Speaking in Springfield, Illinois in January 1838, Abraham Lincoln told his audience that the greatest threat to America came not from overseas, but from the enemy within.
“At what point, then, is the approach of danger to be expected?” asked the President. “I answer, if it ever reach us it must spring up amongst us. It cannot come from abroad. If destruction be our lot, we must ourselves be its author and finisher.”
The same might be said of IT security. While most companies pay close attention to the external threats posed by hackers, cybercriminals and the like, they sometimes overlook the fact that the most dangerous threats often come from inside their own firewalls.
I asked Andrew Walls, research director at Gartner, about the challenges posed to organisations by the threat of internal breaches of security by employees. Below is an edited version of his comments.
We often think of IT security teams preventing external sources from gaining unauthorised access into an organisation, but are there potential internal threats too?
Absolutely, and it’s really difficult for IT security teams to anticipate, detect, prevent and contain “friendly fire” by employees that could damage the organisation. This problem exists because employees need access to corporate information, systems and facilities to do their jobs. But this level of access also means they could potentially harm the organisation as they go about their daily tasks. As a result, it can be really difficult for your IT security team to detect inappropriate behavior. To make matters worse, business processes and computer systems are becoming more complex, so it is increasingly difficult to determine if an employee’s activity is good or bad. Put simply, complexity is the enemy of security.
IT systems are also myopic. They only control what they can see and only if they are told how to control an activity. Not so long ago, the only way most employees could get access to networked communication was through corporate infrastructure. Now, most employees have at least two Internet-capable devices of their own (e.g. smartphone and home computer) that access the Internet without corporate oversight. The migration of work processes into the cloud and other environments accessed anytime/anywhere means that the shortcuts and breaches can take place “out there” rather than on internal systems.
What can organisations do to decrease the probability of insider attacks and decrease the impact of those attacks if and when they occur?
There’s no quick fix or simple security strategy because it requires both technical and nontechnical controls. Technical controls focus on data and computer activities, while nontechnical controls focus on human motivations and behavior. Nontechnical controls are critical because many insider attacks do not depend on technology. Theft of documents, photocopying confidential data and voice communications can all be used to damage an organisation. Some nontechnical controls are very effective, however.
Security awareness programs raise the overall level of employee security consciousness, and help to create a culture in which everyone is aware of security threats and the risks they represent. For greatest impact, organisations need to operate their awareness program as an advertising campaign that integrates traditional training with just-in-time guidance delivered over a variety of media, including social media.
Social psychology is also very useful. Humans unconsciously and consciously behave in a more secure fashion when the right stimuli are provided. Overt monitoring of activities and creating work environments that are designed to promote transparency stimulate greater compliance with the expectations of the organisation.
What specific actions should managers take regarding security?
Managers should force transparency within their organisations. Job rotation, segregation of duties, mandatory vacations, regular audits/reviews, periodic employee background checks, and prohibitions against personnel who are working on sensitive applications or in sensitive areas from carrying portable storage and other devices can all inhibit and expose illicit behavior.
A corporate culture that values self-policing and mutual oversight with clear rewards for detection of inappropriate practices integrates security control directly into the employee population. Keep in mind that a single illicit action by an executive that goes unpunished will destroy employee support for security.
What about technical controls?
Technical controls can be extremely effective at detecting and preventing illicit behavior as long as the controls know what to look for. New data loss protection (DLP) systems are content and context-aware and perform deep content inspection using sophisticated detection techniques that extend beyond simple keyword matching. As more business data moves to the cloud, DLP as a service has emerged.
Fraud detection tools identify illicit behavior by comparing user actions to a baseline of acceptable behavior. This technology is widely used in the financial services industry, with credit-issuing companies often employing neural networks to analyse an individual’s transactions.
Security information and event management (SIEM) solutions collect, collate and analyse information from sources throughout the enterprise to develop an accurate picture of activities and detect malfeasance. Monitoring solutions track user behavior inside and outside — such as on Facebook — to identify issues.
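As an added example that is not part of the interview or of any Gartner or vendor product, the Python sketch below shows the baseline comparison Walls describes for fraud detection and SIEM-style correlation: it profiles each user from constructed activity records, then flags later events that deviate from that profile (a resource the user never touched before, a transfer volume far above their norm, off-hours activity, or a user with no baseline at all). All users, log lines and thresholds are constructed assumptions, not real data.

```python
import statistics
from collections import defaultdict
from datetime import datetime
# Constructed sample records (not real data): "ISO timestamp,user,resource,bytes_out"
BASELINE_LOG = """\
2013-05-01T09:12:00,alice,crm,1200
2013-05-02T10:03:00,alice,crm,900
2013-05-03T11:40:00,alice,crm,1500
2013-05-04T14:05:00,alice,wiki,1100
2013-05-01T09:30:00,bob,hr,400
2013-05-02T16:10:00,bob,hr,600
2013-05-03T13:00:00,bob,hr,500
"""
RECENT_LOG = """\
2013-05-10T10:00:00,alice,crm,1300
2013-05-10T23:30:00,alice,finance,250000
2013-05-10T12:00:00,bob,hr,550
2013-05-10T09:00:00,carol,crm,100
"""
def parse(log):
    for line in log.splitlines():
        ts, user, resource, size = line.split(",")
        yield datetime.fromisoformat(ts), user, resource, int(size)

def build_baseline(log):
    """Per-user profile: resources normally touched, mean/stdev of bytes out per event."""
    sizes, resources = defaultdict(list), defaultdict(set)
    for _, user, resource, size in parse(log):
        sizes[user].append(size)
        resources[user].add(resource)
    return {u: {"mean": statistics.mean(v),
                "stdev": statistics.pstdev(v) or 1.0,  # avoid a zero-width band
                "resources": resources[u]} for u, v in sizes.items()}

def score_events(log, profile, z_limit=3.0, work_hours=(8, 19)):
    """Return (user, resource, reasons) for events that deviate from the baseline."""
    findings = []
    for ts, user, resource, size in parse(log):
        p, reasons = profile.get(user), []
        if p is None:
            reasons.append("no baseline for user")
        else:
            if resource not in p["resources"]:
                reasons.append("new resource")
            if (size - p["mean"]) / p["stdev"] > z_limit:
                reasons.append("volume spike")
        if not work_hours[0] <= ts.hour < work_hours[1]:
            reasons.append("outside working hours")
        if reasons:
            findings.append((user, resource, reasons))
    return findings
```

In practice the baseline window would be weeks of real events and the findings would feed a SIEM rather than a list, but the shape of the comparison is the same.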
What else should organisations do to improve security from internal threats?
It’s critical that managers control access. Providing the right access to the right person at the right time is a critical capability for all IT environments.
But nothing is 100 per cent guaranteed to safeguard all of your assets. Preventing ‘friendly fire’ requires constant vigilance and a dynamic approach to technical and nontechnical tools. Humans are both the source of the problem and the solution. As a result, business and technology managers must work together to maintain an effective, integrated approach to motivating correct behavior and catching people when they break the rules.
Andrew Walls is a research director at Gartner. He will discuss IT security at the Gartner Security and Risk Management Summit in Washington, DC June 11-14.