By Dr. Guy Bunker @guybunker
I took part in a Tweet Chat earlier this week on the subject of Cyber Security Governance (#ITValue is the tag, should you want to revisit the conversation – or read the summary here).
There was a lot of great discussion around the various factors associated with risk. While it started with the obvious external threats, it soon moved on to the internal ones. One of the comments came from @NickPrescot around quantifying “The Enemy Within”. Tweet Chats are great, but sometimes 140 characters for an answer isn’t enough!
Up until a couple of years ago, it was widely accepted that the biggest cyber-security threats came from outside the organization. Yes, there had been individual cases where an insider had been highlighted – and of course the Manning and Snowden cases were (and are) widely talked about. However, there was no real empirical evidence. Last year, 2013, saw a number of surveys and the one we did appeared to kick it all off. Our survey showed that 58% of cyber threats were now coming from inside the organization rather than outside. This didn’t mean that the number of threats from outside had fallen, just that the number of insider threats was growing.
While there is little difference between the outcomes of an internal vs. and external attack – critical information still ends up where it shouldn’t and the fines and remediation costs are still incurred – there is a major difference when it comes to the people perpetrating the ‘attack’. “The Enemy Within” are not all malicious; far from it. The majority of insider created events are due to mistakes, either by an individual, by a process or a policy. Simple examples entail information being sent to the wrong email address, or an unencrypted laptop being misplaced. Another frequent problem occurs when employees send information to their own email or to cloud storage providers such as DropBox so that they can continue working from home. This is certainly not malicious, but it could cause a breach. Policy can be created to prevent such practices, however it needs to be backed up with technology. Technology which can help educate employees on the policy as well as enforce it whilst being flexible and adaptive to today’s work processes.
Deploying technology – and we’re talking Adaptive Data Loss Prevention (A-DLP) here – will also prevent the malicious insider from stealing information. It will alert the organization to the attempted theft, enabling action to be taken. A-DLP is an example of a security solution that is not just insurance against malicious events, but also provides everyday value.
Quantifying the risk from the insider is not something people like to do, as it is hard to imagine that there are people inside the organization who are potential cyber-criminals. However, by looking at the broader picture with the inadvertent insider risks the organization can find it easier to justify the process and then the solution. As with all risk analyses, there needs to be appropriate measures in place to prevent an over-the-top response. It is not just about risks and consequences, but also about probabilities.
Not all information has equal value to the organization. An understanding of the value, where it is held and who has access to it can help drive an Information Governance programme, reducing risk. When it comes to insider threats, minimizing access to information also minimizes risk – this is not just about ‘need to know’, but ‘really, really need to know’. Is this something that could have stopped Manning and Snowden? Probably not, but the leaks would have been significantly smaller.