Feds, Insiders Foil Effort to Plug Corporate Data Leaks

Businesses spending more than ever to secure datacenters, networks and sensitive data are being undermined by their own governments and employees, as well as outpaced by outsider threats, leaving them less secure now than a decade ago.

Corporate IT security budgets are growing by double-digit percentages per year, according to recent IT market surveys from analysis firms Canalys and IDC. Total worldwide spending on products designed to secure IT infrastructures or minimize the impact of scams and financial crime now averages between 15 percent and 17 percent of average IT budgets, and will total more than $80 billion per year by the end of 2017, according to a May survey from IDC.

Even small- and mid-sized companies that have traditionally paid only lip service to IT security are increasing their security budgets at twice the rate of other IT spending, according to a more recent report from Canalys.

The security products bought with those growing budgets often come with back doors inserted by state security agencies with the cooperation of the developers, or are simply cracked by groups such as the U.S. National Security Agency (NSA), which routinely eavesdrops on both individual and corporate activities online, according to revelations about the NSA/Edward Snowden scandal published by the U.K.’s Guardian newspaper.

The NSA budgets $250 million per year for a program whose goal is to influence the design of IT products in such a way as to make them covertly accessible later by NSA surveillance teams, The Guardian reported at one point.

The Edward-Snowden effect continues to be the greatest data-security risk for most companies. Fifty-four percent of more than 700 organizations polled by analysis firm Enterprise Strategy Group reported insider attacks are harder to identify and defend against than they were two years ago, and 46 percent said they are “vulnerable” or “very vulnerable” to damage from insider attacks.

The reason is pretty simple – there are more people with better access to more information and a wider variety of insecure things to do with it. Thirty-seven percent of the companies polled said contractors, business partners, employees and others have wider access to the network than in 2011; 36 percent said cloud computing and increases in traffic from outside the network make identifying suspicious behavior more difficult.

And that’s after leaving out increases in traffic that make identifying any type of activity more difficult, according to 36 percent of respondents.

It also disregards the percentage of employees who ignore or purposely violate corporate security policies, whether out of spite or their own convenience.

In a series of in-person polls at Microsoft TechEd events in June, data-security-software developer Varonis found that 30 percent of employees at the 120 organizations polled were willing to admit to a stranger that they store corporate data in personal cloud-service accounts, putting that data beyond the ability of IT to detect or protect it. Worse, 5 percent admit to loading up their personal cloud accounts with corporate information they know for sure is confidential. (Report is free to download here; registration required.)

According to a blog posting by a Varonis executive, many employees covered by non-disclosure agreements don’t realize that uploading confidential information violates those agreements.

Having an NDA in place can reduce the percentage of employees uploading information to insecure sites, according to the report; asking employees in exit interviews to return or delete company data on their computers or cloud accounts can also reduce the volume of free-floating sensitive data.

But only 46 percent of those polled said their companies even ask outgoing employees about company data, whether in the cloud or on their personal devices.

Most of the sketchy uploading is done by a very small number of employees, usually for convenience rather than out of malice.

There is a consistent weakness, however, in the willingness of companies to enforce NDAs or policies against uploading company data to personal accounts, which hampers the ability of even companies worried about security to close the most obvious holes.

The NSA/Edward Snowden scandal did change the way 45 percent of companies think about the threat from insiders, according to Jon Oltsik, the ESG analyst who was lead author on the study. That change may prompt some improvement, but the realization is late in coming. A similar survey in 2008 showed that “insider attacks were viewed as the most dangerous of all since insiders tend to know what they want, where it is and how to get it,” Oltsik wrote.

That may have reflected the awareness level of 2008, but insiders have been considered a primary threat since the very beginning of corporate IT. Top managers simply have to be reminded of that from time to time.

“Given how vulnerable organizations are and how difficult it is to detect/prevent insider attacks,” Oltsik added, “it’s time for all CISOs to reassess insider risks, defenses, and detection/prevention efficacy. If the ESG data is any indication, these areas may be much worse than they think.”
