When the US National Security Agency contractor and leaker Edward Snowden left his office with four laptops and several thumb drives’ worth of information about the US spy programme PRISM, nobody suspected that his routine action would go down in history as one of the biggest data breaches of the year, if not the decade. This nightmarish episode for the US government raises new questions about the risk that insiders pose to government and corporate cybersecurity, in spite of the attention lavished on external hackers.
Everybody is learning the hard way that everyone has the potential to do harm, including trusted employees. The insider threat to critical information systems is widely viewed as being of the greatest concern in corporate governance and governments around the world today. Global studies reveal that current or former employees and contractors are the second greatest threat to information security, exceeded only by hackers, and that the number of security incidents has increased geometrically in recent years.
In most cases of security breaches today, one can borrow a phrase from the former comic strip character Pogo, who said “We have met the enemy, and he is us.” Nobody wants to believe the truth, but corporate espionage and data leakage via the insider threat are causing huge problems. Many companies either do not have the proper monitoring mechanisms to realise it is happening to them or do not want to admit that it is. For some reason, with many cybercrimes, including the insider threat, victims feel embarrassed and ashamed. They are the victims, they did nothing wrong, but somehow these criminals turn the tables on who is at fault.
People do not like to hear it and employers do not like to admit it, but the biggest threat to a company is its internal employees. Your employees, or anyone with special access (such as a contractor, temporary worker or partner), have more access than an outsider and can therefore cause a lot more damage.
However, most organisations and media still focus on the external threat and pay little attention to the insider threat. This is because the external threat is easier to see and easier to defend against. If an external attacker defaces a web site, it is easy to detect and defend against. It is also difficult to deny because everyone can tell that it happened. However, if an employee makes copies of all of the customer financial history or the organisation’s intellectual property and walks out with it on a USB drive that fits in his or her wallet, it is very difficult to detect and defend against.
Insider threats are by some accounts the most difficult security threats to resolve, because identifying the motives of those behind them can present particular challenges to organisations. Some individuals deliberately try to access proprietary data, while others inadvertently access and even unintentionally distribute sensitive information. This inherently limits the role of technical counter-measures.
Organisations have questions to answer when it comes to insider threats for their information assets before a dramatic breach takes place.
Editor’s note: This post is by Beza Belayneh, CEO/CISO of South African Centre for Information Security. He will deliver a presentation at the inaugural Cloud Computing & Information Security Conference, CCISC, 2013 that will be held in Harare from 24th – 26th July 2013 on insider threats.
His presentation will address key questions and challenges organisations are facing regarding internal threats: What motivates the insider? Who are the malicious insiders? What malicious activities are committed by insiders? What strategies should be deployed for combating inside attacks?