Technological advances and changing work environments have forced companies to put a great deal of trust in employees that handle sensitive corporate information. Insider threats to business information are a major concern, as corporate security policies are heavily reliant on employees closely following governance protocols to ensure data remains protected.
Insider threats are not limited to malicious employees seeking financial gain, however, said Information Security Forum (ISF) managing director Steve Durbin. Recent ISF research found that negligence and accidents put insider threat protection at risk and contribute to a growing number of corporate data security incidents. In this Q&A, Durbin discusses the ISF's findings and insider threat protection best practices.
What did ISF research find in relation to insider threats? How have these types of threats evolved in recent years?
Steve Durbin: The malicious insider is the one that, perhaps for financial gain or ideological reasons, is intent on either stealing from or disrupting an organization. But there are two other categories that are, if not as concerning, then probably more so, and [they are] the negligent insider and the accidental insider. The negligent would be somebody who is aware, for instance, of a corporate data security policy: It may be that we have a policy in place that prevents us from sending large files to people outside the corporation, or even inside, using for instance Dropbox. But in trying to do that for the person they are communicating with, they discover that there is a file size limit on the receiving email, so they say 'just this once I'll put it in Dropbox so you can access it.'
That's negligence: that is, knowing that there is a data security policy but taking steps to avoid it, often with the best of interests at heart. And then there is the accidental insider, who for whatever reason makes a mistake and sends the wrong information to somebody who shouldn't have received it. They haven't necessarily gone out of their way to avoid the data security policy, haven't knowingly gone around it, just simply made a mistake. The accidental insider is probably one of the most difficult ones for security departments to address. Talking to our members, we asked them about the incidents that they are seeing, and probably about 30-40% of these sorts of security incidents are caused by the accidental behavior of some of these individuals.
It places much emphasis on the need for communication, awareness, training, all of the things that security departments have really tried to work on and spent no shortage of money on in the past year, but still haven't been able to make a significant impact.
What can organizations do to protect their business data from these types of insider threats?
Durbin: There are a number of stages an organization has to go through. The first is assessing the value of the information that's being handled so that they have a clear understanding of the importance of that information. That's something that they have to do in conjunction with the business; it's not something that security can do on its own. Once you've done that, you can put in place the technical and management controls. Then we move on to the third stage, which is really looking at who is accessing the information and why they need to be accessing it.
None of those are necessarily going to deal with the accidental insider. The fourth stage is really the one where you start to bring trust into the equation. It's about really making explicit to your employees the role they have to play in accessing and preserving the integrity of the information that they are dealing with. That will vary depending on the department you are talking to, depending on the role, but it is about making it very clear what the different responsibilities are from an employee standpoint, and also from an employer perspective.
The stages that I was talking about before where you are assessing the information, putting the controls in place, deciding who needs to access it, are all fundamental to you being able then to have that trust-based interaction with your employees. We're never going to prevent all of the accidents, but by increasing the level of awareness, by making it more explicit where the different responsibilities lie, what you are hoping to do is reduce that number so that people are actually stopping and thinking before they are doing things, rather than just going ahead and acting without that pause for thought.
What types of training have proved most beneficial to insider threat protection, especially to prevent accidents where employees might not know they are doing something wrong?
Durbin: Good practices include running simulations in this area, highlighting some of the incidents that occur and how they might come to be. It comes down to the flow of information, I think, which again is all about trusting people and explaining that these are the sorts of things we are experiencing, here are the root causes of them, and these are the things you need to be aware of.
That flow of information certainly would help. Also, engage better with the business departments so that there is an understanding that these are critical business issues, not just security issues. None of the things we are talking about here are particularly security issues; they are entirely to do with how a business manages its information and how it protects the integrity of that information, and how it ensures that it ends up in the right place at the right time. Clearly, there are some harder elements in there as well. You have to have corporate data security policies, processes and procedures in place that people can refer to, and you need to be enforcing them at all levels of the organization.
We've been hearing for years now that security starts at the top with executive leadership. Do you think enough companies have that security mentality, given the number of data threats that are out there?
Durbin: We've seen a little bit of a change. Certainly there has been recent research from a variety of organizations that have shown that the level of awareness in the C-suite has increased. I'm not aware of any organization today that doesn't operate in some way, shape or form in cyberspace. If that's the case, then cyber has to be on the agenda at the highest level in the organization.
There are all sorts of other reasons, of course -- like increasing legislation and regulation around the way in which we handle information that is particularly sensitive -- that continue to shine the spotlight on the responsibility of the board of directors. There is a very practical element to it: Organizations are waking up to the fact that cyber is a key component to the way they go about doing their business. Perhaps the way in which they are protecting information, communicating with shareholders or customers or suppliers, needs to be refreshed in a cyber-enabled world to make sure the right level of security processes and procedures are in place to guard against inadvertent loss of information, or the theft of what can be very damaging information if it gets into the wrong hands.