Insider threat: It's not just about the malcontent anymore


I sat down recently with Steve Durbin, managing director of the Information Security Forum (ISF), to discuss the threat that insiders pose to organizations and what can be done to stop them.

The insider threat has become top of mind for many IT security pros. The workforce has become more mobile and connected. Most workers have multiple devices, so there are more avenues for compromise of corporate data.

In addition, the information security profession has traditionally focused on securing the corporate perimeter and has not given as much attention to the insider threat. But that is beginning to change as loyalty between employer and employee erodes.

Durbin stressed that the insider threat is not limited to malicious insiders; negligence and accidents account for a growing proportion of incidents. He identified three types of risky insider behavior for enterprises to guard against: malicious, negligent and accidental.

Durbin recommended that enterprises take four key actions to combat all three types of insider threat. First, firms should assess what the insider threat might look like and determine how sensitive information is being handled inside and outside of the organization by third parties.

"When we talk about insiders, it does mean anyone you welcome into your corporate environment. It doesn't necessarily mean physical presence onsite. It could mean you are inviting them into your corporate network because they have a legitimate role to play in terms of providing an outsourcing service or monitoring your network, for instance," he said.

Second, firms should examine what technical and management controls can and should be put in place to safeguard data, such as identity and access management, data loss prevention, event logging, and the ability to wipe mobile devices should they be lost or stolen.

Third, companies should assess who should have access to what information and what privileged access controls should be put in place. "Not everyone needs to have the same level of access," Durbin stressed.

Fourth, while technical and management controls are necessary, they are not sufficient; organizations will also need to foster a culture of trust. "This is about being transparent. It's about being explicit; it's about explaining to people how you are going to deal with data integrity and protection of information," the ISF official related.

"It is about making sure that you have a trust-based culture that says, 'We are providing you with access to sensitive information, these are the terms upon which we are doing it, and this is how we are going to protect that information,'" he explained.

These four actions are about discouraging the malicious insider, reinforcing policies for the negligent, and limiting opportunities for the accidental insider, Durbin concluded.

--Fred, @FierceFred1