From: WSJ
By C.M. Matthews
Companies have obsessed lately about the danger posed by foreign hackers, but the biggest threat may come from their own employees.
Fear of foreign cyber intrusions peaked following a report by computer security firm Mandiant that a unit of China’s People’s Liberation Army was engaging in cyberwarfare against U.S. corporations and government agencies. Daily headlines told corporate America that Chinese hackers were targeting their systems. (The Chinese government has denied the allegations.)
Although all of that may be true, according to Mike Dubose, the head of Kroll Advisory Solutions’ cyber investigations practice, the coverage missed the bigger picture.
“Foreign hacking has grabbed all the headlines,” Dubose said. “But more than two-thirds of all cyber cases involve company insiders, not outside hackers. And, that figure is probably under-reported because many internal breaches are not made public.”
Dubose isn’t alone in this assessment. A survey last year by security firm AlgoSec found that security managers are more worried about low-level insiders than sophisticated foreign hackers. At a recent conference, Federal Bureau of Investigation Chief Information Security Officer Patrick Reidy said that companies with strong protections against inside threats will be around in 10 years, and those without them will not.
Take the case of Hanjuan Jin, for example. Jin was a software engineer at Motorola from 1998 until 2007. But she accepted a job from a Chinese competitor in 2006 while on medical leave. Upon her return to Motorola, she downloaded proprietary technical documents from the company’s secure internal network and then gave notice. She was arrested at Chicago’s O’Hare Airport with more than 1,000 Motorola documents and a one-way ticket to China. Jin was sentenced to four years in prison in August.
Dubose, who previously served as chief of the Justice Department’s Computer Crime and Intellectual Property Section, said that companies are not particularly good at monitoring their own systems, leaving them open to internal theft. The average time between an internal breach and its discovery is 32 months, he said.
According to Dubose, companies need to start profiling high-risk employees by monitoring their adherence to internal IT security policies and other company guidelines. Unreported foreign trips and attempts to access classified information not related to an employee’s work duties should also raise red flags, he said.
On a broader level, Dubose said companies need to become more sophisticated about monitoring their networks for unusual and suspicious user patterns. He said they should institute centralized, system-wide logs of data access and transference that are easily accessible once a breach has been discovered.
Finally, if an internal breach is detected, companies need to crack the whip.
“The impact of a successful investigation and ultimate punishment can have a bigger deterrent effect than anything else,” Dubose said.