To defeat the insider threat, will IT have to overstep its bounds?

Dark Reading Staff, Dark Reading

March 5, 2007

5:40 PM -- We've been writing a lot lately about the insider threat, and how it is stirring up new concerns within the enterprise. From massive problems to massive solutions, it's clear that leak prevention and the security of intellectual property have become at least as important as stopping attacks from outsiders. (See Insider Tries to Steal $400 Million at DuPont, Government Targets Insider Threat, and Deep Threat.)

But the issues and technologies that IT is considering for stopping the insider threat are very different from those in the world of perimeter security. Stopping outsiders is a clear-cut problem; unauthorized outsiders have no business on the corporate network. Insiders, on the other hand, are a different story.

To stop the insider threat, you have to restrict access to data. But for the last 10 or 20 years, the entire IT paradigm has been designed to make data more widely available and accessible. For a decade, IT has been encouraging employees to find new ways to use networks and computers to interconnect with each other, with partners, and with business partners. Now even pinging an unauthorized system could get an employee in trouble.

More importantly, there are some "trust" issues to face. To identify potential insider threats, IT must monitor end users' behavior by scanning email, tracking network activity, and even watching employees for "trigger" events that might cause disgruntlement. Right now, I'm working on a story about ways corporations might monitor their employees outside the workplace to determine whether their out-of-office conduct might cause data leaks.

There's a catch-22 developing here. If companies don't do enough control and monitoring of employees and other insiders, they run the risk of losing huge amounts of sensitive data. If they do too much control and monitoring of insiders, they run the risk of inhibiting innovation inside the company -- and losing the trust and loyalty of employees who feel their personal privacy is being violated.

Unlike external threat defense, insider threat prevention is not going to be a practice that's cut and dried. Monitoring the enterprise email system or VPN activity is clearly within IT's purview, but what about monitoring email or IM that takes place over personal accounts on public networks? If I export company data via my AOL account, instead of using the corporate network, do I have the right to expect privacy? If not, how will the enterprise IT department know what I did, unless they're monitoring my personal email?

There are some pretty difficult legal, business, and ethical questions emerging here, and we've only just hit the tip of the iceberg. As individuals begin to rely more and more on personal devices, such as BlackBerries and smartphones, their corporate lives and their personal lives will intersect more frequently than ever. And IT will face increasingly tough questions about what it can legitimately monitor to reduce insider threats -- and what it can't.

Do you want to be seen as Big Brother? Or take a chance that you'll be robbed blind by your own employees? It's a dilemma that many IT departments, sadly, will have to face in the days ahead.

— Tim Wilson, Site Editor, Dark Reading
