CSOs are increasingly worried about their worst nightmare: insider data theft. After all, insiders have legitimate access to the organization's most valuable data.
Despite the screening employees go through, a number (admittedly a minority) are able to wreak havoc. But can insider threats be contained?
No, the acting CISO of Toronto's Public Health department told a panel Wednesday at the SC Congress conference in Toronto.
Yes, a security consultant replied, and it might be easy to do it.
"This type of threat is arguably the least preventable," Jovan Miladinovic of the health agency said, largely because research on insider motivations is scarce, so understanding them is hard.
That's in part because organizations rarely admit there's been a deliberate or accidental insider breach, he said. As a result, all that is available is "vague surveys, anecdotal case studies (and) speculation," he said.
In addition to a wide range of motivations (information gain, money, revenge and patriotism) there's an equally wide range of threat actors. But usually, he said, in addition to opportunity "in most cases a weakness that is linked to erosion of access control."
"Insider threat is not inevitable," replied James Arlen, Hamilton, Ont.-based director of risk advisory services at Leviathan Security Group. "It comes specifically because management causes it ... The harder you squeeze (staff) the more likelihood it is to leak ...
"If you treat staff like adults and forbid all the things you get adults who act like children. If you treat your staff like adults and expect them to do the job they were hired to do, and do it well, they actually will.
"Almost every single case I've been involved in (as a corporate IT pro or consultant) has come down to one of two things: Either earnest employee trying very hard to meet an un-meetable objective, or an employee treated as less than human and wants their piece.
"Solve those two problems and you've solved insider threat."
There are people with "low morals" who steal, Arlen acknowledged, but "plain old people management catches that" and not, he added, IT controls.
In an interview, Miladinovic, who spent years as an IT security consultant before recently joining Toronto Public Health, said risk management is the issue.
Few organizations have the tough access controls on sensitive data needed to cut down on insider threats, he said. "By default you don't give (access) rights. You expand it, but with the active participation of the data owner, because they need to control, not IT."
But there are other factors related to insider threats. Miladinovic used to work for a pharmaceutical company and said he knows of attempts by competitors to recruit or sexually blackmail employees with access to intellectual property data. How, he wondered, does a company defend itself from that?
"Our job (as infosec pros) is to spell out in very simple language (to management) what are the opportunities for data leaks, what are the threats, what are the vulnerabilities and what controls are in place. And we need together to come up with a risk assessment" to help the organization protect data.
CSOs also have to regularly remind staffers about not accessing sensitive data, he added, and limit access to only those who need it.
Finally, think about this: Sometimes it pays to be kind. Arlen recalled an incident at a company where a staffer admitted giving her boyfriend her password, 11 days after awareness training, and that he used the access to stream a lunchtime corporate presentation she was making onto YouTube. It obviously wasn't malicious, so "we thanked her for uncovering a hole in our training and asked her to be our advocate ... Guess what? Nobody shared passwords any more, because she'll jump down their throats days before I will."