If anything, recent attacks have shown that there is no single solution to the complex challenge of being protected against insider threats within an enterprise. However, one major defense against such issues is putting in place prudent policies, with strict limits, about who can access what type of information, in tandem with boosting awareness of security issues throughout an organization.
The first step to doing this, writes Kenneth Corbin for CIO magazine, is for organizations to broaden their understanding of what constitutes an insider threat. In modern times, access to information can extend far beyond the traditional concepts of employee, with the information spreading far and wide beyond a headquarters’, or office’s, four walls.
Insider threats in modern business include contractors, vendors – even volunteers – anyone that has worked around your company data can potentially be an information leak. This extension of the company, beyond the physical business space nullifies, to a large extent, traditional security measures like firewalls and standard intrusion detection.
This is what makes it so difficult to develop an appropriate framework for access and permissions that strikes a balance between security protocols and an increasingly fluid workplace. More employees than ever are working remotely and on a variety of devices. This fact alone portends the need for a much more carefully considered and nuanced approach to where various types of data and applications are housed – and the access that is provided to those that need it.
In many cases, it is not even the traditional insider threat, the disgruntled employee deliberately sabotaging, that springs to mind. For example, one government leak was in no part the intention of the leaker but rather an issue that arose due to the lack of firm policy and training. Taking a USB stick containing data outside the premises and – without thinking properly – uploaded it to an unsecured server where it remained for over two years. In this case, proper training and protocol would have easily prevented the potentially serious exposure.
Fairfax County –where the leak happened– now imposes a tough policy on data users with heavy sanctions for those that break the rules. After an initial training program for a first offense, the penalties increase sharply with the third offense being grounds for termination. Beyond the data access restrictions, the onus has been put back on the data-owners. IT are now merely stewards, with the owner truly responsible for that data. With the risk on the owner, requests by IT for more access are often of a much more cautious nature, operating on a need-to-know basis.
The main message from such an IT policy is that, security is not just an IT issue, and it’s not just a CISO issue. It’s everyone’s business. Security must, and needs to, be embedded into the overall DNA of your organization.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”