The RSA's chief security architect, Rashmi Knowles, warned the audience at RSA Middle East today of the looming threat of the insider.
While many continue to focus on the bounty of malware that lurks within the filthy corners of the internet, insider threats are becoming the bigger problem, she said.
The major breaches of recent memory had an insider at their heart: Morrison's was breached by a disgruntled employee; the Sony hack cost the entertainment giant much of their credibility at the hands of geopolitical cyber-censors, largely enabled by a sympathetic insider; the hack on Target was carried out through the air-conditioning company working for the big box store.
The Insider is hard to ignore – even if they aren't easy to see.
Insider threats, classified as those insiders “who maliciously or accidentally do things to put an organisation and its data at risk” can be many things and come from many angles. The prevalent suspicion that this risk comes from outside contractors – with unjustified but overlooked access to important parts of a company's network – is wrong.
It's actually the employees that are the biggest threat. Whether through malice or stupidity, “the weakest link in the chain is all of us”.
A recent Verizon data breach study reported that human error was at fault in 66 percent of all breaches. “If you think about an advanced attack, the weapon of choice involves a human being," said Knowles, reminding the audience of the common theft of credentials through phishing and social engineering.
Those kind of mistakes are simple to those in the know, but perhaps less obvious to those for whom cyber-security is not a part of their job description. Educating employees on info security, so often boring, lengthy and of a one-size-fits-all variety, must be made effective by being simple and tailored to the position of employee being taught.
Those with the inclination, the opportunity and enough malice will get through. For the scientifically-minded, this can be put into a basic formula: Higher risk of malicious insider attack = intrinsic factors (like political/religious affiliation) + extrinsic factors (opportunity/access).
Organisations seeking to avoid this all-too pervasive vector can do things to mitigate the threat.
They can, for example, vet their employees using third parties for past religious and political affiliations. They can also rigorously divide data access among employees, making them responsible for the data involved in their job.
Incident response plans must be made, said Knowles, to incorporate the possibility of a malicious insider: “They typically don't exist,” she said.
In the case of a fire drill, all the employees know what to do – similar training must be put in place regarding malicious insider attacks.
Like so much of the field of cyber-security, there is no panacea for the problem of the insider. This “is not just a technology problem”, said Knowles, echoing her bosses keynote speech speech just an hour before. A recalibration is required: “We can't stop everyone – we need to focus on individuals and assessing information.”