More than half the attendees at a cyber-security event produced by the Conference Board of Canada on Wednesday admitted they are not aware of any common way their organization defines an “insider threat,” despite the increased risk they pose to corporate systems and information.
In a series of poll questions that kicked off the two-day event devoted to insider threats, conference chair Dr. Satyamoorthy Kabilan noted that 52 percent of approximately 100 people in the room would struggle to articulate exactly how their employer views the problem, and 50 percent said it was a problem primarily for the CSO, rather than a CIO or someone with a CISO title.
“There may be a complete mismatch for who’s responsible for dealing with insider threats, particularly an IT threat,” he said, adding that CSOs that focus primarily on physical security may need to develop a closer partnership with their peers in the IT department. Another poll showed that 55 percent of those on hand — which included a mixture of public and private-sector executives — have no technology policy in place to address the potential danger, either.
“It really surprises me that IT in particular doesn’t view insider threats as an explicit threat,” he said. “It’s opening the door from the inside and walking out with your data. You’re dealing with a completely different set of parameters than an external threat.”
The Conference Board of Canada launched the event after convening a series of meetings last year with the Centre for National Security, the Council for Security Executives, and its CIO council. It was clear from these discussions, Kabilan said, that insider threats are a growing concern.
As a result, the Conference Board has created its own definition, which is as follows:
An insider threat is any person who has the potential to harm an organization for which they have inside knowledge or access. An insider threat can have a negative impact on any component of an organization, including employee and customer safety, corporate reputation, brand integrity, financial results, business continuity and customer confidence. Examples of insider threat behavior include workplace violence, bullying, corporate espionage, fraud, breach of privacy and theft.
Kabilan acknowledged that this definition is probably broader in scope than what most IT security specialists would have expected. But that’s the point. Too many organizations recognize only rogue employees or former employees who do deliberate damage, and fail to account for a wide set of other scenarios.
“Does (your policy) cover accidental or non-malicious insider threats?” he asked. “Does it cover the contractors? The cleaning staff?”
Though countless security studies have pointed to insider threats, Kabilan said the Conference Board is hoping more business decision makers will develop a more strategic approach to mitigating the risks, because the potential for damage is now arguably greater than ever.
“It’s not like the good old days of Bond movies, where (an insider) would have to steal an entire filing cabinet,” he said. “Now it’s just a case of stealing a USB memory stick, but you haven’t just stolen the filing cabinet. It’s the entire library.”
Does the Conference Board of Canada’s insider threat definition work well for your needs? How would you edit it? Offer your take in the comments below.