A consultant at Bridgewater Associates, the world’s largest hedge fund, is alleged to have stolen IT configuration documents from the firm.
Sankaranarayan Subramanian, from Hamden, CT, emailed sensitive information from his work email account to his personal address on a number of occasions, police said.
Police began investigating the thefts in November 2016, and last Thursday, after a warrant for Subramanian’s arrest was granted, he was taken into custody. He posted a $100,000 bond and is scheduled to appear in court on April 4.
Insider threats are one of the main, if not the biggest, causes of security breaches. After a National Security Agency (NSA) contractor was arrested for stealing highly classified information last year, Assistant Attorney General for National Security John Carlin summarized the dangers of insider threats:
The threat of insiders is real and what can happen is you have amazing defenses to protect your intellectual property and other secrets from those who are trying to obtain them from outside your company’s walls, but you forget sometimes to have a program where you are watching those who you trust.
Subramanian was a third-party consultant, which may have helped in slipping by unnoticed. Why he decided to start stealing information is not yet known, but common motives are financial gain (from selling the information on) or revenge.
Last year, we produced a series of summaries on the New York Stock Exchange’s cybersecurity guide ‘Navigating the Digital Age’, including the chapter on insider threats. It details a wide range of relatively low-cost steps to reduce the risk of insider threats, such as:
- Pre-employment screening. Prospective new employees who pose a threat can be identified through effective background screenings. Most employers don’t conduct background checks after completing the job interview process, but several service providers now offer risk alerts to either the employer or the employer’s background check vendor.
- Employee-oriented safeguards. Improving access controls, password practices, and remote work security can prevent employees gaining access to unauthorized information.
- Employee monitoring. Monitoring software, or data loss prevention (DLP) software, helps detect employee misconduct. However, because of various legislative restrictions, employers should conduct a thorough legal review before implementing any monitoring practices.
‘Like locking your cash register at night’
As well as large-scale changes to the way organizations operate, the National Cyber Security Alliance (NCSA) provides resources and tips to form good cybersecurity habits for everyday use. The NCSA says that, in the same way that businesses lock their cash register at night, they should also:
- Identify the “crown jewels.” Ideally, a company would like to not lose any information at all, but determining the information that would cause the most damage if compromised focuses its security measures on the areas that are most important.
- Protect what’s important. Effective physical and digital security measures are important, such as tougher password requirements and regulated use of remote devices as necessary.
- Detect security problems. Knowing what risks are relevant to your company, and what threats you need to protect against, produces a cybersecurity program specific to your needs.
- Always be prepared. Make sure everyone in the organization upholds the security practices you have in place, make sure new employees are made aware of them, make sure technology stays up to date, and make sure it is adequate to mitigate new threats that may appear.
Training your staff about security issues can mitigate possible insider threats. IT Governance’s Information Security & ISO 27001 Staff Awareness E-learning Course provides an effective way of delivering systematic and consistent training across an organization.
The course provides employees with a better understanding of information security risks and compliance requirements that will help reduce your organization’s risk exposure.