It feels like I’ve been writing a lot about the insider threat lately, but then again, it seems I read about a new incident caused by insiders almost daily. So much time, effort and money is spent on keeping outsiders from getting to systems and data, but comparatively little is spent on addressing, and trying to prevent, the bad things insiders can do. Folks who are trusted and have authorized access can do so much harm. The technologies focusing on the outsiders are not going to do much to protect your information from insiders.
Another recent example of an insider doing bad things was the subcontractor who physically damaged a computer aboard the space shuttle Endeavour.
The unnamed subcontractor cut computer wires in the shuttle, and also cut wire in a computer on the ground at the NASA facilities. While NASA indicated the damage would not have put the shuttle or astronauts in danger, it is still troubling. What is even more puzzling is that the subcontractor notified NASA about the damage he or she did. What psychological motive was there in doing this damage? Perhaps vengeance followed by guilt? Probably something completely off the radar.
That is the great challenge of addressing the insider threat. The psychological motive is so hard to know; a completely unforeseen event can trigger an insider to do something bad.
This makes training and awareness that much more important. Technology alone cannot detect and prevent the bad things that trusted insiders can do. You need to enlist the eyes and ears of all your personnel so everyone will know the signs and red flags that could indicate someone is doing, or is planning to do, something bad. You also need to instill in trusted personnel the reasons why they must follow policies, and what the consequences will be for noncompliance. Just knowing that someone is watching will deter some of those prone to doing bad things from following through with those actions.