“It’s not about 98% you catch, it’s about the 2% you miss” was the message from Mary Cleary, Deputy CEO of the Irish Computer Society, speaking on Cybersecurity and Insider Threats at the recent European Security Research 2015 conference.
The three-day event in Dublin, hosted by NSAI (National Standards Authority of Ireland), Ireland’s official standards body, was designed for high engagement, linking up European security research with the community of First Responders in emergency and crisis management, cyber-security, experts in Big Data, international organisations, academics, standardisation and policy makers.
Introducing the theme “Cyber Security: What Threats Lies Within, How CEN Should Respond”, Mary explained that an insider threat, as the name suggests, comes from those within an organisation, such as employees, contractors or business associates. All have inside information concerning the organisation’s security practices, data and computer systems. According to a recent US survey of 500 cyber-security professionals, it is in fact managers who pose the greatest insider threat. (Source: CIO Insight Magazine http://www.cioinsight.com/security/slideshows/why-insider-threats-are-inevitable.html)
This is not necessarily down to malicious intent, but rather to privileged users who accidentally expose data, or whose access credentials or computers have been compromised by an outside attacker, again because of ignorance or carelessness. A malicious insider threat to an organisation is a current or former employee, contractor, or other business partner who has or had authorised access to an organisation’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organisation’s information or information systems.
Insider threat motivating factors may include personal factors such as job dissatisfaction, personal vendetta, disgruntlement leading to anger or revenge, or family issues. An organisation can do much to limit these factors, such as by fostering good employer-employee relations and implementing pro-active and positive HR policies.
It’s absolutely critical that organisational factors such as systems security, lack of policies around teleworking and remote access, open networks and lack of education are addressed. Less than half of respondents in the same survey said they had appropriate controls in place to prevent an insider attack.
The rise of the Internet of Things (IoT) continues, with Gartner predicting 4.9 billion connected things in use next year, an increase of 30 per cent from 2014. We can expect that security issues surrounding IoT will also gain traction, because these devices are not inherently secure. Organisations will need to be increasingly concerned with who manages and operates these devices.