Cyber Security – The Insider Threat

I had one of those weird circular chats with my Mum the other day. She totally point blank refuses to use an ATM. Unless she can see the ‘whites of the eyes of the person’, dishing out her cash she won’t use them. ‘Honestly darling, they must get backache in those pokey spaces’. Me: ‘Err Mum, it’s a machine, there is no person getting backache inside it’. Her: ‘Exactly, if I can’t trust a man with no eyes, I am hardly going to trust a machine now am I…’ I think it was oratorical.

If you were at Info’ Security at Earls Court last week, the ‘man in the machine’ was a very real concept. All those experts visiting from Texas, who had many stories of men invading our machines, would have had a marvellous, albeit solipsistic, conversation with my Mum.

Firstly, I hate the terms ‘cyber-threat’ and ‘cyber-security’, even though I have used them in a previous blog. It’s just easier to use the phrase so everyone understands what we’re on about (and frankly, so does Google).

Secondly, I have to get something off my chest… I really am over the scare tactics used by the American security experts (think Daily Mail journalism of fear). Such were the levels of anxiety in the conference rooms, I just wanted to shout ‘BOO’ really, really loudly. Sorry.

It felt at times like we were in Die Hard 4, just waiting for the whole US infrastructure to go offline and bring us to our knees. And naturally they would all cast themselves as John McClane…

There is no doubt that the security threat is a major one for both public and private sectors around the world. Who can forget the big Sony hacking disaster, resulting in the theft of personal data from 100 million customers. The loss of brand credibility, loss of customers and loss of revenue are still being felt by them. And while the internet accounts for 6% of the UK’s GDP (more than agriculture and utilities), cyber-crime now costs the UK economy £27 billion. A year.

Just like me, most folk think it’s never going to happen to them. They also think the majority of cyber threats come from outside, not inside, their organisation. Levels of security investment reflect this. From my notes at Info-Sec, the investment ratios are staggering. While 80% of global organisations invest in security, only 30% of them are investing against the security threat posed by their employees. Meanwhile only 2% of them are spending equally on both.

Is it that the insider threat is therefore the less prevalent threat? I think not. As I have previously documented, it’s because you can’t get stakeholder engagement on the importance of this stuff, so the statistics aren’t reported. According to the Verizon Data Breach Report, only 4% of insider breaches were investigated last year. As the report says, that doesn’t mean it’s not happening.

The threat from within is usually unintentional, but no more benign for that. As organisations get more and more mobile and always ‘on’ with their technology, the threat increases. My husband has been given an iPad, because he apparently needs one for his job (read: senior management toy). It’s great, he brings it home every night and weekend and gives it to our 7-year-old to play games and download his football-related apps. Hmmm.

The technology department tried to lock it out of the corporate network outside working hours, however that went down like a cold cup of sick. So they retreated, leaving the organisation a little wider open to the ever-increasing threat of attack on its networks.

As with anything related to technology and the business, the effective defence against all of this stuff is to really understand how the business currently works and the prevailing culture of the ecosystems within it. It’s not going to be effective to roll out a whole load of technology solutions to guard against attack in isolation from the business. Especially as the business wouldn’t understand what a potential security breach might look like and how they might contribute to it.

And why would they.

There are loads of companies all trying to sell us technology to combat the insider threat. However I wonder if a more holistic educational approach might be more cost effective in the first instance.

If we understood the risk of our children downloading applications to our corporate devices, using Skype, or using non-enterprise file sharing solutions, then we might make an informed choice about how and when we use them in the future. Wouldn’t we?

We in the technology department can partner with HR and Facilities for a softly-softly approach to this as well. For example: integrity checks on new employees, proper induction, pull printing (so sensitive documents don’t lie around on printers), and clear desk policies (for the same reason), to name but a few initiatives. I could go on. (And if you want to hear more about the workshop I do on this, please do get in touch.)

First, though, we should perhaps start with the Service Desk folk. They are often on the front line of enforcing this stuff and have the most day-to-day contact with the business, so they are best placed to keep educating it. Yet they are often not empowered to understand the reasons why governance around this is so important. Sadly they end up with very frustrated customers when they just say ‘No’ because they are told to.

The next time we groan about a senior manager’s personal printer running out of toner, we might be able to empathise, understand the bigger picture, and carry on the holistic education of the business in the bigger security picture. Thereby gradually shifting and reinforcing a new security-conscious culture.

Lastly, I’ll leave you with this thought. My oldest friend works in a highly commercial organisation where hot-desking is the norm for everyone, regardless of stature. She thinks Facilities provides a brilliant service by shredding all paper left on desks at the end of the day. So she never has to tidy her desk ready for the next person to hot-desk. ‘Genius’.

I couldn’t help my wry smile…

Agree? Disagree? Do let me know…


4 Responses to Cyber Security – The Insider Threat

  1. Carolyn says:

    I think you’re right, if you inform people as to the reasons behind certain procedures, they would be more open to accepting them. I had a recent situation at a school (totally non-IT related) where the Head thought parents were “despicable” because they were against the introduction of a 3-form entry, which they were informed about through a one-line letter.
    Had the Head explained to the parents that these children had nowhere else to go, that the birth rates in the borough had escalated to such proportions that there was a huge shortage of places and that unless local schools who had the space opened their doors to these children they wouldn’t be going to school – full stop, parents probably wouldn’t have had a problem with it at all. It’s all about communication and as you say – the bigger picture.

  2. Richard says:

    While you’re considering security, now he has an iPad, perhaps you should get your husband to read this excellent post from a C4 journo about what to do if mugged for your iDevice:

  3. Brian says:

    Partner with HR and Facilities? Hmm. Experience has demonstrated to me that protecting against insider threat relies on other, non-IT related systems being in place, such as (and very importantly) Joiners, Movers and Leavers. However, there’s always the passing of the buck on this one: is it HR’s responsibility? Or is it a technical solution? Would corporate understanding of the risk involved in using things like Skype change the behaviour? I don’t think so, but it would make it possible to make a choice about whether you can accept (and document) that risk.

    Finally (and there’s plenty in your great blog I could waffle on about :) ) – Your friend, she’s absolutely sure that they shred the paper, and don’t read it? :)
