From the Ponemon Institute 2012 Confidential Documents at Risk Study:
“70% of respondents say that employees, contractors or business partners have very frequent or frequent access to sensitive or confidential documents, even though access to this information is not a job or role-related requirement.
59% say their organizations’ controls are ineffective at monitoring employees, contractors or other insiders who access these confidential documents. An even higher percentage (63 percent) do not believe they are effective at assigning privilege to employees, contractors and other insiders whose jobs or roles require access to sensitive or confidential documents.”
It’s called Insider Threat.
A recent Telegraph article highlighted an area that security experts have been talking about for some time: insider threat. It noted the vast year-on-year increase in the level of fines issued by the Information Commissioner’s Office (ICO), from £431k to £1.8m. If this were a private sector business’s turnover, they would be delighted. But it isn’t: each one of the 68 warning notices that this figure represents is a failure by an organisation to safeguard the data it holds. Sometimes that data is client or employee data; sometimes it is that of the general public. In every case it was data that should have had appropriate security around it to ensure its safe management and, when necessary, its destruction, in line with the Data Protection Act.
The temptation is to hang your hat on hackers being responsible for data breaches. Of course, sometimes they are. But sometimes the threat comes from within an organisation or business. This may take the form of a deliberate and malicious act of data theft, possibly for monetary gain (I am thinking about the theft of credit card details, now a cottage industry: http://www.cio.com/article/712741/Project_Monitors_Price_of_Stolen_Credit_Card_Data_in_Real_Time), or it may be a series of errors and lapses in adherence to security policy, or just plain daft behaviour.
When it comes to securing information, everything has to start with a comprehensive grasp of the real risks, and part of that has to be the insider threat. Having a robust security policy with total management buy-in is vital. Testing and reviewing that policy regularly is another must, but if it basically sits on a nice shelf doing nothing but gather dust all year, it is pointless. Getting the policy out into the organisation and educating staff on it is crucial.
If staff recognise that they are part of the problem, and better still part of the solution, then everyone starts to take responsibility for security. This is how it should be, but sadly for too long security has been seen as the responsibility of the IT manager. Of course the IT manager has to be involved, but so does everyone else. IT and technology-based solutions like firewalls will only go so far: if a burglar is already inside your home, a plate steel front door won’t stop the theft. A firewall will not protect a business from someone who downloads thousands of sensitive documents onto a USB stick and then leaves it in a taxi. Wouldn’t it be better to have a policy which states that USB sticks are not permitted, or that encrypted USB sticks are permitted only to appropriate staff members?
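The survey quoted at the top of this piece says most organisations cannot monitor who is reading confidential documents or whether their role justifies it, and the paragraph above describes the pattern a firewall never sees: an insider pulling thousands of documents in one sitting. The following is an added example, not code from the original article or from any product it mentions, showing what that monitoring looks like in practice. It runs three checks over a document-access log: access outside the user's role entitlements, any activity by an account that should have been deprovisioned, and bulk downloads inside a short window. The log format, the role map, the departed-user list and the thresholds are all constructed for illustration.

```python
"""Insider-threat checks over a document access log (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed role map: which document classifications each role may access.
ROLE_ENTITLEMENTS = {
    "finance": {"finance", "public"},
    "engineering": {"design", "public"},
    "contractor": {"public"},
}

# Constructed user -> role assignment (a real deployment would pull this from HR/IdM).
USER_ROLES = {"alice": "finance", "bob": "engineering", "carol": "contractor", "jsmith": "engineering"}

# Constructed list of accounts that should have been disabled on departure.
DEPARTED_USERS = {"jsmith"}

# Constructed log lines: "<ISO timestamp> <user> <READ|DOWNLOAD> <classification> <document>".
_EVENT_LINES = [
    "2012-08-28T09:01:12 alice READ finance Q2-forecast.xlsx",
    "2012-08-28T09:05:40 carol READ design parts-spec-7.pdf",   # contractor reading design docs
    "2012-08-28T09:06:01 carol READ design parts-spec-8.pdf",
    "2012-08-28T22:14:03 jsmith DOWNLOAD design pricing-2013.xlsx",  # departed account still active
]
# bob pulls 25 design documents in 25 minutes: the "thousands of documents onto a
# USB stick" pattern, scaled down so the example stays readable.
_EVENT_LINES += [
    f"2012-08-28T17:{30 + i:02d}:00 bob DOWNLOAD design drawing-{i:03d}.dwg"
    for i in range(25)
]
SAMPLE_LOG = "\n".join(_EVENT_LINES)

LINE_RE = re.compile(r"^(\S+) (\S+) (READ|DOWNLOAD) (\S+) (\S+)$")


def parse_log(text):
    """Parse log text into dicts; malformed or blank lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, action, cls, doc = m.groups()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user, "action": action, "cls": cls, "doc": doc,
        })
    return records


def check_entitlements(records):
    """Flag every access to a classification the user's role is not entitled to.

    An unknown user has no role and therefore no entitlements, so it is flagged too.
    """
    findings = []
    for r in records:
        role = USER_ROLES.get(r["user"])
        if r["cls"] not in ROLE_ENTITLEMENTS.get(role, set()):
            findings.append((r["user"], role, r["cls"], r["doc"]))
    return findings


def check_departed(records):
    """Flag any activity by an account that should already have been disabled."""
    return [(r["user"], r["ts"].isoformat(), r["doc"])
            for r in records if r["user"] in DEPARTED_USERS]


def check_bulk_downloads(records, threshold=20, window=timedelta(hours=1)):
    """Flag users with >= threshold DOWNLOAD events inside any sliding window.

    Returns one finding per user: (user, count, window start). Thresholds are
    constructed; tune them to the organisation's normal volumes.
    """
    per_user = defaultdict(list)
    for r in records:
        if r["action"] == "DOWNLOAD":
            per_user[r["user"]].append(r["ts"])
    findings = []
    for user, times in per_user.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while times[j] < t - window:   # slide the window start forward
                j += 1
            if i - j + 1 >= threshold:
                findings.append((user, i - j + 1, times[j].isoformat()))
                break
    return findings


def run_checks(text=SAMPLE_LOG):
    """Run all three checks and return the findings keyed by check name."""
    records = parse_log(text)
    return {
        "outside_role": check_entitlements(records),
        "departed_account": check_departed(records),
        "bulk_download": check_bulk_downloads(records),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(name, hits)
```

The role check is the technical counterpart of the survey's "assigning privilege" point: it only works if someone maintains the role-to-classification map, which is a policy task, not an IT one. The departed-account check is the cheapest of the three and catches the case where a leaver's credentials keep working.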
Security training is a vital area that needs to be addressed at boardroom level. More and more we are seeing security and security training fall into the facilities management (FM) basket. As this is a growing trend, business needs to address the resources allocated to FMs to ensure that not just the perceived threat of hackers is addressed, but the insider threat as well.
First published in Tomorrows FM (Aug 2012) and reproduced by kind permission of the Editor.
Since the original publication of this article and blog, a serious insider-threat-style data breach has occurred at Toyota. A fired employee managed to gain access to sensitive data (unconfirmed reports say potentially pricing, parts specifications, quality testing and design information); not only did they access and download it, they also sabotaged systems. The story is here: http://www.theregister.co.uk/2012/08/29/toyota_disgruntled_contractor_hack/