company with fewer than 100 people, it's kind of hard to know what each of your employees does and what they're looking at in terms of sensitive or confidential information, whether they're moving confidential information from an enterprise system to a USB drive. All of these issues, unfortunately, you just can't watch and observe; you basically need enabling technologies. There are technologies that do a good job in helping an organization get to that actionable evidence when it's needed.
For example, we're seeing organizations deploy network intelligence, or SIM, technologies. The issue of mobility is creating a lot of risk and we see mobile device management tools being deployed. Data loss prevention is very, very popular and, in general, governance, access governance and restricting who has access to what and if in fact they have access, to make sure they're doing that in appropriate ways. Technology becomes very helpful, but I don't want to overlook just plain blocking and tackling governance. Technology just gets you so far. You need to educate people and you need to have the right control procedures in place to ensure that people are aware of insider fraud. If they see someone doing something suspicious, they're the first line of defense. If they're a bad guy - they're working in a company that's starting to step things up - the bad guy is less likely to do bad things. He'll find another company to work for. Basically it's the technology, governance and control.
Educating C-Level Executives
FIELD: I took a look at the report and there were a couple of topics that jumped out at me I want to ask you about. The first is about c-level executives. Why are they so out of touch on the insider threat?
PONEMON: That's a great question and I'm not sure if we have the definitive answer, but let me just tell you what our research suggests. It suggests that c-level executives are not involved enough in issues concerning security, data protection, the protection of intellectual property assets for example. A lot of c-level executives just assume its getting done by an underling or someone lower in the organization, and it's a technical issue that gets fouled by technicians, not by senior level managers. We always see that surprise on the face of the CEO or the board of directors, or a member of the board of directors, when their organization suffers a security exploit or a data breach. But it's a common problem that a lot of organizations have c-levels that are not told about all the things that are going on in their organizations until it's too late, until they suffer from a data breach or a security exploit.
Most Important Tools
FIELD: Now you said in the report and our conversation today that tools are key. What then are the tools that organizations really need to better detect and prevent these threats?
PONEMON: Unfortunately, you need a lot of these tools. First and foremost, you need tools that you help identify whether or not a person has appropriate credentials to access certain files or to retrieve confidential information, or to basically enter certain confidential systems. Not having tools that help you identify who has a right or does not have a right to information - and not just information sitting in databases, but kind of a plethora of unstructured data files like spreadsheets, PowerPoints, business memos and Word documents - all of that information in the wrong hands can present a very, very big problem to organizations. I think a lot of organizations don't necessarily have the tools on the unstructured side, and then they barely have the right tools on the structured side in terms of databases and so forth. So access, management, provisioning - those kinds of controls become very, very important.
You also - as I mentioned before - need to have visibility into what people are doing or not doing in some cases, and so security intelligence tools, network intelligence or sometimes something referred to as SIM, these technologies are very, very helpful in putting patterns together to help you find the needle in the haystack. In a complex organization, you have thousands or tens of thousands of people who are accessing these files all the time, 24/7, 365. The key is the ability to pinpoint an unusual event or an issue that deserves greater attention by the security team in your organization.
Another issue I think that's really important is the ability - again as I mentioned - to have a governance infrastructure so that there are people who are accountable in the security area, in the IT area, in the compliance area to make sure that those people are directly involved in ensuring that enforcement is appropriate and monitoring compliance against rules, policies, procedures and so forth. Taping together these things creates an environment that helps organizations reduce the risk of insider fraud.
Key Trends for 2012
FIELD: Given what you've learned about insider fraud, what do you see as being the key trends for 2012?
PONEMON: In 2012 - the year that we're in - I basically believe that the insider fraud problem is very unlikely to get better. It's probably going to get worse. Now let me tell you why I think that's the case. We're starting to see kind of the emergence of insider fraud that's a much more complex set of events. It's not just one bad guy doing something like stealing information, but it's a syndicate of bad guys that are attacking an organization; things like spear phishing, where we basically get people stooped to the point where they're sharing their most confidential information through an e-mail communication because it just seems legitimate - we're seeing more and more of these attacks.
My guess is that insider fraud is going to continue to be a big problem. At a minimum, even if it doesn't grow, it just stays at the same level, it's going to represent a very, very large share of fraud and abuse that organizations experience.
Now I also think that there is hope, there is a light at the end of the tunnel. And what does that light tell us? It tells us that more and more organizations are making the right investment in enabling technologies that reduce the risk of insider fraud and abuse and gives them the intelligence, the ability to spot problems before they become bigger problems. I think that, even though we're seeing a trend that things aren't necessarily getting better immediately, I'm very hopeful that in the long term better technology, better governance, better training of employees will basically lead to a safe and secure environment for many organizations.
