Insider Knowledge Threats and Action

We know insider trading is bad – even though we all want the money, knowing that there will be good news before the news becomes public sometimes draws a certain person like a moth to a flame.

[Image: Morgan Stanley insider threat, from slide: http://www.slideshare.net/Identacor/8-nastiest-data-breaches-in-2015]

  • 7. Morgan Stanley insider theft: Morgan Stanley fired an employee who stole the account names, numbers and transaction data on 350,000 clients; the insider crook’s plan was allegedly to sell customers’ data.

What about an IT insider? What kind of damage can be done? The most obvious and recent example is Snowden.

http://www.networkworld.com/article/2903948/security0/what-to-do-when-the-insider-threat-is-it-itself.html

{“When someone you admired, trusted, and invested yourself in ends up embezzling from the company, illegally accessing private emails, or using customer credit card data to buy computer equipment for their home, your incorrectly placed trust in that person will haunt you,” Grimes wrote.}

Performing background checks on people you hire is important.

Or you can look up somebody whose whole life is an open book on the Internet.

http://oversitesentry.com/tonyz/pubhtml/fixvirus/about-us-full-story/

There is a certain aspect of checking on your IT department – making sure it is doing what it is supposed to be doing.

[Image: risk management systems process]

In this process, replace “model the system” with the IT department and “re-evaluate” with a Fixvirus consultant review.

 

Let’s just discuss the concept of testing and reviewing the process and behavior of IT departments and their employees.

What do you think would have happened to a Snowden type of person if they knew they were getting checked on every so often? Continuing to steal information and data would have required more persistence.

This new oversight should allow the business to review and ensure there is no major breach of the data.

Creating controls is at the heart of PCI compliance as well. That is why pentesting is important.

[Image: PCI compliance 11.3]

 

Creating controls on your IT department is important and wise.

 

Here is my previous post on IT governance: http://oversitesentry.com/ngfw-tech-half-battle-in-orgs/