The elephant in the room

Gene Fredriksen, SC Magazine
Gene Fredriksen is the Global Information Officer at the Public Service Credit Union (PSCU)

We openly discuss and debate security technologies, but many organizations are reluctant to discuss the people-centric issue of insider threat. We are all aware of it, we inherently know the risk to our company, but yet the topic seems to be taboo in many organizations. Whatever your organization or industry, regardless of size or location, we all face the unpleasant reality that we are vulnerable to an insider attack. In an era of team-building and empowerment, most organizations are hesitant to talk about the insider threat because it means that one of our own trusted employees may steal the lifeblood of the organization. The reality is that regardless of your industry, the size of your organization or the type of business you have, the insider threat is a menacing reality. To compound the issue, job consolidation and downsizing in many organizations has resulted in a broader access to sensitive data by many of our employees. Most organizations are adept at knowing when an outsider attempts to access or steal proprietary data, but how do you sense data theft by an employee with legitimate access?

How prevalent is the issue? According to Forrester Research, insiders represented the top source of breaches over the last 12 months. Indeed, 25 percent of those participating in the study said a malicious insider was the most common way a breach occurred. Let's also acknowledge that insider attackers are likely to cause more damage than external attackers. The Open Security Foundation published data showing that while insiders were responsible for only 19.5 percent of incidents, those incidents were responsible for 66.7 percent of all exposed records.

Organizations need to do their part to deter intellectual property theft. It's time for the tough conversations. Involve all levels of management, HR and legal. Admit the susceptibility of your organization to the insider thereat and develop aggressive plans to guard your organization.

The FBI offers the following advice to get started:

• Educate and regularly train employees on security or other protocols.
• Ensure that proprietary information is adequately, if not robustly, protected.
• Use appropriate screening processes to select new employees.
• Provide non-threatening, convenient ways for employees to report suspicions.
• Routinely monitor computer networks for suspicious activity.
• Ensure security (to include computer network security) personnel have the tools they need.
• Remind employees that reporting security concerns is vital to protecting your company's intellectual property, its reputation, its financial well-being, and its future. They are protecting their own jobs.

At its root, this is a people and cultural issue. We can monitor with technology, but if we hope to fully address this threat we must develop programs that will change the way people think about their obligation to protect company data. Start having the hard conversations with senior management. You will find they are just as concerned with the “elephant in the room,” but may not have known a way to discuss it without violating company culture or seeming like “big brother.”

Further, use external resources to come in and talk about the insider threat. Additionally, take the initiative to help management understand that the insider threat is a pervasive problem that must be addressed. Bring the issue into the light and focus on culture change. The benefits to your organization are very real.

Subscribe to SC Magazine Each issue gives IT Security professionals and business owners knowledge about IT security strategies, best practices, government regulations and current information security tools.