Every one of us is an insider. Nor is the category limited to permanent employees: contractors, business partners and auditors are also ‘insiders’.
All of these relationships expose our organisations to the risk that individuals with privileged access to our information and IT networks will breach the trust we extend to them automatically from the moment their engagement begins.
This is one of the top sources of data leakage and theft, and yet addressing it was ranked the second-lowest priority for the information security industry in a survey taken at the 2011 Gartner Security & Risk Management Summit.
Raising awareness of this threat is a sensitive matter, and the threat itself is often poorly understood. It is important to acknowledge that many insider attacks are the result of inadvertent or careless behaviour rather than malice. Equally, some so-called attackers may be the unknowing victims of a malicious colleague who compromises sensitive data through them.
The ISSA(UK) held an intriguing meeting on 8 September 2011, to discuss topics surrounding the Insider Threat. Kindly hosted by PriceWaterhouse Coopers in their elegant new offices by London Bridge, and chaired by Tim Holman (ISSA(UK) President), more than 100 information security professionals enjoyed a number of fascinating presentations.
Such was the interest in the topics that delegates continued the discussion in a local pub after the formal session had ended!
Of particular note was the keynote presentation by Christopher Graham, the Information Commissioner. He described his frustration at the number of data breach reports of even the most basic kind that continue to come across his desk every day.
He noted with some irony that the human factor is often described as the weakest link in the information security story when in fact it is most often missing entirely. He described his strategy of the “Five Es”: users need to be educated, empowered, enabled and engaged, and regulations need to be enforced.
Lisa Banyard from PriceWaterhouse Coopers described her daily regime as a Data Protection Officer, and offered some very practical and effective techniques to encourage users to better care for the information with which they have been entrusted.
She observed, again with some irony, that while CISOs are often granted vast budgets and build enormous teams of specialists, the Data Protection Officer is usually a lonely figure fighting on his or her own for the cause of improved user awareness and compliance.
Martin Smith, Chairman of The Security Company (International) Ltd, spoke passionately about the importance of addressing the human factor. He highlighted the “Chair to Keyboard Interface” as the most vulnerable part of the security regime, and that breaches of trust are often more harmful and harder to prevent than straightforward breaches of security.
The human factor plays a multi-faceted role in combating this persistent threat, because people are often more sensitive to changes in a colleague’s behaviour than the software used to detect suspicious network activity is.
Once inside, employees can misuse their authorised access rights to circumvent technical security measures more efficiently than any external intruder. Educating employees about their personal responsibility to protect the organisation’s data, and reinforcing the consequences of failing to do so, will contribute towards changing behaviour.
With the right level of awareness, your employees can support technical measures and provide a stronger and more cost-effective defence against the insider threat, whether it is intentional or the result of human error.
The ISSA (UK) event was a highly informative meeting and typical of events organised by the ISSA(UK). For more information about the ISSA(UK) and its forthcoming meetings see http://www.issa-uk.org.