What to do?
Look at the other forms of insider defense organizations have already deployed in situations where trust alone fails. In particular, look at cash handling.
How do these defenses translate to information handling such as account records? First of all, require better authentication to access information. In this way, everyone knows there is a log of all the information they access. If it ends up stolen, they could be suspect.
This ensures better behavior. Activity monitoring is another way to alert on suspicious behavior. If someone is accessing more than the usual number of records, alarms will be set off and their actions can be investigated.
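The record-count alarm described above can be sketched as follows. This is an added example, not part of the original article; the log line format, the user names, and the threshold rule (a per-user baseline of mean plus three standard deviations, with a fixed cap for accounts that have no history yet) are assumptions.

```python
import statistics
from collections import defaultdict

def daily_counts(log_lines):
    """Distinct records per user per day. Assumed line format: 'YYYY-MM-DD user record_id'."""
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of stopping the monitor
        day, user, record = parts
        seen[(user, day)].add(record)  # repeat views of one record count once
    counts = defaultdict(dict)
    for (user, day), records in seen.items():
        counts[user][day] = len(records)
    return counts

def find_alerts(log_lines, min_history=5, sigmas=3.0, min_margin=5.0, new_user_cap=50):
    """Return (user, day, count, limit) for days above the user's usual volume."""
    alerts = []
    for user, per_day in sorted(daily_counts(log_lines).items()):
        history = []
        for day in sorted(per_day):  # ISO dates sort chronologically
            count = per_day[day]
            if len(history) >= min_history:
                spread = sigmas * statistics.pstdev(history)
                limit = statistics.mean(history) + max(spread, min_margin)
            else:
                limit = float(new_user_cap)  # no baseline yet (e.g. new temporary staff)
            if count > limit:
                alerts.append((user, day, count, round(limit, 1)))
            else:
                history.append(count)  # only normal days feed the baseline
    return alerts

def sample_log():
    """Constructed sample audit log (not real data)."""
    plan = {"alice": [20, 22, 19, 21, 20, 21, 180], "temp01": [0, 0, 0, 0, 0, 4, 150]}
    lines = []
    for user, counts in plan.items():
        for offset, n in enumerate(counts):
            lines += [f"2024-03-{offset + 1:02d} {user} rec{i:04d}" for i in range(n)]
    lines.append("2024-03-07 alice rec0001")  # duplicate access
    lines.append("corrupt line")  # malformed entry
    return lines

if __name__ == "__main__":
    for alert in find_alerts(sample_log()):
        print("ALERT user=%s day=%s records=%d limit=%.1f" % alert)
```

Flagged days are kept out of the baseline so that a sustained bulk pull does not gradually raise the user's own limit.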
Background checks on temporary personnel should focus on establishing their true identities. You should have a process in place for checking those identities for all contract personnel, including cleaning staff, security guards, and clerical staff. They should sign in and sign out every day. Security guards should not have access to the equipment that controls security cameras or to the backup video data.
Finally, there are several technologies that could be employed to reduce the risk of data loss. Leak prevention solutions classify data and monitor the networks to make sure it does not leave the premises. Device management solutions can monitor and control the use of USB devices such as thumb drives or MP3 players.
Thanks to the rise in value and the creation of a market for identities and other information, it has become necessary to look beyond typical cyber-defenses. Infiltration, the invasion of your organization by individuals targeting your information, needs to be countered. But, most importantly, the cost to the attackers must be raised in order to reduce the likelihood of attack.
Richard Stiennon is the former vice president of Threat Research at Webroot Software and now the founder of IT Harvest, an IT security research firm. He is a holder of Gartner's Thought Leadership award for 2003 and was named "One of the 50 Most Powerful People in Networking" by Network World Magazine.