The Well-Meaning Insider – Who, Why and How

At a time when many organizations are being bombarded on every side, they sometimes forget about the inside. Because so much has been said about the dangers imposed by malicious outsiders and insiders intent on wreaking havoc and reaping money, the non-malicious insider threat remains somewhat unspoken.
I recently wrote a whitepaper outlining the threat posed by well-meaning insiders. See it here.
The well-meaning insider represents a weak link in the security posture of many organizations and few seem to realize the critical role they play in keeping information safe. A survey of office employees in North America and Europe, for example, found that 78 percent think that their IT department solely holds the responsibility for information confidentiality. To be able to fully protect against threats resulting from such misconceptions, companies must identify who constitutes a risk, as well as why and how they might be a threat. Not all insider risk profiles constitute the same type of threat, so security has to be tailored to their particular characteristics.
Well-meaning insiders fall into the following categories:
- The underminers take the path of least resistance and ignore the spirit of security to make their working lives easier. Creating easy passwords is an example of this. Sharing passwords is another common problem.
- The overly-ambitious employees knowingly take risks to purposefully bypass bureaucratic security processes in order to be more effective in achieving what they think are organizational goals. Encryption, for example, might be overlooked because the employee thinks it’s too cumbersome.
- The socially engineered are those employees, usually in low paid positions at the public facing end of the organization, who are prone to being duped by malicious outsiders into sharing sensitive information or even giving out access codes to systems.
- The data-leakers are the growing cadre of ‘whistleblowers’ who, for various ethical or unethical reasons, leak to the public via social network technology, such as wiki-leaks, information they feel that the public should be informed about.
- The data spillers are employees who have legitimate access to information or databases, but are prone to spill data because of (sometimes routine) organizational practices not checked by lax IT policies. Data spillers may:
  - Accidentally disclose information by losing a laptop or smartphone, or a CD-ROM or USB drive. While such incidents (often unreported) represent a statistical outlier, they do garner much attention—both from other organizations and media outlets.
  - Take data out of the secure environment to use outside the office and not delete it afterwards.
  - Leave data on discarded computers.
  - Not carefully manage data shared with third parties.
  - Send unsecured data through public delivery systems.
  - Not review and update access inventories or email distribution lists.
These problems can be resolved through increased IT intervention and employee education. In both cases, the goal is to preserve both human and technological resources. Demonizing these insiders and treating them as willfully malicious will not improve the situation; it will only cause a loss of talent or a loss of good relations. Training and education, together with a culture of security built on improved and automated IT, will reduce risk and maintain effectiveness.
The well-meaning insider is a different type of problem from the malicious outsider. Both can result in data loss and information breaches, but the motivations and relationships to the company vary widely. Because the industry has focused on outsider threats, many companies are unprepared and even unaware of who may be causing the loss of sensitive information. This issue can be addressed. To get more information on the who, how and why of the well-meaning insider – along with recommendations on how to deal with them effectively – read the whitepaper, Organization Security and the Insider Threat: Malicious, Negligent and Well-Meaning Insiders.
About the Author
David S. Wall (BA, MA, M Phil, PhD, FRSA, AcSS) is Professor of Criminology at Durham University, where he conducts research and teaches in the fields of cybercrime, policing and intellectual property crime. He has published a wide range of articles and books on these subjects, which include, amongst others, Cybercrime: the Transformation of Crime in the Information Age (Polity, 2007).
Symantec helps the House of Lords tackle cyber warfare

Yesterday the House of Lords released its report examining how to protect Europe against large-scale cyber-attacks. The publication of the report follows a committee meeting on the topic last year in which Symantec’s Director of Government Relations EMEA & APJ, Ilias Chantzos, was one of two cyber security experts invited to give evidence.
The report’s findings have been welcomed by Symantec, in particular the recommendation for an EU-wide approach to address cyber-related issues that don’t just affect the UK. Ensuring that industry and government collaborate to address the issues will be crucial to the success of such an initiative.
Commenting on the need for public and private cooperation to tackle cyber warfare, Ilias Chantzos said, “One of the biggest problems with supposed acts of cyber warfare is where and when to use the term. It is very difficult to determine the origin of an internet-based attack, and almost impossible to pinpoint either the identity or motivation of its perpetrators: whether they’re a criminal, an activist or a government agent.
“For security agencies, following the trail of evidence left by alleged cyber warfare operations is made doubly complex by the fact that this evidence typically crosses international jurisdictions. Tackling this requires international co-operation, but the current levels of co-operation between nation states are often not able to police cybercrime, much less track covert activities.”
“Another problem is that government no longer controls most of the critical infrastructure; much of it is under the control of the private sector. It is in the interest of industry and government to better cooperate to tackle these issues.”
The full recommendations from the House of Lords report can be viewed here.
Dominic Cook
How High… How Low: Part 2

… OK, so now the story is that there was some confidential information on the stolen PC – and that it was emailed from an internal account to the one on the PC.
How many times have you emailed something either to or from a personal email account – just because it was convenient? Several times, I suspect. Once again, it didn’t use to be a crime to lose a laptop, but it virtually is now… similarly, no one used to mind (or notice) if email came and went from personal accounts – but that’s all changed. Technology can now be deployed to prevent this type of ‘accident’ from happening – and of course process, procedure and policy should also be changed to prevent it from occurring. Education is once again top of the list. Why is it bad to use ‘public’ email (the data’s in the clear, for one thing!), why should you check the recipients (The Wrong Dave…), why does this keep happening… Time to wise up…
The Wrong Dave

We’ve all done it – a little too quick on the ‘send’ button and the email has gone to the wrong person. Email systems are just trying to be helpful when they predict which email address you want based on the first few letters: ‘d’, ‘a’, ‘v’, {return}, and you have inadvertently selected the incorrect recipient. Usually it doesn’t matter, but in a case this week it did. The consequences in this case are not too great – but imagine it was health information, or credit card details. There is technology out there (and yes, Symantec has some) which looks at the content of an email and can prevent it going outside the organization – or rather, can check whether that is what you really meant to do.
Content-based classification and automated policy management are available today and can solve the problem of ‘the wrong Dave’.
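The kind of outbound check described above, as an added example that is not Symantec's product code: it flags an external recipient whose local-part also exists inside the organization (the autocomplete slip) and confidential-looking content such as a Luhn-valid card number. ORG_DOMAIN, INTERNAL_ADDRESSES and SAMPLE are constructed assumptions.

```python
# Added example (not Symantec's code): an outbound-mail policy check for
# the 'wrong Dave' slip and for confidential content leaving the organization.
# ORG_DOMAIN, INTERNAL_ADDRESSES and SAMPLE are constructed assumptions.
import re
from email import message_from_string

ORG_DOMAIN = "example.com"
INTERNAL_ADDRESSES = {"dave@example.com", "anna@example.com"}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SENSITIVE_WORDS = ("confidential", "patient", "diagnosis")

def luhn_ok(digits):  # Luhn checksum, so arbitrary digit runs do not trip the card rule
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_card_numbers(text):
    return [m.group() for m in CARD_RE.finditer(text)
            if luhn_ok(re.sub(r"\D", "", m.group()))]

def check_outbound(raw):
    """Return 'allow', 'confirm' or 'hold' plus the findings behind it."""
    msg = message_from_string(raw)
    external, suspicious = [], []
    for hdr in ("To", "Cc"):
        for addr in (msg.get(hdr) or "").split(","):
            addr = addr.strip().lower()
            if not addr or addr.endswith("@" + ORG_DOMAIN):
                continue
            external.append(addr)
            # Same local-part as an internal address: likely an autocomplete slip.
            if addr.partition("@")[0] + "@" + ORG_DOMAIN in INTERNAL_ADDRESSES:
                suspicious.append(addr)
    body = msg.get_payload()
    cards = find_card_numbers(body)
    words = [w for w in SENSITIVE_WORDS if w in body.lower()]
    if external and (cards or words):
        decision = "hold"        # sensitive data is about to leave the organization
    elif suspicious:
        decision = "confirm"     # ask the sender whether this is the right Dave
    else:
        decision = "allow"
    return {"decision": decision, "external": external,
            "suspicious": suspicious, "cards": cards, "words": words}

# Constructed message: 4111 1111 1111 1111 is a well-known test card number.
SAMPLE = "From: anna@example.com\nTo: dave@gmail.com\n\nDave, the card on file is 4111 1111 1111 1111. Keep this confidential.\n"
```

Running `check_outbound(SAMPLE)` returns a "hold" decision because the only recipient is both external and a likely wrong Dave; the same message addressed to dave@example.com is allowed.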