Like it or not, the sad reality is that the insider threat exists in virtually all organizations. Given the right set of circumstances, almost anyone can yield to temptation. In my view it takes a combination of Policies, Awareness, Risk Analysis, Preventative and Detective Safeguards, Audits and Sanctions, as a minimum, to be able to say you have done any kind of due diligence in securing your organization’s information. Take any of the recent daily news stories (as they start to become non-News), such as the Texas baby kidnapping, or the Tampa airline firearms smuggling

The insider threat comes in many different scenarios, some of which may not seem to be insider-related. For example:

  1. Someone who seems normal, but whose home life is just stressful enough that they are open to that “one sure thing” that would help solve their financial problem. All of a sudden the circumstances open up for them, and nobody is watching.
  2. Someone who leaves an organization under difficult circumstances, maybe not even noted as threatening by management. They may have had access to a number of passwords, or knowledge of how the security systems work and how to get around them. They may feel a need for revenge or compensation at a time when they think nobody would take notice (possibly before the whole organization knows they have left).
  3. Someone who has good intentions, but inadvertently helps someone to gain access or information that could allow them to gain access. This is the insider side of the Social Engineering threat.
  4. Even more to the Social Engineering side, an outsider with good knowledge of security procedures within an industry (and maybe even a uniform), such as in the baby kidnapping case, can fool enough people in the organization that a lack of awareness poses an insider threat, since the attack didn’t come through the firewall of the network. It should have been caught on the inside, but wasn’t.

These are just a few examples. Without a complete set of security policies and implementation there are just too many scenarios that you might not think of. A good counter to the insider threat involves a methodical sensitivity or risk analysis that identifies what information, assets or business systems can be compromised, and how much it would impact the organization, its partners, or its customers.

The combination of policy, awareness and other safeguards provides layers that make it more difficult for an insider threat to succeed without being caught. Most of all, if employees or anyone with access knows that the chances of success are slim, and the consequences of being caught are high, the risk becomes much more manageable.

In a strange kind of twist, some people think that their procedures or safeguards are so obscure, nobody would think they could get away with an insider attack. That’s called Security by Obscurity, and it is rarely a good idea on its own. However, there is a balance needed between letting people know the safeguards are there (deterrent safeguards), and keeping the details vague enough that people don’t know where the weakest points are.

As the saying goes, “Trust, but verify”. We all want to trust our employees, but they must know that they are accountable, and it is in the organization’s best interests, and those of its clients, to put the right safeguards in place to monitor and counter insider threats. It shouldn’t be a privacy debate. The company’s assets are its own, and it has an obligation to protect them.