If you read the headlines on any given day, you will inevitably run across an article that details a breach of a major company. The details of the breach have a common theme. A user clicked on a link (think of phishing, ransomware and even insider threat – a dropped USB plugged into a laptop/desktop) or the hack came from an insecure configuration within an appliance. The human aspect of these breaches is ever present; whether it be clicking a link or just an employee allowing someone to piggyback into a secured area.
If you recall the Target breach, it was due to a third party plugging into the network with a compromised device; the bad actors were able to pivot from that device and crawl across the entire network. This risk could have been greatly reduced, if not eliminated, had the company not allowed any non-company-issued devices on the network. But that’s hindsight for you…always 20/20.
As security practitioners, what should we worry about? I remember my old boss asking me ‘what keeps you up at night?’ Other than insomnia and indigestion? My immediate response was insider threat. Why? Because I can have ALL the technology protecting us from the evils outside of our perimeter, but what do we have protecting us from ourselves? Annual security training? Phishing campaigns that most users are used to but still end up clicking on? What about monthly in-person training? Employees are engaged for the 30 minutes to an hour you are talking to them, and then go back to their desks and forget everything.
Now, with company emails being delivered to their phones, this is happening more and more. One of the reasons I continue to hear, even after doing phishing campaigns, is ‘I opened it on my phone…that shouldn’t count’. The reality is that the bad guy does not care whether you open it on a phone, laptop, tablet, or desktop. They just want you to click on a link so they can take over your device and, if you are unlucky, your network.
So, what is the answer? There is no silver bullet you can apply to insider threat, only constant vigilance. This could even mean looking at your office culture with an open mind to see whether your employees have lost motivation or become disgruntled. One of the biggest reasons employees lose interest in their work is when leadership has lost interest in them. Do you have one-on-ones with your employees? And if you do, do you listen to their concerns and take appropriate action?
My biggest success has been constantly talking to people and throwing a security tidbit into the conversation. Remember the adage ‘leave them wanting more’? In this case it is the best way to work a security concept into everyday conversation: ‘Want to know more? Let me know and I’ll put something on your calendar.’ Involve managers, supervisors and the C-suite; get to the top level. You will need to spend time away from your desk and get to know people. Tone at the top is vital to success, especially when it comes to security and employees. They will not care if the leadership does not.
When it comes to employees, always remember that less is more. Give them small chunks of information, not a 500-page presentation that takes 3 days to deliver. Inevitably, the human aspect of security should always be at the forefront. Technology is made to protect us from outside threats, and we are great at getting the latest technology to protect ourselves from the latest threat. But are you protecting yourself from an internal one too? My guess is that you are trying, and if you are not, my advice is to start investing time in doing just that.