Back again, because that insider threat has not gone away…

On Tuesday I started this short Insider Threat series by quickly setting out the threat landscape and realising that protecting yourself from someone who would betray your trust is going to be very difficult. Outsider attacks are easy to understand and defend against. Do you want to protect your network from the internet? Get a firewall. Are you concerned about viruses, malware and ransomware? Get good anti-virus and a ransomware-resilient back-up. (Colwill, 2009)

Do you want to make sure Fred in marketing does not take your customer information with him to his next job? Do we ask Fred if he is going to do that? Do we ask Fred not to do it? HR will probably have a fit if you ask the first question, but it is not unreasonable to ask the second. Remember that the people you trust the most have the potential to do the most harm.

Setting your information landscape

So what do I mean by that?

Here are some of the ways I set the ground rules at our companies (and at client organisations) as an early step in reducing the insider threat.

  • Information is a valuable asset to the organisation; we all have a responsibility to keep it secure and to prevent it being accessed by unauthorised people, both inside and outside the organisation.
  • I explain how we classify and segregate our information so we can make it available only to those who have a work requirement to access it.
  • While accessing our systems and data, people cannot use them for anything but the task they have been authorised for. What we want to avoid are situations like this: Police officer who misused force database to check records dismissed – Bristol Live (bristolpost.co.uk).
  • Our most important – and so most secure – information is available to anyone who requires it for a legitimate job, but it is always managed by a senior member of our team, and both the person using the data and their manager are accountable for the security of that information.
  • Wherever possible, we monitor and log all user interactions with our software and hardware.
  • Your credentials are your own – never share them, or you may be held responsible for someone else’s misdeeds.

What we are looking for is buy-in from the whole team, from the top to the bottom of the organisation. If we are all working on the same side, it may or may not discourage someone from abusing our trust, but with everyone aware it will be much harder for that person to get away with it. (Arsenault, 2022)

You have seen the carrot, now here is the stick

One more thing I always make clear is that in the event of someone misusing, stealing or selling information I am responsible for, I will always take the incident to the police and press for a prosecution under the Data Protection and Computer Misuse legislation.

Next Tuesday I have something different: we are going to look at how you may be helping a threat actor steal money from your company! Don’t worry though, we will be back with the insider threat next Thursday.

Clive Catton MSc (Cyber Security) – by-line and other articles

Further Reading

Part 1 The Insider Threat – the threat landscape and the first steps… – CyberAwake

References

Arsenault, B. (2022). Microsoft publishes report on holistic insider risk management. Microsoft Security Blog. Retrieved 12 October 2022, from https://www.microsoft.com/security/blog/2022/10/06/microsoft-publishes-new-report-on-holistic-insider-risk-management/

Colwill, C. (2009). Human factors in information security: The insider threat – Who can you trust these days? Information Security Technical Report, 14(4), 186-196.