Advice for Organizations
FIELD: Final question for you. What's your bottom-line advice for these organizations on what they can do to get ahead of the insider threat?
PONEMON: It starts with, as I said before, blocking and tackling. What do I mean by that? Before you hire a person, do a background check and make sure that person has the right credentials for the job. We see things like, "Well, this person had a great resume or this person was strongly recommended by another employee who worked with this employee at another company." That's not good enough - background checks of everybody.
Also, educate the c-level. I know this might seem silly, but a lot of the c-level executives are not focused on insider threats because they don't understand it. It's not a bad idea to create a training and awareness activity that gets people at the c-level to understand the risk that insider fraud or insider threats present to their organization.
Also, I think an issue that's going to be important is to look at broad trends and types of attacks against organizations. Take for example spear phishing. We're starting to see an epidemic of spear-phishing incidents, but it's a one-two punch. That's only part of the criminal enterprise. Understanding how fraud is perpetrated in organizations and trying to come up with procedures to reduce that risk is really a good idea.
The basic issue is it's mostly common sense, but you also need the tools. The tools will help you to achieve success. Without those tools, unfortunately, it's a daunting task that may be very, very difficult to manage.
Enterprise Fraud Trends
TOM FIELD: Now Christine, what are some of the trends that you're seeing in enterprise fraud and misuse today?
CHRISTINE MEYERS: Fraud continues to be a persistent issue all across the enterprise. It's really a perennial favorite. What we see is that the fraudsters are getting smarter. They're starting to outpace traditional detection methods, and it's becoming more difficult to find them. There's also a move toward collusion in the enterprise, and that frequently involves an element of organized crime. But the one trend we do have our eyes on right now is this growing trend of error and misuse. People today are attached to so much; they have so little time. The opportunity for critical errors that impact business and introduce risk has really started to ramp up.
FIELD: When a potential client comes to you, typically what are the problems that they're trying to solve?
MEYERS: It's a great question and, to be honest, it really varies. Frequently our customers come to help them erase blind spots across their applications and improve visibility above and beyond what they can get from other sources, like their data logs, for instance. Traditional logging is a real challenge when creating an audit trail. These logs are often incomplete, they're difficult to read and they don't provide the whole picture. What we do is we use a next-generation technology to capture activity and go beyond what's available in those logs today.
With Luminet in place, you get a dimension of visibility that's typically hidden, providing a way for organizations to see what users actually did screen-by-screen. It's almost like having a TiVo for your enterprise activity.
FIELD: When you look at your customers, which are the business areas or verticals that are taking a look at addressing fraud in their environment? Do you seem to see more in finance, healthcare or government? And among those, are there trends of those who are deploying enterprise fraud management solutions today?
MEYERS: It's truly a mix. Attachmate has over 60,000 customers, and many of them are Luminet users today. We find that organizations across multiple verticals are all seeking better information about what's going on with their users, and their drivers can be different.
For banking and insurance, we often see concerns about fraud or inside dealing and support for audit and compliance as well. Within healthcare, for example, drivers like patient privacy, HIPAA and the new accounting of disclosure requirements are important. And then for government, their needs are a little bit different. We hear about the need to continuously monitor users and verify that they're using their access to data and applications appropriately, and there's a trust-and-verify theme that you're seeing in government today.
FIELD: How have organizations benefited most from having a solution like Luminet in place?
MEYERS: It's really interesting. Within a few hours, we can go into an environment and stand up Luminet and start providing immediate results. The solution can be deployed very quickly and it starts monitoring right away. We even see organizations identify fraud during our proof-of-concept phase, which is unusual. But that's where we would go in and we're doing the technical proving. In that instance, during that one week to 30 days where we're showing them the technology and how it works on their production servers we can actually help them see what's really going on.
Once Luminet's monitoring in that environment, we set up rules to help identify hot spots of activity and begin to proactively identify fraud and misuse and put an end to it. One of the other ways we can provide value is by capturing data with zero impact to performance and then enabling customers to run historical queries against all of the cross-channel data that they have. This is especially meaningful when you have a threat or suspicious activity that you've identified and you want to know if it's happened before or anywhere else in your environment. We like to capture all that evidence, preserve it in a secure, encrypted repository and then you can use it later if you need to for a personnel action or even a prosecution.
And our digital fingerprinting of users makes that evidentiary case data hold up better in court than other methods of case and evidence management in use today. That's another way we deliver real value.