• United States




Insiders — the invisible threat lurking in your office

Mar 31, 20175 mins

07 insider
Credit: Thinkstock

With all of the focus in the business world recently related to hackers, we have tended to overlook a group of potential bad actors who have already penetrated our perimeter security, and have access to our facilities — our employees and contractors. While our security teams usually monitor firewall and intrusion prevention logs, the threat from insiders is, in many cases, completely ignored. 

While some insiders are intent on stealing data or damaging systems for profit or some other motive, many more expose their employers to harm just by making mistakes. Whether intent exists or not, the damage is just as bad

Just about everyone who has been in corporate IT for any length of time has been involved in an investigation of an insider. The most common scenario involves an employee who has been involved in a bad act for some time, and was only noticed when the bad activity reached a threshold, causing it to come to someone’s attention. This generates a frantic effort to quantify and remediate the damage. Unfortunately, by that time, the impact is usually big. 

According to the IBM publication The Year the Internet Fell Apart, in 2014, 31.5% of security incidents originated with malicious insiders, with another 23.5% coming from inadvertent actors. You don’t need to be really good at math to immediately recognize that more than half of our incidents are coming from the inside. 

With the great emphasis today in threat information sharing, often referred to threat intelligence, insider threats pose a particular problem. A Forbes sums up the problem rather well: “There is an overall lack of knowledge of insider threats, and the public and private sector cannot share what they do not know.” 

In a recent example, and Oregon sportsware company discovered that their former IT administrator had left backdoors into their systems. He is accused of accessing their network via the backdoors over 700 times to benefit his new employer. Unfortunately, there are all too many similar examples, and those are just the ones we know about. 

Much of our challenge is today’s environment is our mobile workforce. A large percentage of the workforce is making use of mobile devices to do their jobs, and their employers are hard pressed to properly control such devices. In a recent study by Apricorn, more than half of the companies surveyed said that it was now too hard to manage the technology their employees use, and 35% found that the tools necessary to secure mobile devices were too expensive for them to deploy. 

So, should we concede defeat and just ignore the risks posed by insiders, and focus instead on outside actors? I would suggest otherwise, because while the challenge is big, it is not impossible. Consider the following: 

Use mobile management software

As respondents to the Apricorn study mentioned above said, mobile management software can be expensive. I would suggest however that it is less expensive than a single major data breach. There are a variety of tools available to control employee mobile devices, and they provide essential features such as encryption, secure email, and remote wipe of corporate data. My favorite such tool is VMware AirWatch

Once you have mobile management technology in place, you must take a hard line in requiring employees to immediately report lost or stolen devices. Such losses happen to all of us, so there should be no embarrassment. Prompt notification allows devices to be wiped remotely, preventing exfiltration of data. 

Encrypt laptops

Laptops are lost and stolen very frequently. I recently dealt with the theft of three laptops from a rental car being used by employees at a customer site. All of the laptops had customer data, and based on surveillance video, were gone in a matter of seconds, in broad daylight in a visible public parking lot.

The only way to keep laptop data safe is to encrypt the data on the hard drive. For most users, this is as simple as enabling BitLocker, which is included with Windows, or FileVault, which is part of MacOS. 

Control access

Carefully controlling what systems and data your employees have access to can significantly reduce your risk of data loss. Employees should only have access to the information necessary to do their job, and no more.

Some years ago, a now defunct computer manufacturer, in an effort to sell the importance of user access control, adopted the tag line “stinginess with privilege is kindness in disguise.”  While a bit of a cliché, it is all too true. 

Disable departed employees

I suspect if most companies audited their current employee lists against their active users, they would be shocked to learn that there were more active users than employees. It is all too easy to forget to disable access when an employee leaves, but the consequences can be disastrous. Proper access termination is just as important for people who voluntarily resign, as it is for those who are terminated. A simple departure checklist can make the process very manageable. 

It is ironic that, with all of the focus on outside bad actors and hackers, we tend to ignore those in the inside. Our tendency is to trust them as part of our corporate family. Unfortunately or accidentally they let us down too often.

To controls your security and protect your data, look inside your walls first, before you worry about those on the outside.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of Mr. Covington has B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIT and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author