Snowden's forgotten legacy - highlighting insider threat
People have always been a potential security risk. They're renowned for letting sensitive information slip, either knowingly or accidentally.
Despite this, trust is inherent in human nature and necessary in business, including in security. Gartner security analysts illustrated this when speaking to senior IT managers at a London conference earlier this year.
“97 percent of people want to do the right thing so why treat them like the criminals trying to attack us from the outside?” asked Gartner analyst Tom Scholtz.
There have been huge efforts to reduce this risk, not least in business where the loss of sensitive data – financial or personal records or intellectual property – can result in competitive disadvantage, regulatory fines and brand damage.
In the past, businesses have tried to counter this threat via an assortment of first and second-stage interviews, further staff vetting and even polygraph lie-detection tests.
But the emergence of digital information has created a catalogue of new problems for IT teams and their information security counterparts. The avenues for data loss have increased exponentially, and this vast new attack surface has made data an appealing target for disgruntled or opportunistic staff.
Once the worry was physical data - missing files, folders and floppy disks. But now information security professionals have to guard against information that can be passed from person to person in the blink of an eye via email, cloud storage or social media. In the future, information could be captured discreetly with wearable technologies such as Google Glass.
Proactive companies are pushing to tackle the issue; there have been gentle reminders on password advice, new threats pasted on office walls and intranet systems, tightened access controls to sensitive parts of the network and - in some cases - 'gamified' security awareness training schemes and new technology to seek out unusual behaviour.
But Snowden's leaks have shone a spotlight on rogue staff - otherwise known as the 'insider threat'.
Snowden, lest we forget, was a former systems administrator for the CIA and a counter intelligence trainer at the US Defense Intelligence Agency. He went on to work for Dell as a contractor in an NSA outpost in Japan and was at one point thought to be the agency's encryption guru.
Questions have since been asked in the enterprise world: how do you come to trust your employees? And how do you stop data leakage in a world of Snowden, Chelsea Manning and ubiquitous internet connectivity?
Businesses are still working through these problems. A joint study between Vormetric and research outfit Ovum back in April revealed that just nine percent of European organisations felt safe from insider threat, while another from OnePoll and LogRhythm concluded that more than half of end-users have accessed or taken confidential data from their existing company.
But perhaps most worrying of all, the latter study showed that 20 percent of employees had been caught accessing confidential data and yet two-thirds of their bosses simply 'had a word' to tell them that they had done wrong. A substantial one in four (25 percent) said that they received no punishment.
A further 40 percent of people admitted to having used their old passwords and usernames to access information at their previous company.
Technology changes are afoot
Despite Snowden's leaks, few organisations appear to have the right controls in place to monitor the insider threat.
In June, Bit9 + Carbon Black published a survey in which UK IT decision-makers cited disgruntled employees (61 percent) as the third most likely attacker against their organisation, behind hacktivists (86 percent) and cyber-criminals (77 percent), and yet 61 percent of these rated their ability to detect suspicious activity on the network as 'no better than average'.