How much time do you spend defending against external security threats? Probably a lot, right? But if you’re not as diligent regarding threats from users with legitimate access to your network, you may be setting yourself up for a breach in your own backyard.
Insider threats have proven to be the downfall of one of the U.S. government’s most secretive and presumably secure intelligence agencies. First it was contractor Edward Snowden’s 2013 breach of the National Security Agency and exfiltration of possibly 1.7 million documents, many of which were subsequently leaked.
Then it happened again. In August 2016, former contractor Harold Martin was arrested and charged with possessing terabytes of data lifted from the NSA. And, he may have been illicitly lifting data since the mid-1990s.
Who do you trust?
“The threat of insiders is real and what can happen is you have amazing defenses to protect your intellectual property and other secrets from those who are trying to obtain them from outside your company’s walls, but you forget sometimes to have a program where you are watching those who you trust,” says John Carlin, assistant attorney general for national security.
Many enterprises are woefully unprepared to deal with the insider threat. “Everything we know about defeating the insider threat seems to not be solving the problem,” a report for the Cloud Security Alliance (CSA) bemoans. “Today’s employees work with a number of applications and, [through] a series of clicks, information can be [either] maliciously [or] accidentally leaked.”
A survey underlying the CSA report finds, surprisingly, that over half of respondents think that very little data is being exfiltrated. And close to a third of respondents think that data exfiltration is not happening at all. That confidence is likely unfounded.
Willing to sell passwords
A survey of 1,000 workers, conducted for SailPoint, finds that many employees poorly manage their passwords. This survey also found that 1 in 5 respondents say they’d be willing to sell their password to a third party.
“We will never eliminate the human element or the risks associated with individuals that make bad decisions, either by mistake or for personal gain,” writes Rackspace CSO Brian Kelly.
And it’s not for lack of desire, necessarily. “The impediment for many companies, despite understanding and embracing the challenges and obligations outlined above, is they do not have the skilled and experienced resources available to effectively counter the threats,” Kelly pointed out.
Don’t be complacent
As companies increasingly turn to cloud services, they may be letting down their guard. “Cloud providers typically deploy security controls to protect their environments, but ultimately, organizations are responsible for protecting their own data in the cloud,” InfoWorld noted in a story on cloud security threats.
It is the responsibility of every organization to be proactive and to develop the capabilities to remediate threats as soon as they occur. Begin with the assumption somebody has gained access to the network and is doing something malevolent. If your organization doesn’t have internal resources, it’s time to pull in a service provider that has the expertise to counter a threat before it impacts the business.