Insider Threats and How They Can Be Mitigated
Any employee with access to sensitive data is a potential threat, whether they know it or not. Even if they don't have malicious intentions, the inherent nature of their privilege is what makes them so dangerous.
Tue, October 15, 2013
CSO — Any employee with access to sensitive data is a potential threat, whether they know it or not. Even if they don't have malicious intentions, the inherent nature of their privilege is what makes them so dangerous.
Vormetric recently published its 2013 Insider Threat Report exploring the very nature of these dangers while also tallying the results of a survey it conducted over two weeks in August of this year. The numbers, which were tabulated in September, indicated the responses from 707 IT professionals to questions regarding insider threats and they choose to combat them. Needless to say, the pervasive theme of the survey results was that insider threats are a very serious concern to just about everyone.
The respondents were likely fearful, at least in part, due to what they had been hearing about in headline news about data breaches and insider threats, said Vormetric CEO Alan Kessler. He pointed to recent examples in Bradley Manning and Edward Snowden, adding that many businesses are beginning to see these problems themselves.
Vormetric CSO, Sol Cates, meanwhile, said that enterprises are concerned about insider threats because they are realizing that beyond an employee going rogue -- as was the case with Manning and Snowden -- there is the idea of privileged users whose identities are being compromised.
"That's becoming another concern," said Cates, "this idea of unchecked privilege that these companies don't have enough controls around."
The report also indicated what specific types of insiders the respondents perceived to be the biggest threats, with non-technical employees with legitimate access to sensitive data accounting for 51 percent of the vote. Though it may not necessarily seem obvious at first, there are scores of employees that fit the description in question, including employees in HR, who often find themselves needing to interact with personally identifiable information (PII).
"The question is, do you have proper control over how they interact with this information?" asked Kessler. "But the technical aspect of controlling this kind of access is very hard, especially if you're trying to retrofit older systems."
Cates added that executives also fit the bill here, as their jobs are not technical in nature, but they often need access to sensitive information in order to do their job.
"That's the whole point of data and information, to make it usable." said Cates. He did, however, have one suggestion for mitigating such a threat.