Employee benefits: Stemming the insider threat
Employee benefits: Stemming the insider threat

A smarter worker is a more secure worker, says Theresa Masse, Oregon's CISO. Dan Kaplan reports.

Information security is a challenge across industries, but arguably no vertical has more personally identifiable information to protect than government. In fact, government agencies typically are swimming in the confidential data of the large numbers of taxpayers who they serve. But that's where a delicate balancing act comes into play, because, often, government workers' jobs center on interacting with the public and responding to their requests for information.

“That's why state government is here, to serve the people of the state,” says Theresa Masse, CISO of the state of Oregon. “We want to be helpful. We're here because of their tax dollars. We want to make sure we're giving the highest level of service that we can. [So] people tend to be helpful. [But] it's important to realize that when it comes to confidential information, we have to be careful what we're giving out and who we're giving it to. We have a responsibility to protect that information.”

Masse, 59, who has served as Oregon's security chief for the past seven years, says that because government employees tend to share personal information with citizens more than most organizations do, the threat of an insider-caused breach is ever-present. And with 58,000 employees operating across 110 agencies, boards and commissions, it's easy to understand why Masse views the Beaver State's workforce as the first – and often, last – line of defense against breaches.

And the threat doesn't merely reside in Oregon state employees' handling of sensitive information – such as data related to unemployment or welfare benefits – but also in the possibility that their actions may open the door to an external adversary.

It's not that far-fetched a scenario. In October, hackers raided the bank account for the city of Burlington, Wash., making off with $400,000 after city computers were compromised to steal login credentials. The heist hijacked the direct deposit account information for a large number of municipal employees, and the perpetrators' identities remain unknown.

As such, it takes just one hacked endpoint for a financial disaster to be set in motion. And with attacks becoming more sophisticated and so-called disruptive technologies, like social media, mobile devices and cloud computing, becoming commonplace, attacks that succeed via the mistake of an employee are more of a reality than ever.