Last year’s data loss debacle at Barclays – arguably the worst breach of its kind – and the payroll data breach at Morrisons, the supermarket chain, highlight the difficulty of safeguarding data, even for organisations with considerable resources.
Clearly, high profile cases involving Chelsea Manning and Edward Snowden have only increased the perceived risks associated with disclosure and improper use of confidential information.
Although the causes of the Barclays and Morrisons breaches are not yet known, they do serve as a stark reminder that when it comes to security “people are the weakest link in all security strategies – whether by intent or human error” (Smith, J. 2013).
Every day, organisations and businesses face myriad security threats. One of the most insidious and perhaps the most difficult to mitigate is an attack from the enemy within: disgruntled current or former employees, contractors, consultants, even volunteers.
And there’s more at risk than data. The recent conjecture about flight MH370 focuses on the pilot and/or co-pilot hijacking the aircraft.
If this was indeed the case, it spotlights one of the aviation industry’s biggest fears: a trusted employee with access to aircraft smuggling weapons or an improvised explosive device (IED) on board.
According to air security expert Philip Baum, such a possibility exists in almost every airport in the world.
It has long been understood that an organisation’s people are its most valuable resource. Entrusted with a higher level of access and privilege than outsiders, employees, contractors, consultants and sometimes volunteers enjoy an understanding of an organisation’s business and operations and legitimate access to its assets.
The rogue employee chooses to abuse that trust and sense of common purpose to access and threaten their organisation’s assets, be they information, personnel or equipment, for personal reasons.
Such insider attacks or insider threats are tougher to spot, prevent or thwart than external threats as the perpetrators are friends and co-workers. Vigilance is all well and good but it’s hardly conducive to strong team spirit if colleagues are encouraged to be mistrustful of one another.
The insider might be an individual or member of a terrorist or extremist group or criminal gang who deliberately sought employment with intent to cause harm. Or it could be an individual who became disgruntled – for example, if they were overlooked for promotion or made redundant. Alternatively, external parties may have persuaded them to cause their organisation harm.
Clearly, the insider has considerable opportunity to cause their host organisation significant harm: not just financial losses but also the loss of assets, intellectual property, personal information, brand reputation, customers and, in the worst scenarios, life.
To strengthen this inherent weakness in the security function, robust policies, procedures and systems are required.
If we are to alleviate the risk we must identify people with the potential to pose an insider threat and understand their potential motives.
The Insider Threat to Business, a security handbook published by the Australian government in 2010, uses the acronym CRIME as a useful aide-memoire in understanding the motives of the enemy within:
- Coercion – being forced or intimidated
- Revenge – for a real or perceived wrong
- Ideology – radicalisation or advancement of an ideological or religious objective
- Money – for illicit financial gain, and/or
- Exhilaration – for the thrill of doing something wrong
However, not every employee with a grievance plans to commit a malicious act against their employer and damaging acts aren’t always deliberate or wilful.
Lack of training, carelessness or negligence often account for ‘accidental’ threats posed by hapless individuals with no axe to grind. Employees often make themselves and their organisation vulnerable by misusing social media.
If an organisation takes security policy seriously during training, the risks would be much reduced, as employees would be aware of the consequences of damaging behaviours.
A personnel security policy defines sensible control measures, the processes and procedures that facilitate the management and minimise the risk of an attack from within.
Caution, it’s all in the security risk assessment
Nowhere are these safeguards more important than in the aviation industry, where the stakes are high and the risk of losing lives is great.
But as dramatic as high profile insider data leaks have been, research suggests that only a small percentage of data breaches involve insiders; 86% emanate from external sources.
And the vast majority of insider-led breaches occur within 30 days of the employee declaring their resignation.
It is, therefore, self-evident that a personnel security policy is only one part of the security picture. As repeatedly proven there is no substitute for adopting solid risk management programmes that address multiple risk factors. To do otherwise could prove a costly mistake.
This article was first published on IFSEC Global at: http://www.ifsecglobal.com/mh370-disaster-morrissons-breach-raise-spectre-insider-threat/