Analyst says insider threat mainly down to lack of understanding

News by Steve Gold

"Privileged user management is central to enforcing security policies" says Bob Tarzey, analyst at Quocirca.

Following on from SC's earlier news on IS Decisions' report, which revealed that UK businesses are being hit by more than 1,000 internal security breaches every day, SC spoke to Bob Tarzey, analyst and director of Quocirca, the business research analysis house.

Tarzey, who wrote the foreword to the aforementioned report - in which he said that the day-to-day internal security threats faced by most businesses are not down to malicious behaviour, but the misuse and poor use of IT - argues that the insider threat is primarily about employees' lack of understanding - or even stupidity - when it comes to using IT in a business environment.

"It really comes down to defending IT systems using security policies and ensuring that staff understand those policies," he said, adding that his observations suggest that Privileged User Management (PUM) is central to enforcing those policies.

PUM, he says, is all about setting controls on individual user accounts, and ensuring employees only have access to those facilities that they need to carry out their jobs.

Where Active Directory deployments are involved, he said, you cannot normally control things to this degree, which is where specialist security technologies come into play, as they allow management to tightly control all aspects of employee interactions on a given platform.

"This goes all the way down to simple limitations, such as preventing two logins on a single user ID taking place at the same time," he said.

One of the most interesting features of security systems seen in recent years has been the use of automated warnings sent to users by the security software itself, rather than simply logging a given suspect security incident to management for them to take action.

This was first seen around four years ago when Check Point implemented the 'User Check' technology in its security platform, where management are only alerted to minor employee security errors after a number of automated email warnings - each rising in importance - have been sent to the employee concerned.

The strategy behind the automated warning approach is that users will feel less threatened by a computer warning than they would if their line manager intervened in an action carried out by the employee concerned.

Tarzey says this automated warning approach is one he agrees with, as people will take notice of an automated warning.

"This is something we see with DLP (Data Leak Prevention) systems all the time. Little warnings help a lot. We've seen around 30 to 40 percent of organisations actively deploying DLP technology today," he said.

Guiding employee behaviour, he added, is a good way of avoiding IT mistakes in an organisation, but the more insidious threat is the malicious attack, where a user's actions are clearly intended to harm the organisation.

Tarzey added that the problem with malicious attacks - as compared to mistakes - is that if any employee really wants to do something, they will go ahead and do it - even if the security software attempts to lock down certain aspects of their behaviour.

The good news, he said, is that 99 percent of security problems in most organisations are not down to malicious attacks, but employee misunderstandings.

As Tarzey says in his report foreword, the insider threat can mainly be mitigated with an investment in tools that monitor and, to a certain extent, control users, for their own benefit and for that of the organisation they work for.

