The term insider threat is brandished around quite a lot these days, companies often talk about the weakest link in security being people. I guess they are almost right in what they say, but I can still dream about the world in which people can actually be one of our biggest strengths.
The typical company sees the classic insider threat as that ‘temporary worker’, angry with society and dismayed with their current job prospects. Or even Barry that snappy salesman that has your client list and a past record of upping sticks and finding new employment. This is the problem we currently have. Our perception is all wrong, we are blind to the fact that human emotions can change on the spot and that one malicious or accidental act can see your data shipped out the door via USB’s, Emails, DropBox… even my own perception of how the data is leaving the building is wrong. It’s 2016… people don’t have to do this anymore – you’ve given them access to SalesForce at home, they can screenshot their own mobile device – hell, they could just jump on the VPN whilst on holiday. We’ve made our data so accessible.
The whole situation needs policing. So you might think the actual police would be a good start to look for inspiration. Whilst the readers of this blog might be small businesses unsure of cyber risks, or IT managers that are unable to meet the absolute optimal conditions for safe, trusting staff within their organisations. The police forces in the UK are quite different. They have a rigorous induction process, extensive application covering financial risk, background checks, employment history reviews. If you pass the physical you will then be taught the law to a high standard. Short of the military, it’s about as tough as job applications get! Well, a recent paper on police data breaches seems to suggest that despite this, the typical insider threat risk is actually just as high.
I had the pleasure of speaking to Dan Nesbitt from ‘Big Brother Watch’ about his recent research, the statistics speak for themselves. The police commit 10 data breaches every week and these are only the reported ones.
It’s easy to go down the line of bashing the police, it always seems societies problems are pushed somehow to their feet. On a personal level, I have them to thank for much of the positive changes in my own life. We can still use the data and take from it some key findings.
- The policy isn’t working – Forget that little document you had your new starters glance over before signing. We are talking Policy in general, the police don’t just read a policy, they are formally educated in right and wrong. It has little or no effect on the end result – a human, who wants to do something doesn’t stop to consider a 22-page document. We are passionate people that live in the moment, we are sometimes reckless and we have flaws. Even if we follow the process when something has gone wrong and we wholeheartedly believe in policy, nothing happens. From 2,315 reported police data breaches only 70 (3%) resulted in any kind of criminal conviction – normally a caution. What’s the point of having rules if rule-breakers aren’t penalised?
- We need to change our attitudes to cyber crime fast – Just forget insider threats and the report a second, from recent ONS crime statistics we find that our online criminals face a less than 3% chance of getting prosecuted if they commit an online crime. Although shockingly low, it’s understandable. Encryption, TOR, general access to anonymising tools and a growing sophistication is sure to impact on how many bad guys we catch. But going back to the Big Brother Watch report we find a similar figure for completely logged and tracked police officers. There is no TOR, these people are on the electoral roll and we gave them employee credentials. Why are we no better at policing ourselves than the criminals. Our very attitudes to the seriousness of a data breach are unenthusiastic. We have lost touch with what we are trying to protect, I witness people joking and laughing in boardrooms highly cavalier in regards to the records of our children, employees and communities. It genuinely saddens me.
- It’s time organisations pulled their socks up – Take a look at this, It’s a map of information assurance in the UK. It looks lovely! 85 Organisations all dealing with cyber crime whilst the issues rise year on year. Fiddling as Rome burns. I dread to think which one of these organisations deal with Mrs Jones recent ID theft. Should we give it to In-Action Fraud and let a data input clerk submit that to the algorithm to decide if it’s worth pursuing? Does she ring her local police station to log this and risk having yet more details on a leaking database? People are just so fed up of it now. It’s time we started thinking differently, people need help. I’ve met so many wonderfully clever people capable of helping, yet nothing is going in the right direction.
Rounding this up, I want us to do insider threat differently. I want us to work towards insider protection. Insider Defence. Human Firewalls and the like. People, whilst not perfect are people. We can be patched! We can fix flaws! and don’t listen to the people that tell you otherwise, as they are arrogant and short sighted.
By changing our own behaviours we can collectively work together to make sure our employees are the best they can be at securing our data. If this means calling in a specialist to determine who is not very happy then so be it. If it means cracking down on the malicious people that are hell-bent on damage – good.
It’s just the time we started thinking differently.
Richard De Vere (@AntiSocial_Eng) is the Principal Consultant for The AntiSocial Engineer, he has an extensive background in penetration testing and social engineering assessments, including ‘red team’ exercises and information gathering assessments for financial institutions and some of the UK’s largest companies.