The Honest Truth to Insider Threat Security


25 Apr The Honest Truth to Insider Threat Security


Nobody wants to think they have an insider threat problem. But in any group you have at least one person that’s bound to drag you all down with them. Whether by accident, on purpose, through ignorance, or just bad luck—they will cause some sort of trouble that ends in bad things affecting you all.

If you don’t see that in your group, maybe it’s because it’s you. Kindly pass this guide over to someone else in your group.

The Honest Truth to Insider Threat Security

The honest truth is that you don’t have a problem. But you will. If there’s an inside and someone is in there then there’s an inside threat. The more people you have on the inside and the more ways they have of interacting with other people, especially people outside your group, then the greater your risk of the bad thing happening.

The question is when, not if. Don’t picture me hugging you as I say this.

The honest truth is that science can’t tell you when. At best, security has become a metaphysical thing where we feel and perceive a particular way because of or often despite the reality. We need to feel safe as much as we need to be safe and the insider threat doesn’t feel safe. Ever. If it did then there would not be an overwhelming number of horror movies of a group getting picked off one-by-one.

Society and Trust

The point of a society is trust. Without trust then a society is just a group of people giving each other dirty looks. So we develop this chemical satisfaction through trust that lets us be pretty much okay with each other being around (as long as we look, sound, or act like each other). It’s why social rejection and break-ups hurt for so long because it’s the same jonesing that drug addicts go through. And so it’s the oxytocin high we get in a functioning community or team that can smooth over the cracks or ignore them completely. Because—you know—buzz kill. Just thinking about an insider threat is a buzz kill.

This is tough love. Nobody likes to face that this can happen to their group, their company, or their community. Yet it happens. Science just can’t tell you when it will happen for you. Science can’t even tell you when you have security so don’t expect much from science here.

Science can tell you that insider threats make bad things happen all the time. “ALL” as in I raised my voice when I said it.

The good news is that there’s a lot of other groups out there it could happen to first. And if it does happen to you then you can be sure that you’ve got good coping mechanisms to deal with it. But do you have good enough security to minimize the problem; good forensics to figure out what happened; good incident response to deal with the problem; and good public relations plans to respond to the problem?

Security Culture

Does your company culture reflect the level of security you need? Security culture is not security awareness training. Security culture is like building management where security awareness is like painting a wall.

Does your security consist of a team of security experts or does it consist of making sure all your employees know the security fundamentals? By fundamentals, I mean fundamentals for professionals, which includes knowing where security comes from, knowing how to analyze an attack surface, and being able to match the right operational security controls to the right interactions.

Do you use security technologies for decision making support for your employees? Think of it as 2-factor authentication for people’s decisions—it doesn’t do the decision making for them but it makes sure it stays within the permissive boundaries by catching leaks, mistakes, and various bad ideas from sending each other passwords over e-mail to forgetting to strip metadata from public uploads.

Is anyone in the position where they need the team more than it needs them? It happens. Trust works best if it’s synchronous. When it’s asynchronous it feeds bad ideas of the kind that makes security solutions exist.

Be Prepared

The honest truth is that you are not likely prepared. Because to be really prepared means stepping on the social conventions that make you a good team. It means admitting that your team could develop dangerously deep, only-found-in-Florida type sinkholes, if it hasn’t already. And it means that you can acknowledge that some of the people you’re surrounded by may not really like being there.

Which is why it’s time to start taking action and finding ways to protect what you’ve built even if it means protecting it from the ones who helped build it. Which is a good thing. You can be sure that every one of those people would tell you face-to-face that they also don’t want to see what they helped build be destroyed. Well, if they do want to see it destroyed then there’s your threat. You’re welcome.

Most importantly, don’t pick inaction because of your own illusions. Things are not overall great for everyone.

Insider Attack

The thing is, insider attacks don’t have to be malicious. They could be maliciously ignorant. Or maliciously indifferent. Or maliciously inattentive. Or not them at all—but an outside attacker in guise through manipulation or man-in-the-middle to act with the same permissions as your legitimate team member. All could have the same result.

The honest truth is that insider threat damages are like puberty: you’re not prepared for it, you’ll suffer through it for a long time, and you’re a visibly different person after it.


The opinions expressed in this contributor article are solely those of the author, and do not necessarily reflect those of Fortscale.

About the Author: Pete knows how to solve very complex security problems and then teaches and enables others to do the same. His daily job is as the Managing Director and co-founder of the Institute for Security and Open Methodologies (ISECOM). He specializes in securing the things that nobody has secured before: prototypes, new businesses, processes, and even people. He researches new security paradigms for the Open Source Security Testing Methodology Manual and Hacker Highschool Security Awareness specifically for Teens. He co-created the OPST, OPSA, OWSE, and OPSE security certifications to assure professionals have accurate and efficient security skills and know-how.