Continuing our focus on IT security-related topics in conjunction with National Cyber Security Awareness Month, it makes sense for businesses to stop and “look in the mirror.” While tremendous attention is given to outside security threats such as hackers and advanced persistent threats (APTs), the potential damage that insiders can do is sometimes overlooked. And, according to experts, while the threat may be technological, the solution is at least partly “human.”
For instance, the CERT Division of the Software Engineering Institute at Carnegie Mellon University has recorded more than 700 insider threat cases since it began surveying companies in 2001. And those are just a small minority of the total insider threats. For service providers, the insider threat is not only a matter of protecting operations but also of protecting their business reputation.
According to M. E. Kabay, PhD, a Professor of Computer Information Systems at Norwich University, it is vital to look both at regular, permanent employees and at those hired temporarily. Even outside vendors that have access to facilities or systems need to be scrutinized. As with other kinds of crime, Kabay says there are some people who are inherently honest, some who actively want to cheat the system, and a lot of people in the middle who can be tempted if they think there is no oversight or that controls are lax.
What’s more, he notes, managers need to be mindful of attacks or breaches motivated in part by revenge. For example, an employee who feels underappreciated or undercompensated (not to mention insulted or wronged) may decide to abuse a position of trust, either for gain or simply to cause problems. In short, while MSPs are usually laser-focused on hardware and software security, the human factor also needs to be considered.
Action You Can Take
Although the problem is somewhat diffuse and can be hard to address, the CERT website at Carnegie Mellon lists 19 actions within the Common Sense Guide to Mitigating Insider Threats, 4th Edition, that you and your SMBs can take to mitigate the threat. They range from simply documenting and enforcing policies and controls, or implementing separation of duties and “least privilege,” to putting in place secure backup and recovery processes.
Echoing their broader “see something, say something” campaign, the FBI says when it comes to insider threats, organizations need to:
- Educate and regularly train employees on IT security or other protocols.
- Ensure that proprietary information is adequately, if not robustly, protected.
- Use appropriate screening processes to select new employees.
- Provide non-threatening, convenient ways for employees to report suspicions.
- Routinely monitor computer networks for suspicious activity.
- Ensure security (to include computer network security) personnel have the tools they need.
And, they note, companies should “Remind employees that reporting security concerns is vital to protecting your company’s intellectual property, its reputation, its financial well-being, and its future.”
At the very least, MSPs need to be ready to assure customers that they are doing the most they can to protect data. Although a recent InformationWeek article lauded the security practices of providers, it notes, “Attackers will increasingly focus on finding ways to compromise companies' cloud services to gain access to the valuable data stored in those online systems.”