Right now the headlines in the security world are on fire with hacks and breaches. There is a nasty number brewing at DHS involving federal employees, and there is the alleged largest hack of username and password data ever as well. I say “alleged” because some in the security world have called some of the numbers being thrown around into question, and I think they make some good points. Much of this has made it into mainstream news. People will be doing the Heartbleed dance and changing all their passwords again. Everyone is always interested in news that could affect them. We’re wired to look out for any threat that may harm us. Unfortunately for our employers, we’re not always wired to look out so diligently for threats that may harm the organizations we work for. That’s why the insider threat will never make the big headlines. While we all know on an intellectual level that the insider threat is a much bigger problem for organizations from a security standpoint, leaders and the rank and file will all react to these headlines in security discussions for the next few weeks. All the while, some erstwhile IT risk analyst will be pointing at a much more present danger and will likely not be heard over the noise of trying to add one more character to the password policy.
Just before this news broke, I had a very interesting conversation with one of those security analysts. She had reached out to us after they had a bit of a wake-up call in her organization – the kind you can’t ignore. After she had pushed and cajoled for months, they finally decided to do a review of information that was potentially exposed on a corporate share open to the whole company, which had grown wild and out of control. She told me, “We found some bad data.” She had a very calm demeanor, and the way she told the story was in stark contrast to its content. Apparently, the CEO’s corporate credit card data, the number, expiration, security code, even billing address, was all in a document sitting on this share that everyone could access. This is one of those cards that may at points be used to pay for chartered jet flights or to put down deposits for the entire company to go on a corporate trip. Suffice it to say, it has a high limit. And since many people in the organization have legitimate access, no one person always knows what’s been charged. There’s enough noise to hide things. They’re spending some time going over the bills for the last year with a very careful eye right now. Our friend the security analyst was vindicated and given the mandate to clean things up. That’s why she called us.
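The review described above, a sweep of an open share for payment card data sitting in plain documents, is the kind of check a risk analyst can automate before (rather than after) the wake-up call. The following is an added example, not code from the original post or from the analyst's organization: it walks a directory tree, pulls out 13 to 19 digit runs, keeps only those that pass the Luhn check (which screens out badge numbers and other digit strings that merely look like card numbers), and reports masked values so the report itself does not become another copy of the data. The directory layout, file names and contents are constructed here for the demonstration; the well-known test number 4111 1111 1111 1111 is used because it is Luhn-valid and not a real account.

```python
import re
import tempfile
from pathlib import Path

# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Shorter runs (phone numbers, dates)
# never reach the Luhn check.
CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid candidate numbers in a block of text, digits only."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep first six and last four digits so a finding can be traced without copying the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_tree(root: Path, suffixes=(".txt", ".csv", ".md")) -> dict[str, list[str]]:
    """Map each offending file (relative path) to the masked card numbers found in it."""
    findings: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole sweep
        pans = find_pans(text)
        if pans:
            findings[path.relative_to(root).as_posix()] = [mask(p) for p in pans]
    return findings


def build_sample_share(root: Path) -> None:
    """Constructed sample 'open share': one file with a card, one with look-alike numbers."""
    (root / "finance").mkdir(parents=True, exist_ok=True)
    (root / "finance" / "travel.txt").write_text(
        "Card for charter deposits: 4111 1111 1111 1111 exp 09/27 cvv 123\n"
    )
    (root / "hr").mkdir(parents=True, exist_ok=True)
    (root / "hr" / "directory.txt").write_text(
        "Front desk: 555-123-4567\nBadge id: 1234567812345678\n"  # 16 digits, fails Luhn
    )


def scan_sample_share() -> dict[str, list[str]]:
    """Build the constructed share in a temp dir and sweep it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_share(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, masked in scan_sample_share().items():
        print(f"{rel_path}: {', '.join(masked)}")
```

Pointing `scan_tree` at a mounted share root gives a list of files to pull, with enough of each number to confirm the hit against the card issuer's records and nothing more. Extending the suffix list to office formats means adding a text extractor per format; the Luhn filter is what keeps the report from drowning in false positives on a share full of part numbers and IDs.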
This security analyst has a story worthy of a headline, for sure. She could be interviewed in every news outlet. I could picture her being interviewed about the incident and what people should do to prevent things like it. The fact that it’s not the average person’s data at risk in an insider threat isn’t the only reason insider threats will never make headlines, though. The other reason is that organizations will never talk about these things. You may have noticed that I’m not saying anything about this organization or this individual that could identify them. That’s because this is not the kind of thing that anyone wants out there. Even though threats like this exist in every organization, no one wants to admit it. So juicy stories like this never break. They stay with guys like me, the people others turn to for help solving their problems. And maybe we blog about anonymized versions of these tales, but that’s as close as they’ll ever get to the headlines.