Enterprise Ban Suggested on Storage Devices Like iPods Until Enforcement Policies Developed

Rogue employees increasingly turn to "Pocket Fraud" to transparently download confidential customer data and intellectual property, says company.


NextSentry has launched a PR campaign suggesting that "Pocket Fraud™" (a term the company has apparently trademarked) is quickly becoming the methodology of choice for employees with legitimate access credentials to download confidential customer data and intellectual property for profit or personal gain. Since the start-up launched in June 2006, NextSentry has seen employees increasingly confident in using traditional removable storage devices like memory sticks and CDs to improperly extract data from the enterprise with tools that fit in their pocket. However, the company now believes that the use of iPods for "Pod Slurping," MP3s, and even digital cameras with massive storage capacities will become the biggest Pocket Fraud assets for internal theft from rogue employees. As a result, NextSentry suggests corporations prohibit employees from using such devices until proper policy enforcement capabilities are in place in order to prevent data leaks.

According to NextSentry, mass storage devices like iPods, MP3s, and memory sticks are finding a place in the enterprise either to make employees happy or to increase productivity. For example, according to an article by Anjali Athavaley in the October 25, 2006 issue of the Wall Street Journal, "National Semiconductor Corp., a chip manufacturer in Santa Clara, Calif., spent $2.5 million on video iPods for its 8,500 employees, including those overseas, for training purposes and company announcements. At Capital One Financial Corp., a financial-services company based in McLean, Va., more than 3,000 employees have received iPods since the company began using them in supplementary training classes. Siemens AG unit Siemens Medical Solutions, a health-care supplier based in Malvern, Pa., purchased about 100 iPods for its molecular-imaging group last year for training and sales support."

With the average Word document running 25K to 30K, a 20GB iPod could hold more than 750,000 documents, which NextSentry believes should cause alarm for any company concerned about insider threats.

Through its transparent client that runs on the desktops of employees, NextSentry is increasingly catching forms of "Pocket Fraud" conducted by trusted employees who attempt to extract data before they exit the company, to sell for profit, or to simply transfer to personal PCs to work at home. With most employees recognizing that email is often monitored, and almost always recorded, NextSentry more frequently catches trusted employees misusing critical channels like printing, Web, instant messaging and traditional mass storage devices to leak confidential data to the outside world. However, the company believes removable media, especially iPods and MP3s, will quickly become the Pocket Fraud tool of choice.

In addition to proactive policy education, NextSentry believes proper policy enforcement to prevent Pocket Fraud requires monitoring data leak activities taking place on the desktop. This includes being able to enforce the wholesale shutdown of unauthorized iPods or removable media in the enterprise, or ensuring that only those with legitimate business needs have access to such devices. Enforcing policies for legitimate users requires the ability to understand the context of a user's actions, to monitor moving data, and to quickly block and log activity deemed unacceptable according to an organization's security policy.

"Many employees enjoy listening to their iPods at work, but companies can't afford this luxury at the expense of leaking valuable customer data or intellectual property into the hands of criminals or competitors," said Jim Hereford, CEO of NextSentry. "If you don't have proper policy enforcement capabilities in place to monitor the desktop and all removable media, even the CEO who loves their iPod could be stealing millions of dollars worth of data right underneath the chief security officer's nose."

The Insider Threat -- It's Real and It's Serious
According to Ernst & Young, "...an insider attack against a large company causes an average of $2.7 million in damages." Yet in the financial services industry for example, "ninety percent of the money spent by banks on vendor-built fraud detection solutions is focused on detecting and mitigating external fraud, signaling an important overlook to the growing threat of internal security breaches," according to Aite Group.

With the National Fraud Survey putting estimates on internal attacks against U.S. businesses at $400 billion per year, NextSentry believes there is an overall collective lack of accountability amongst trusted employees endowed with the power, authority and access credentials to leak corporate data, whether it be malicious or by accident. While companies have well-defined written policies in place, these policies rely on the end-user to employ them and they're not easy to enforce, especially for employees who have malicious intent.

Hereford continued, "Regardless if companies have spent millions of dollars on network security, encryption, malware, and authentication -- employees can still walk out the door with credit card numbers, social security numbers, and critical intellectual property on devices that fit in their pocket. The scary part is that it doesn't take a thug, felon or a terrorist, it's the inconspicuous employee working in absolute transparency at the desktop."

Many enterprises have turned to data encryption and digital rights management technologies, but NextSentry believes these solutions don't go far enough to prevent insider threats from trusted employees. While affording some protection in cases where data falls into the hands of an outsider, these technologies continue to rely on the end-user and an implicit trust model to enforce protection.

"The low percentage of IT spending on internal fraud detection does not accurately reflect the seriousness of the insider threat," said Christine Barry, research director with Aite Group. "Banks and many enterprises are addressing the problem by implementing new processes and better training for employees. However, today's security policies are often insufficiently addressing the problem. Technology is certainly being under-utilized."

------
Photo by Estyzesty.