Ask a network manager about security and you can almost be sure their answer will be about protecting against viruses, managing data loss and dealing with misplaced hardware. But now network managers are more aware than ever of the security risk that insider threat poses. That rogue employee, who is on the hunt for confidential information is now as much, if not more, of a security risk as a cyber attack.
Recent revelations that Edward Snowden convinced his colleagues to share passwords with him to gain access to classified files has put insider threat back into the centre of business' security agendas. Using social engineering to gain the passwords for access to other users' accounts is a basic hacker trick, and not one that employees at the NSA should have fallen for. But the practice is far from uncommon; many companies share details regularly without realising the risks it poses.
The problem is most organisations rely on the good will of staff not to share their passwords, with little in the way of education about the risks and responsibilities. Every company has a detailed set of rules about not sharing passwords that are set out in the employee manual. But what happens in reality is if there is a culture of sharing, new recruits will follow suit and happily divulge their details to whoever asks.
It is often the most senior employees with privileged network rights and access who are most likely to expose corporate data by passing passwords around, in order to delegate work, or to share with other senior employees.
In addition, today's mobile workforce, often using their own devices to access the corporate network from any location, only exacerbates this situation by making access control more complex. According to the International Data Corp the mobile workforce will surpass 1.3 billion people by 2015 representing 37.2 percent of the world's overall work force, as more of us make the move from office building to working from home.
For this reason, companies need to clamp down on concurrent users. That way, employees will think twice about sharing details, as they won't be able to get on the system if someone else is logged in too.
By deploying a solution that actively manages concurrent users, organisations can control user access, permitting or denying logins at a certain time, location or device.
To the user, password sharing might seem like an insignificant risk when they have a job to do, and this is not something that can be addressed with technology alone. Users must know the reasons why it is such a risk and the potential consequences, and it is part of the IT department's role to educate them in that. As a naturally security hyper-sensitive organisation, the NSA reportedly took 25 employees off the job for breaking security rules in the Snowden case. To an employee in another organisation who thinks they need to share their password occasionally, this might seem harsh, but the reality is that the sentence matches the crime given the risk these employees exposed.
Technology is key to decreasing internal security threats, but so is user education, so it's important employees understand the risks.
Contributed by Francois Amigorena, CEO of IS Decisions, which works with the FBI, the United Nations and Barclay's to prevent security breaches and ensure security compliance.