Well, it's getting attention in the media anyway. Here are a few good write-ups on this topic that I've seen in the past couple of months:
- The Growing Menace of Internal Threats by Fran Howarth on RSA's Speaking of Security
- The Insider Threat is Growing on Help Net Security
- Are Rogue Employees the Biggest Threat to Information Security? on Help Net Security
This increased buzz seems to be fallout from the Target incident, which was (in case you were wondering) an insider breach. If a vendor's employees have authorized access to their customer's network, then they need to be treated as insiders when it comes to assessing risk. And, as with any insider risk, the threat isn't necessarily malicious. It can be the result of negligence, oversight, or innocent cluelessness, which is what I suspect was the case with Target's HVAC vendor.
In any case, it's good to see awareness being raised in the industry about this vital topic. Although, of course, that's not the same thing as effective action being taken. It's easy for outsiders to talk about someone else's insider threat. Just like what I'm doing here in this blog. But once you get inside an organization, everything changes because insider security on your home turf is, by nature, an intensely uncomfortable issue. And on your home turf is where it actually counts.
A very common experience of security teams is that of fruitlessly trying to get their top management to behave in a secure manner. They may get lip service for their suggestions easily enough ("We absolutely have to have strong internal security. Make it so."). But more often than not, that's where it stops. You may succeed in putting an internal security policy in place, and you may even succeed in strictly enforcing it. But only for lower-level staff, which for all intents and purposes means you might as well not have the program at all.
Any security professional who's had to deal with this issue will be nodding vigorously right now. Top execs have things to do, places to go, etc. They're some of the busiest - and very often not the most patient - of individuals. So there will be a security policy: maybe mandatory multifactor authentication on company mobile devices, or no downloading of personal software on company machines, things like that. This slows them down and annoys them to distraction, so the first thing they'll do is opt out of the policy.
An even stickier problem in internal security is big egos, of which I've never found any shortage in the C-suite. This is where the discomfort factor really sets in for the security team. There are those who see security controls as an insult, something that's below them, and if they happen to be the boss, you can forget about getting them to play. "Are you implying that I can't be trusted?" (... "No, of course not Mr. Madoff, I wouldn't dream of implying that.").
A third issue is unhappy employees. If it's true that 2/3 of IT employees are ready to walk out the door, then clearly there's an implication there for internal security. I don't want to start a lengthy discourse on management best practices here, so all I'll say for now is: having happy employees is one of the most powerful security controls you can possibly put in place. And having unhappy employees is not only a major security risk, but a major risk to your organization's viability.
Security in an organization only works when it's led by example from the top. It's just like parents telling their kids not to smoke. If they smoke themselves, good luck with that. Also, security only works when everyone in the organization participates. People will do anything and everything to defeat a security control that inconveniences them, unless they are personally bought into it. To buy in, they have to understand why it's there. How often have you had to deal with a new security policy or control in your work environment, where no explanation was given? How did you feel about that? Did you try to figure out a work-around for yourself?
Effective security is every bit as much about leadership and organizational culture as it is about encryption and authentication. Nowhere is this more true than in dealing with the insider threat. And the C-suite is where organizational culture is generated and the overall tone set ... much more so than the CISO's office. Think about it: where are the company secrets discussed the most? On whose laptops and mobile phones are they stored? Where are spearphishing attacks commonly directed? However, because of the factors noted above, the C-suite is the place where, more often than not, internal security gets swept under the carpet.
So, as a security professional, how do you get your bosses to give you that crucial support? Here's one approach. Ask them to consider which of the following is more costly: (a) changing your procedures and living with some level of inconvenience (noting that just about all security is inconvenient by nature); or (b) dealing with the reputational and financial damage that we've seen result from a major security breach? The negative press coverage, the possible lawsuits, regulatory fines, loss of customer trust, and drop in share prices ... all of which have happened in recent, real-life security breaches.
Awareness is good: it's the first step in making any change, and it looks like that's starting to spread when it comes to the insider threat. To follow through and make change actually happen ... for organizations to get back ahead of the curve on security, every one will have to get outside of its own comfort zone, starting at the top.