CSO are increasingly worried about their worst nightmare — insider data theft. After all, insiders have legitimate access to the organization’s most valuable data.
Despite the screening employees go through, a number — admittedly a minority — are able to wreak havoc. But can insider threats be contained?
No, the acting CISO of Toronto’s Public Health department told a panel Wednesday at the SC Congress conference in Toronto.
Yes, a security consultant replied — and it might be easy to do it.
“This type of threat is arguably the least preventable,” Jovan Miladinovic of the health agency said, largely because research on insider motivations is scarce so understanding them is hard.
That’s in part because organizations rarely admit there’s been a deliberate or accidental insider breaches, he said. As a result all there is are “vague surveys, anecdotal case studies (and) speculation,” he said.
In addition to a wide range of motivations — information gain, money, revenge and patriotism — there’s an equally wide range of threat actors. But usually, he said, in addition to opportunity “in most cases a weakness that is linked to erosion of access control.”
“Insider threat is not inevitable,” replied James Arlen, Hamilton, Ont.-based director of risk advisory services at Leviathan Security Group. “It comes specifically because management causes it .. The harder you squeeze (staff) the more likelihood it is to leak…..”If you treat staff like adults and forbid all the things you get adults who act like children. If you treat your staff like adults and expect them to do the job they were hired to do, and do it well, they actually will.”
“Almost every single case I’ve been involved in (as a corporate IT pro or consultant) has come down to one of two things: Either earnest employee trying very hard to meet an un-meetable objective, or an employee treated as less than human and wants their piece.
“Solve those two problems and you’ve solved insider threat.”
There are people with “low morals” who steal, Arlen acknowledged, but “plain old people management catches that” — and not, he added, IT controls.
In an interview Miladinovic — who spent years as an IT security consultant before recently joining Toronto Public Health — said risk management is the issue.
Few organizations have the tough access controls to sensitive data needed to cut down on insider threats, he said. “By default you don’t give (access) rights. You expand it, but with the active participation of the data owner, because they need to control, not IT.”
But there are other factors related to insider threats. Miladinovic used to work for a pharmaceutical company and said he knows of that attempts by competitors to recruit or sexually blackmail employees with access to intellectual property data. How, he wondered, does a company defend itself from that?
“Our job (as infosec pros) is to spell out in very simple language (to management) what are the opportunities for data leaks, what are the threats, what are the vulnerabilities and what controls are in place. And we need together to come up with a risk assessment” to help the organization protect data.
CSOs also have to regularly remind staffers about not accessing sensitive data, he added, and limit access to only those who need it.
Finally think about this: Sometimes it pays to be kind. Arlen recalled an incident at a company where a staffer admitted giving her boyfriend her password — 11 days after awareness training — and that he used the access to stream a lunchtime corporate presentation she was making onto YouTube. It obviously wasn’t malicious, so “we thanked her for uncovering a hole in our training and asked her to be our advocate … Guess what? Nobody shared passwords any more, because she’ll jump down their throats days before I will.”