The insider threat is back with a bang. Ever since NSA whistleblower Edward Snowden made off with a treasure trove of top secret internal documents organisations across the world have been waking up to the potential damage a 'malicious' employee could cause. Since then we've heard there could have been insider involvement in the massive JP Morgan data breach, and the hack at infidelity site Ashley Madison which may have exposed highly sensitive information on 37 million customers. And closer to home, a Morrison's senior auditor with a grudge was recently jailed for eight years after posting the personal details of 100,000 staff members online.
Why has it taken us this long to get serious about the insider threat? And what can firms do to mitigate it?
Who do you trust?
The truth is that security companies were talking about little else a few years ago. But the message just didn't sink in and their data loss prevention (DLP) products were largely ignored by corporates. But it's not just the technology they didn't have in place, it was the right kind of organisational structure and risk approach. Case in point: I recently met a Salesforce.com CTO, but it wasn't my opposite number. Instead it was the firm's Chief Trust Officer – a role solely designed to safeguard customer data. Salesforce knows that if this gets into the wrong hands, its reputation is toast. Ashley Madison would do well to take note.
Too many CIOs still live in an old-fashioned world where they shield the firm from external baddies on the internet but trust everyone on the company intranet. Why should you be trusted just because you're a member of staff? Because you once passed an HR interview? How do we know your circumstances haven't changed? Recent divorce, gambling debts, psychological problems – they could all cause a person to embark on a radical course of action.
Of course, there are legal and privacy issues here so that in many countries HR couldn't ask such intrusive questions. And even when problems are detected, accidents still happen. In an ideal world, employees should report any seriously disgruntled co-workers who've made threats about hacking or causing IT damage to the company. But this isn't always practical, so we need to look to technology and process.
Locking down risk
The first step for a CIO should be a comprehensive data classification programme. From there you can work out the organisation's risk appetite. Then it's a case of implementing various processes and technologies to limit the risk of high value data being accessed by unauthorised staff. Authentication and access controls are a good start. So many companies today overshare because the message from senior management is all about promoting dynamism and productivity. But this leaves the company exposed to unnecessary risk. So if it's appropriate, reduce the number of roles with escalated privileges down to the bare minimum, and operate a policy of least privilege – where access is only provided if absolutely necessary to an individual's job.
Another, more sympathetic strategy, would be to use Big Aata analytics tools to profile normal behaviour for specific users and roles. These tools will then flag to IT and HR when there are any deviations from the norm. It's vital that CIOs have worked out the right processes to sit behind this set-up so that they know what to do when the alarm rings. This is sensitive stuff. We don't want to damage productivity, or end up being the subject of an employee lawsuit.
It goes without saying that any rules you put in place need to be extended out to the supply chain – the countless contractors, third party providers and partners that few organisations today are without. It's worth remembering, Edward Snowden was a contractor.
IT has a fine balancing act to achieve in mitigating the insider threat. It's important not to be a bottleneck: when IT becomes the 'Department of No' then users either try and find ways of circumventing controls or else go to senior management to complain. This often leads to those same controls being overridden in the name of productivity – and back we go to square one. That's why I'm a big fan of non-intrusive analytics-based tools.
They're not a silver bullet, and there's little that can be done to mitigate the threat of a determined insider. But it might be enough to put them off, or reconsider, their current course of action – and that's often the best we can hope for.
Raimund Genes is of CTO of Trend Micro