Several recent surveys and reports have documented and argued that our historical risk management behaviors do not position us well to deal with the threats represented by trusted insiders during periods of heightened organizational strain and staff reductions. As expected, a subset of our engineers, marketers, system administrators, database analysts, and server and network security engineers will steal what they can in order to position themselves for a softer landing when (if) they are told they no longer work for the corporation. Most corporations have chosen, consciously or not, to forgo investing in the types of controls, monitoring, alarming, and reporting that would help resist the threats posed by this population.
McAfee commissioned Professors Karthik Kannan, Jacquelyn Rees, and Eugene H. Spafford, from Purdue University and the Center for Education and Research in Information Assurance and Security (CERIAS), to analyze and report on data gathered by international research firm Vanson Bourne, who surveyed more than 1,000 senior IT decision makers in the U.S., U.K., Japan, China, India, Brazil and the Middle East. Their report is titled “Unsecured Economies: Protecting Vital Information — The first global study highlighting the vulnerability of the world’s intellectual property and sensitive information.”
Spafford’s summary of the report’s conclusions is that “The combination of economic pressures, weak efforts at law enforcement, international differences in perceptions of privacy and security, and the continuing challenges of providing secured computing are combining to place vast amounts of valuable intellectual property (IP) at risk.” The report also estimates that “intellectual property worth billions of dollars (US) was stolen or damaged last year, and we can only expect the losses to increase.”
He goes on to outline five key conclusions the authors drew from the data:
- The recession will put intellectual property at risk.
- There is considerable international variation in the commitment (management and resources) to protect cyber.
- Intellectual property is now an “international currency” that is as much a target as actual currency.
- Employees steal intellectual property for financial gain and competitive advantage.
- Geopolitical aspects present differing risk profiles for information stored “offshore” from “home” countries.
Everyone in the information security / risk management business should read this 36-page report. It includes summary case studies, recommendations, and supporting text that should help frame the issues and their priority for executives who need to continue making decisions about when they are willing to tempt financial or brand catastrophe.
Not too long ago, Cyber-Ark published a report claiming that “88 percent of IT administrators admitted they would take corporate secrets” if they were suddenly dismissed. The details were less sensational, but that report included many of the warnings carefully outlined in the paper identified above.
In a period when our companies are eliminating staff, we should remember to exhibit risk-appropriate caution, and plan carefully for each instance of releasing members of our workforces who have access to credentials or bulk sensitive information. Dealing with the subset of this population who may react to learning of their dismissal by stealing sensitive data (or otherwise abusing their permissions) is not a new problem. The magnitude of the risk may, though, be enhanced in any extended period of economic downturn or contraction in the financial services marketplace.
— References —
Dr. Karthik Kannan: http://www.krannert.purdue.edu/faculty/kkarthik/home.asp
Dr. Jacquelyn Rees: http://www.mgmt.purdue.edu/faculty/rees/home.asp
Dr. Eugene H. Spafford: http://spaf.cerias.purdue.edu/ and http://www.cs.purdue.edu/people/faculty/spaf/
“Unsecured Economies: Protecting Vital Information — The first global study highlighting the vulnerability of the world’s intellectual property and sensitive information.” (36 pages): http://resources.mcafee.com/content/NAUnsecuredEconomiesReport
Dr. E.H. Spafford’s summary of the report’s conclusions: http://www.cerias.purdue.edu/site/blog/post/unsecured_economies_and_overly_secured_reports/
Cyber-Ark report: http://www.cyber-ark.com/news-events/pr_20080827.asp