
Security: The threat within is greater than you think

Marguerite Reardon CNET News

Published: 12 Jan 2005 13:40 GMT


The no-tech Trojan horse
Once inside a company or one of its partners, a trusted employee can do enormous damage. Often such leaks disclose the most sensitive of data.

"Insiders know where the information is located and how the security systems work," Oltsik said. "They know what information is valuable and what's not."

Matching the figure from the Ponemon study on corporate leaks, Michigan State professor Judith Collins found that 70 percent of all identity thefts she studied started with the theft of personal data from a company by an employee.

It takes only one rogue employee to put a company at risk, said Brian Tretick, a principal at Ernst & Young who works in the Privacy Assurance and Advisory Services group. One of his clients had an incident recently in which an employee in the human resources department took home documents that included Social Security and bank account numbers. The employee's brother coerced her into giving him access to the information, which he used to get credit cards and fraudulent accounts.

 
Secrets out

Several big-name companies, including Apple, Cisco and Microsoft, have had problems with internal information being leaked. In addition to the suits mentioned earlier, Apple is suing a Mac enthusiast Web site it said solicited insiders to break confidentiality agreements and leak information.

In June, authorities arrested a former AOL employee for allegedly selling 92 million AOL screen names to a spammer. He supposedly gained access to the data using a co-worker's identification code.

In November, a Connecticut man was arrested on charges of selling Windows 2000 and Windows NT 4.0 source code stolen from a Microsoft partner. He now may face up to 10 years in prison and a fine of $250,000.

Some of Cisco's IP router source code was leaked to a Russian Web site in May. It's unknown how the information got out, but some suspect an employee or partner may have leaked it.

 


The company found out about the fraud when employees affected by the scam compared notes and realised the information had been leaked from their employer. Only about 100 employees were hit by the scam, but because the company wasn't certain which workers had been compromised, it was forced to notify everyone. The company set up a 24-hour hotline to answer questions from employees. It is providing free credit reports to all workers for at least one year. It also changed some of its business processes to prevent future breaches. In the three months after the fraud was detected, the company spent more than $2m to mitigate the effects, Tretick said.

The Association of Certified Fraud Examiners estimates that a typical US organisation loses about 6 percent of its annual revenue to fraud, according to Ernst & Young's global security survey published in September. When placed within the context of the US gross domestic product for 2003, that amounts to roughly $660bn.

"Companies are really conflicted about how to handle the internal threat problem," Tretick said. "They want to make their processes open and easy so they can run an effective business. That often means putting trust in the people who work for them. But all it takes is one bad apple."
