Kingdoms have fallen, and wars have been lost because of betrayal. Although we all desire to foster an atmosphere of trust and dependence on one another within our companies, it would be foolish to underestimate the internal risks with reports and employees in this digital age.
The Case of Bradley Manning
The case of Bradley Manning is an illustrative example of how even the most secure agencies can be compromised from the inside. Private Manning worked as an intelligence analyst in the U.S. Army two years after enlisting in 2007. Then, in 2009, a major leak occurred that disclosed millions of classified documents from the military's databases to the now-famous government leak website, Wikileaks. The identification of the source was unknown until Bradley Manning himself disclosed he was the source to a civilian. The conversations about that activity, and other functions Manning had in the military, were primarily out of boredom and disillusionment with the U.S. Army and its role in the Middle East. That discussion disclosing Manning as the source was then reported by the civilian, and Manning was arrested. He was eventually charged and sentenced to 35 years incarceration in a court martial for his actions releasing intelligence material. However, outgoing President Barack Obama decided to pardon Manning.
That Manning was pardoned or that he committed the damage he did to U.S. intelligence is beside the point. The real takeaway here is that he did not trip any flags during his enlistment, screening, and subsequent assignment to intelligence. And then, without any warning, Manning ends up becoming the source one of the top five most famous intelligence leaks in U.S. military history via the internet.
We all want to think the best of the employees and contractors who support our businesses. As a result, most employee policies are written with the assumption that no action will be taken until a threshold is met of unacceptable behavior. However, companies cannot reasonably operate with blind trust either, especially when managing sensitive data information. As in the case of Manning, it only took one action and one flash drive to walk away with as much as was lost in that case. So companies need to be proactive as well.
Begin with One, Two, Three
There are ways to stop data losses from the inside before they occur without having to be suspicious of good employees. Here are three of them:
1) Modularization of data access is a key defense.
By effectively limiting an employee to only the data area in the network needed to do his or her job, the employee cannot access anything else. This can be done through both network login authorizations, as well as pass-keys to different parts of the office building.
2) Keep logs of large data movements.
By having your network administrators can keep regular records of large data changes, you would be able to highlight issues to look into, such as large data transfers at night or on the weekend when nobody would regularly be working or connecting.
3) Learn to be proactive with training.
Companies can follow up regularly with training to teach employees to notice and proactively warn their superiors when they see something wrong. Employees are typically eager to help in this way because they are seen as part of the company defense to protect it and their own livelihood. This approach focuses on personal investment in the issue, which often gains very strong support in practice.
Again, we assume the best of employees, but we also need to be realistic about how easy damage can occur in the digital age. Practicing both trust and sound IT defense can protect a company far more than just a firewall alone.