As more stories about Edward Snowden and Snowden copycats emerged in 2014, insider threats continued to grow. In an April survey of IT decision-makers in Europe, only 9 percent of businesses felt safe from insider threats, with 42 percent acknowledging that their privileged users, such as system, database and network administrators, posed the biggest risk to their organization.
A Ponemon Institute survey from May shows that many organizations struggle to adjust to new insider threat challenges. Some specifics:
Add to this trend the growing scope and changing nature of insider threats. Cloud computing, BYOD programs and outsourcing of services have led to more sensitive data in more places with more people having a legitimate role in accessing it.
Meanwhile, there’s a corresponding global debate as to whether external or internal cybersecurity threats pose the greatest enterprise risk. When technology and security leaders are asked whether international hackers or internal staff cause the greatest concern, many now say 50-50.
But I think these debates are largely fruitless. We must take proactive steps to address both. The truth is that there is a third category as well, with outside entities tricking inside users into clicking on links and/or responding to illegitimate email requests for data, thus providing unauthorized access and backdoors into the enterprise.
So what can we do about insider threats as we head into 2015?
First, we must understand the vast scope of the issue. A proper risk assessment will address traditional insider threats like data access controls as well as threats that arise from new technology. For example, new threats can penetrate the enterprise from products like Google Glass or other wearable devices.
Second, most organizations struggle to keep up with the “consumerization of IT.” New Christmas presents regularly challenge enterprise security teams to adapt or die. Policies and procedures often lag behind what people are already doing at work, which means trouble.
For example, four years ago, Michigan Gov. Rick Snyder’s new management team wanted to use iPads, despite policies prohibiting their use. Our security team struggled to get out from in front of that truck, but we eventually adapted by implementing mobile device management.
Last, many organizations still focus only on external threats with network perimeter security. They have few controls to monitor internal data flows, even as outside vendors and internal contractors freely roam through intranet data.
I offer three suggestions on where to start to address insider threats. These tips may seem obvious. Sadly, however, these basic areas are where most organizations get into trouble.
1/ Examine basic access control processes for staff as they come and go. Include network, email, database and system controls for legacy systems. This topic of provisioning and de-provisioning provides the basis to answer the hard question: Who’s supposed to see what data? Ensure processes are followed and covered when internal roles change. Don’t forget contractors and cloud providers. Finally, trust but verify access controls with occasional unannounced checks.
2/ Take another look at acceptable use policies, social media policies and related security controls. Are rules up to date for new technologies? Use appropriate measures like background checks on employees and contractors.
3/ Security teams can build more trust with enterprise staff and verify controls by focusing on the most serious situations using a risk management approach. Share compelling stories and real-world examples with end users in cyberawareness training, newsletters and tips. Offer awareness content that’s brief, relevant, engaging, intriguing and even fun.
A final thought: You want the masses behind your security efforts and helping the team identify the bad apples, but not stifling innovators who make a positive difference.
Steve Jobs once said: Do your best at every job. Success generates more success, so be hungry for it. Hire good people with a passion for excellence.