At a time when external hacks are grabbing headlines, frequently unreported internal security breaches involving low-level administrators accessing high-level executive e-mail and other systems are driving efforts to limit access to only the most highly trusted personnel.
Although the internal access problem is well known, strategies for resolving it are being formulated by a surprisingly small number of companies, which are largely seeking out encryption technology from a handful of IT vendors. And while those products are helpful, they do not reveal how many systems administrators, database administrators, storage administrators and upper-echelon "super users" are accessing sensitive executive information.
Asked how many employees typically have access to sensitive data, such as executive e-mail or personal customer information, veteran data storage professional Warren Avery facetiously replies, "How many system administrators do you have in the company?
"I'm a firm believer that all these companies are spending their money to keep the foxes out of the henhouse, but a lot of times, the foxes are already there," says Avery, president of Promethean Data Solutions, a firm that compiles articles for its IT Weekly Newsletter.
Despite the insider security threat, Jon Oltsik, an analyst at Enterprise Strategy Group, says only "a very small percentage" of companies rely on anything in addition to internal access control lists when it comes to limiting entry not only to high-level e-mail, but also to network-attached storage (NAS) and Fibre Channel networks. He further maintains that in a company of 1,500 employees, there might typically be five to 10 administrators with executive-level access to information.
Passing on encryption
Encrypting internal data on disk systems is viewed as one viable way of protecting sensitive data, but both Avery and Oltsik say very few companies use this solution.
According to Ralf Saykiewicz, managing partner at XaHertz Consulting, only very large companies, such as Target, Wal-Mart Stores, Accenture and IBM Global Services, practice this strategy. Saykiewicz says that in a multinational company of 15,000 employees, 20 to 30 people at headquarters alone would have high-level data access.
Hanging a price tag on the development of a secure internal IT infrastructure is an inexact science at best, but price tags would likely range from US$100,000 to US$1 million, according to analysts. "I'd probably say you're looking at a million bucks or so," Avery says, pointing to the costs of hardware, software and salaries. Adds Saykiewicz, "I would give you a very ballpark figure of between US$100,000 and a quarter million dollars. You need to put in the consulting time, and you need to put in the software."
In large part, the justification for comprehensive security systems is attributable to the largely unknown number of internal security breaches that are increasingly plaguing companies. Documenting these abuses is difficult because so many of them go unreported out of concern over the negative public relations fallout.
For the first time, the CSI/FBI Computer Crime and Security Survey in 2006 asked 536 respondents to estimate attacks coming from inside an organization versus those from outside. More than one-third (37 percent) of respondents attributed more than 20 percent of their company's losses to insiders. Another 29 percent attributed some share of losses, but less than 20 percent, to the actions of insiders. Only 7 percent of respondents thought that insiders account for more than 80 percent of their organization's losses. Lastly, 32 percent said that insider threats account for none of their cyber losses.
In summary, the report states, "even though most respondents do not see insiders as accounting for most of their organization's cyber losses, a significant number of respondents believe that insiders still account for a substantial portion of losses."