Indeed, it was because of this seeming lack of discussion and resurgence in chatter about scary insider security problems that we asked Lloyd Hession, CSO of BT Radianz, to speak at our own SC Magazine Forum in May. And it was he who crystallized the main reason to be concerned with insider threats more than the attacks launched from the outside by accused hackers like McKinnon.
The story goes something like this: Two men in a forest chance upon a bear. Quickly, one man begins slapping on his sneakers, mindful of his impending sprint. The other man looks at him incredulously, asking, "Why are you doing that? Everyone knows you can’t outrun a bear." The sneaker-clad gent responds, "Yes, I know, but I can outrun you."
The point: To ensure that a company doesn’t become the target of an outside hacker, the information security pro must implement best security practices that really are just challenging enough for cybercriminals to turn on easier prey. According to Hession, it’s all about outrunning one’s competitors to the degree that the bad guys find your systems too much work for the possible return they may get.
This, however, doesn’t really work with your end-users. After all, they and the security problems they may create — whether malicious or not — don’t go away.
And this challenge, says Hession, is only growing as access needs dictated by your business continue to make the network perimeter more porous; infrastructure changes continue evolving, introducing the likes of wireless LANs to your environment; and turnover of personnel increases.
So what to do? Companies must tackle the areas that are overlooked. Conduct background screening and enforce minimum duration vacations, says Hession. To him, it comes down to good security operations and strong HR policies and processes because, in the case of your insiders, a good pair of running shoes will get you nowhere.
Illena Armstrong is editor-in-chief.