Let me start with the following statement. Internal security is about placing the appropriate security controls to achieve confidentiality, integrity and availability for your organisation's assets. However, most organisations are confused by this philosophy. The principles of confidentiality, integrity and availability are not balanced. Organisations spend huge amounts of investment and resources on security technologies seeking high levels of “availability”, because that’s what service level agreements are built on. Funnily enough, organisations mistakenly treat a focus on “availability” as good security practice, and that is a recipe for disaster.
Let’s take a look at the example of the Australian Bureau of Statistics (ABS), which suffered a so-called Denial of Service attack on its Census website back in August 2016. Thousands of Australians (myself included) were prevented from taking part in the census when the website was overloaded. Attacking “availability” certainly put a dent into this Government-led initiative; it was highly embarrassing and may have placed future online projects, such as online voting, on hold for many years to come. Importantly, the fallout from this Census fiasco has left the Australian public lacking confidence in Government-led initiatives.
Which brings me to the next point. The Red Cross Data Breach happened in October 2016. The personal data of 550,000 blood donors, including their names, gender, date of birth and address, was leaked from the Red Cross Blood Service. This is something that shouldn’t have happened to an organisation like the Red Cross Blood Service, which is responsible for taking care of very sensitive and personally identifiable information, but it did. We are human. We all make mistakes. But leaving sensitive data on a publicly exposed web server is as bad as it gets when it comes to security fumbles. Where are the necessary controls & checks?
The ramifications of the spill of donor data range from identity theft to possible blackmail. Worse still, people could be dissuaded from donating blood if they fear their details won’t be kept safe. A breach of “confidentiality” is serious. Lives are at stake, and many executives of similar organisations that hold very sensitive information just do not understand the ramifications.
What is alarmingly serious is that most organisations do not understand where their key data is, let alone what it is and how sensitive it is. Another recipe for disaster. Yes, digital collaboration is at the heart of every business process – files are created, stored and shared at a rapid pace. But it seems nearly impossible to keep track of who has and needs access to all of this information, and who doesn’t.
Organisations tend to think that their data access is under control, but dig a little deeper and holes start to appear. Most organisations grant access readily, yet revoke it infrequently. So, don’t assume that only the human resources group can see the human resources data, or that an employee who left the company last month had all her permissions revoked. This is rarely the case. Which brings me to my next point. Wells Fargo Bank, the second largest bank in America, deceived over 1.5 million Americans over several years. Imagine paying fees on a ghost account you didn’t even sign up for. The phony accounts earned the bank unwarranted fees and allowed Wells Fargo employees to boost their sales figures and make more money.
The way it worked was that employees moved funds from customers’ existing accounts into newly created ones without their knowledge or consent. The scope of the scandal is shocking. Over 5,300 Wells Fargo employees have been fired. The CEO stepped down. Wells Fargo was slapped with $185 million in fines. And there is plenty of reputation damage to deal with. Let’s be clear: an attack on “integrity” is very difficult to spot. Hidden within the large volume of daily changes are the few that can impact the organisation’s operations and viability. These include unexpected changes to a file’s credentials, privileges or hash value, and changes that cause a configuration’s values, ranges or properties to fall out of alignment with security policy.
Which brings me to my final point. A recent survey conducted by CEB reveals that 90% of employees violate policies designed to prevent data breaches. When convenience and productivity are chosen over security, employees put sensitive data at risk. It’s no surprise to see that employees will often try to work around controls.
The Verizon 2015 Data Breach Incident Report stated that people are behind 90% of all incidents, whether it’s goofing up, getting infected, behaving badly or losing stuff. People are the greatest risk to organisations. Therefore, our focus in protecting our assets has to address confidentiality, integrity and availability in equal measure. But importantly, it must address the user risk. This is not a technology problem but a people problem.
What can you do about it?
Investing in technology to improve security is essential; however, the threat coming from within is about people, not technology.
To achieve the result that you are looking for, you must address insiders’ behaviour. And to address their behaviour positively, you must have a constructive impact on their daily business operations (activities). This can only come from a combination of deterrence messages, education programs and monitoring in real time.
Think of it this way:
Education → Deterrence → Monitoring → Actions → Positive Behaviour
Imagine having a child at home who, either intentionally or accidentally, throws a tennis ball at your window and shatters the glass. I’m certain that you would instantly confront your child with a severe warning. This is the best way to impact a child’s behaviour. It is of absolutely no effect to pull the child aside some three months later to discuss their behaviour over that incident. The child would have completely forgotten that episode. This is what happens in today’s organisations. Insiders violate corporate policies and organisations have no way to deal with it in real time.
Teramind provides a user-centric security approach to monitoring employee behaviour. Administrators can define high-risk activities and get alerted immediately if an employee takes any unwanted action. Additionally, Teramind identifies anomalies in a user’s behaviour compared with their peers across departments, to help pinpoint potential new risks.
Are you looking to start placing appropriate Internal Security Controls in order to mitigate Insider Threats, but not sure where to begin? Are you looking to build a resilient internal eco-system, but not sure how to approach it?
Teramind and CommsNet Group are joining efforts to help educate organisations about best practices for detecting and preventing insider threats. The combination of teaching employees safe IT practices, implementing the correct software, and raising awareness of the consequences of high-risk behaviour proves to be the best method for eliminating both malicious and unintentional data or system exposure.
Boaz Fischer is the Chief Executive Officer of CommsNet Group, a firm that helps organisations improve their internal security practice and resiliency to mitigate insider threats. Boaz has over 20 years’ experience in cyber security. He is the author of two books – The Essential Guide To Information Technology Security Best Practices (2010) and Protecting Your Business from Cyber Attacks In Only 10 Minutes A Day (2015) – as well as over a hundred articles and white papers on security best practices, Trust and Insider Threats. Boaz has also completed certificates with CERT Carnegie Mellon University (Software Engineering Institute) for Insider Threat Program Manager and Insider Threat Vulnerability Assessment. He has deep experience and understanding of human behaviour, being a Master Certified Practitioner in Neuro Linguistic Programming (NLP).