July VA Laptop Theft Was an Inside Job: Another Example of the Insider Threat

A subcontractor was charged with stealing the VA laptop in July that contained billing information on 38,000 VA patients

This highlights the importance of ensuring controls exist for all individuals you entrust with access to your information…going beyond your employees, and also doing activities to ensure the business partners to whom you have outsourced data handling of any kind are adequately securing your information.  You also need to ensure they do not then pass your information on to yet another entity without your knowledge and approval.

I talk about the threats and suggested controls for outsourcing in a couple of recent papers, "Addressing the Risks of Outsourcing" and "Security and Privacy Contract Clause Considerations" which I co-wrote with Christopher Grillo.

I’ve had great and interesting discussions with CISOs from many companies, and a significant number of them have experienced information security incidents from the employees to whom they have given authorized access to sensitive information and systems, as well as many incidents with their outsourced business partners, vendors, contractors and so on.  I believe that, even with the majority of states having breach notification laws, most incidents still never get reported.  If the incident was "handled" quickly and the company believes the culprits did not have time to actually do anything with the data, then it does not get reported.

In more than one case the insider doing bad things was a systems security administrator who was unhappy with his or her work situation…not enough pay…not enough respect…no promotion…no recognition…no perceived importance or appreciation… 

Information security and privacy incidents so often result from the actions of trusted insiders…information security and privacy practitioners need to make sure they keep that in mind and expand their scope of concern from just the physical and ether issues and try to inject some human psychology considerations into their information assurance activities.  Information security programs benefit from considering the human factor and recognizing and being aware of the motivations that lead to security incidents.

Technorati Tags

Leave a Reply