written by Simon

Concern about insider threats has been increasing in organizations. Because insiders usually know which information is sensitive for the organization, where the information is, and how to gain access to it, data breaches by insiders such as employees, former employees, contractors, and business associates are more critical than those by outsiders.

A data breach can occur when an insider loses a laptop or sends an email attachment with sensitive documents to the wrong person by mistake. However, an organization can be severely damaged when a malicious insider intentionally targets sensitive information for reasons such as espionage or selling. Insiders can gain access to and deliver information with relative ease.

In 2009, the FBI announced that former Boeing engineer Greg Chung delivered secure documents valued at $2B relating to aerospace technology to the Chinese aerospace industry as a contribution to his homeland over the 30 years he worked for Boeing. This case shows that data breaches by insiders cannot be detected for a long time. Data breaches by insiders, about which we sometimes see news reports, might be only a small part of undetected insider threats.

Some suggest that non-disclosure agreements can keep employees away from wrongdoing, or that trusting employees is better than adopting security solutions that decrease work efficiency. However, once a data breach occurs, the damage cannot easily be recovered through lawsuits. Thus, prevention is best.

Many solutions have been introduced to prevent insider threats. Data Loss Prevention (DLP) solutions analyze data packets to check whether sensitive information is being transferred over the network, and they detect files saved on PCs that contain specific sensitive keywords. Enterprise Data Rights Management (E-DRM) solutions encrypt files in transit and manage users’ rights to copy, print, and screen-capture files. Finally, insider threat prevention solutions analyze insiders’ abnormal behavior using collected data and monitor for the possibility of a threat.

Meanwhile, USB flash drives are still allowed for unavoidable reasons in many organizations. Security-sensitive organizations have introduced so-called ‘secure’ USB flash drives. These allow a user to access the encrypted data on the drive only with the proper password, so they protect against data breaches even when the drive is lost or stolen. U.S. government organizations are required to adopt hardware-encrypted, secure USB flash drives that comply with the Federal Information Processing Standard (FIPS).

However, how can we handle a malicious insider with a USB flash drive? What if a malicious insider puts sensitive information onto an encrypted ‘secure’ USB flash drive, carries it out of the office, decrypts the data, and sells it to competitors?

When it comes to malicious insiders, organizations should use a copy-protected USB flash drive instead of a general secure USB flash drive. A copy-protected USB flash drive allows a user to access the encrypted data only with the proper password, just like an encrypted USB flash drive. Furthermore, an administrator is able to restrict a user’s right to copy, print, screen-capture, and network-transfer files on the drive. Also, what a user does with files on the drive is monitored over the internet. There are two types of copy-protected USB flash drives: 1) business drives, for office files and CAD files, and 2) content-distribution drives, for multimedia files. The first type is the one mainly used for preventing insider threats.

Think about it!

For example, if you adopt encrypted USB flash drives in your hospital and a staff member delivers one of the encrypted ‘secure’ USB flash drives containing Personal Health Information (PHI), along with the password, to an unauthorized person, can you be assured that the ‘secure’ USB flash drive prevented a Health Insurance Portability and Accountability Act (HIPAA) breach?