Danger within: The inside threat

Every business faces the possibility of external attacks, but another potential threat is on the premises, reports Dan Raywood.

The biggest difference between insider and external threats is that while businesses are often equipped to deal with the latter, they tend to be left wanting when it comes to monitoring and detecting unusual or suspicious employee behavior.

A recent poll of 300 IT decision-makers conducted by UK-based communications security company Clearswift found that 83 percent of respondents experienced a data security incident in the past year. Interestingly, 58 percent of these believed an insider was the culprit, while seven percent laid the blame at the door of former employees.

“Look at the statistics on data loss – only seven percent of it comes from misuse, which could be someone doing something they shouldn't, or theft,” says Chris Cheyne, senior consultant, cyber security division of investment and advisory company Salamanca Group. It is not always about volume, he says. The reality is that while an opportunist might hack into a network and pull data to analyze later and try to sell if they deem it valuable, the insider already has access to what they know is high-value information.

In truth, experts say, the insider threat should be as big a concern for businesses as the threat posed by external hackers, if not bigger, because it is so hard to spot and stop. 

In early June, the whole insider threat concept was blown open with Edward Snowden's revelations about the U.S. government's monitoring campaign and its data-gathering Prism program. Aside from raising questions about the morality of such state surveillance, Snowden – a systems administrator assigned to the National Security Agency by government contractor Booz Allen Hamilton – exposed how powerful one individual could be in the face of the world's biggest superpower, arguably bringing the reputation of his employer crashing down in the process.

The federal government did seem to be aware of such a threat. Last November, President Obama issued a Presidential Memorandum on minimum standards for executive branch insider threat programs, where he authorized the development of programs within departments and agencies to “deter, detect and mitigate actions by employees who may represent a threat to national security.”

The president could not have known what was coming, but the memorandum plainly did nothing to prevent Snowden's disclosures.

Threat to society

Looking at the Clearswift research and the Snowden affair together, it would appear that while insiders pose an enormous threat to organizations, awareness of the task at hand has perhaps never been higher.

James Gosnold, a CSO in the central government business area of Fujitsu in the U.K., believes that businesses have always been paranoid about the insider threat, and says his company has always put stock in managing privileged user activity. “In getting people to look at what is coming out of systems, you can see what the trusted users are doing,” he says. “If anything, episodes like Snowden and WikiLeaks have given me ammunition to reinforce those key messages.”

Gosnold has worked with the U.K. government and claims it is prepared for whistleblower-type scenarios within its secure policy framework and recognizes the importance of trusted users.

He refers to the “security triad” of confidentiality, privacy and integrity when discussing strategies to deal with insiders (the triad is more commonly stated as confidentiality, integrity and availability). The first concept is the most important, he says, and it is vital to have an audit trail of who has accessed what and when. “Security clearances are a key control in government and remain so,” he says.

For Gosnold, minimizing the insider threat is a case of going back to basics by remembering the security principle of separation and segregation of duty. “I have given talks before on having an active security monitoring program, and it is easy to make a case,” he says. “It is not about exceptions and users who fail to access files or logon, or suspicious activity – sometimes you need real people sitting down to look at the ports and pick out unusual activity you might want to question.”
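The audit-trail review Gosnold describes can be given a first pass by a script before a person sits down with the results. The following Python is an added example written for this page, not code from the article, from Fujitsu or from any government program; it runs a constructed privileged-user audit trail through the checks discussed above: access outside a role's expected scope, access outside business hours, a bulk run of out-of-scope reads in one day, and a separation-of-duties breach where the same user both requests and approves a ticket. The log format, user names, role scopes, business hours and thresholds are all assumptions.

```python
"""Score a privileged-user audit trail for events a reviewer should question.

Added illustration for this page; the log format, user names, role scopes,
business hours and thresholds are all assumptions, not taken from the
article, Fujitsu or any real system.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample audit trail (key=value fields after a UTC timestamp).
SAMPLE_LOG = """\
2013-06-03T09:12:01Z user=alice role=sysadmin action=read object=/srv/app/config.yml
2013-06-03T09:15:44Z user=alice role=sysadmin action=read object=/srv/app/logs/app.log
2013-06-03T10:02:10Z user=bob role=finance action=request ticket=PAY-1042
2013-06-03T10:05:30Z user=carol role=finance action=approve ticket=PAY-1042
2013-06-03T11:30:00Z user=bob role=finance action=request ticket=PAY-1043
2013-06-03T11:31:00Z user=bob role=finance action=approve ticket=PAY-1043
2013-06-04T02:41:09Z user=alice role=sysadmin action=read object=/hr/payroll.xlsx
2013-06-04T02:41:15Z user=alice role=sysadmin action=read object=/hr/salaries.csv
2013-06-04T02:41:22Z user=alice role=sysadmin action=read object=/hr/contracts.pdf
2013-06-04T02:41:30Z user=alice role=sysadmin action=read object=/hr/reviews.docx
"""

# Assumed job scopes: the path prefixes each role is expected to touch.
ROLE_SCOPE = {"sysadmin": ("/srv/",), "finance": ("/finance/",)}
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 UTC, assumed
BULK_THRESHOLD = 3              # out-of-scope reads per user per day that count as bulk


def parse_line(line):
    """Turn one audit line into a dict; 'ts' becomes an aware datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_findings(records):
    """Return (kind, user, detail) tuples for events worth a human look."""
    findings = []
    out_of_scope_per_day = Counter()
    ticket_actors = defaultdict(dict)   # ticket -> {action: user}

    for r in records:
        subject = r.get("object") or r.get("ticket")
        # 1. Activity outside normal working hours, whatever it touched.
        if r["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours", r["user"], subject))
        obj = r.get("object")
        if obj is not None:
            # 2. A privileged user reading objects outside their role's scope.
            if not any(obj.startswith(p) for p in ROLE_SCOPE.get(r["role"], ())):
                findings.append(("out_of_scope", r["user"], obj))
                out_of_scope_per_day[(r["user"], r["ts"].date())] += 1
        ticket = r.get("ticket")
        if ticket is not None:
            ticket_actors[ticket][r["action"]] = r["user"]

    # 3. Many out-of-scope reads in one day: the bulk-collection pattern.
    for (user, day), n in out_of_scope_per_day.items():
        if n >= BULK_THRESHOLD:
            findings.append(("bulk_out_of_scope", user, f"{n} reads on {day}"))

    # 4. Separation of duties: the requester of a ticket must not be its approver.
    for ticket, actors in ticket_actors.items():
        if "request" in actors and actors["request"] == actors.get("approve"):
            findings.append(("sod_violation", actors["request"], ticket))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'off_hours': 4, 'out_of_scope': 4, ...}."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    for kind, user, detail in find_findings(parse_log(SAMPLE_LOG)):
        print(f"{kind:18} {user:6} {detail}")
```

On the constructed log this flags the sysadmin's 02:41 run through the HR share four times over (out of scope, off hours, and once as a bulk read) and the finance user who approved their own ticket. That output is a shortlist, not a verdict: as Gosnold says, someone still has to sit down and decide which of these to question.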