Technology, processes and policies have evolved to counter insider threats in organizations to a large extent, but new-age threats from complacent, inept, ignorant, change-averse teams that work in silos, and from the management apathy that builds such environments, might still jeopardize them.
Following are a couple of definitions of ‘Insider Threat’ from globally well-known and trusted knowledge sources.
(Wikipedia) – “An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization’s security practices, data and computer systems.”
(CERT.org) – “Insiders pose a substantial threat to your organization because they have the knowledge and access to proprietary systems that allow them to bypass security measures through legitimate means.”
Do these definitions cover the entirety of insider threat? Is insider threat limited to insiders with knowledge and access?
Not at all. It’s time that management, particularly the CIOs, CTOs and CISOs, take cognizance of the lurking insider threat that arises not from those “who have inside information”, “malicious intent” or “knowledge and access to proprietary systems”, but from a growing workforce which is “complacent, inept, ignorant, averse to change, working in silos and apathetic to the management”.
“It’s time the CIOs, CTOs, CISOs take cognizance of the lurking insider threat from a growing workforce which is, ‘complacent, inept, ignorant, averse to change, working in silos and apathetic to the management’.”
Lalit, Chacko
GM IT Infrastructure & Security Operations
IBM India
Gone are the days when an individual or group of disgruntled, troublesome employees with malicious intent were the only ones who could compromise or destroy the secure framework of an organization, leading to financial, legal and brand-image losses. Technology, processes and policies have evolved to counter these to a large extent, provided the new-age threats do not jeopardize them.
Complacency
Individuals, both end users and technical resources, should be “aware of as well as embody” recommended best practices against potential threats. A complacent user, aware but not diligent in applying safety controls at the right time, exposes the organization to external threats.
Example: A vulnerability in the Windows Server Message Block (SMB) protocol was discovered by Microsoft, and on Tuesday, March 14, 2017, they issued security bulletin MS17-010, which detailed the flaw and announced that patches had been released for all Windows versions. Still, the WannaCry ransomware attack began on Friday, 12 May 2017, exploiting this vulnerability, and within a day was reported to have infected more than 230,000 computers in over 150 countries (wikipedia.org).
Ineptitude
Skill and knowledge enhancement is critical to efficient and successful delivery, and all the more relevant for an information technology resource, for whom technology “diversity is increasing and life span is getting reduced” at an alarming rate. A resource who has not enhanced his/her skills is operating at a level much below what the role demands and is liable to create a potential threat to the organization in the long run.
Example: In Woburn, MA on June 20, 2017, Kaspersky Lab announced a new “State of Industrial Cybersecurity 2017” survey, which found that over half (54%) of ICS companies interviewed have experienced at least one cyber attack in the last 12 months – with one-in-five (21%) experiencing two incidents in the same time frame.
The top threats that caused incidents were conventional malware and virus outbreaks (53%), then targeted attacks (36%) and, in third place, employee errors/unintentional actions (29%). Human error ranks higher than actors from the supply chain and partners, and sabotage and physical damage by external actors… (usa.kaspersky.com)
Ignorance
Staying updated on trends in the environment in which you operate is a necessity in today’s fast-changing digital world. An organization is at risk if its resources are not aware of market trends in threats and remediation: they may, not willingly but unknowingly, compromise the organization’s information assets.
Teams working in Silos
Information technology teams have diversified into platforms, tools, technologies etc., thereby creating silos of ownership; this often creates gaps in accountability between one team and another. These ownership issues within and between teams are again a source of insider threat, as control measures get dropped and stay hidden in between teams.
Aversion to Change
Organizations and individuals need to constantly invest in new technology, people and processes that are more visionary than those of the market leaders, as today’s market leaders were the visionaries of the past. Rather than a follow-the-leader approach, the call of the hour is to follow the change; this will determine how well the organization is prepared against future threats. Any organization or individual not investing in technology and skills is another source of insider threat.
Management apathy
Leadership teams that tend to ignore the relevance of information security, and that ride the digitization wave with little or no prioritization of information security risks, are another source of insider threat, at the highest level.
Finally
To summarize: while the focus should remain on implementing technology and processes to prevent willful malicious threats that originate from an insider with knowledge and access, it’s more imperative that individuals and leadership invest time and effort to mitigate the insider threat arising from complacent, inept, ignorant, change-averse teams that work in silos, and from the management apathy that builds such environments.