This week the FBI and DHS issued a “Public Service Announcement” about insider threat. I’ve written a lot about insider threat over the years. It’s always been something that needs more focus and attention than it gets. In part, this is because it doesn’t make as sexy a headline as “Hacker Steals Everything!!!” Certainly, there have been a lot of those lately. I go see customers and we’re there specifically to talk about things relevant to insider threat: employee access, over-provisioning of rights, administrator access, sensitive data and the access to that data. What do they bring up? Hacker use cases and stuff from the headlines. I even ask what the real priorities are and they admit it’s all the insider stuff. It’s good to have some ammo from sources like the FBI and DHS to back up the seriousness of the insider threat now.
The warning is stern and clear:
There has been an increase in computer network exploitation and disruption by disgruntled and/or former employees. The FBI and DHS assess that disgruntled and former employees pose a significant cyber threat to US businesses due to their authorized access to sensitive information and the networks businesses rely on.
There’s no way to get that wrong. I would only amend it to say that it can be employees looking to turn a profit as well. Some of those employees can be quite happy and still do that kind of harm. Our friends at Barclays got a taste of that a while back. We never found out the damages associated with that, all told. The FBI says “victim businesses incur significant costs ranging from $5,000 to $3 million,” but I think that number is low. It only counts the things that the FBI finds out about. It’s my belief that the majority of insider threat happens under the covers: it’s either never detected, written off as an error, or found and handled on the hush to avoid attention and damages. I know there are consultants laboring to fix things that were clearly found in breaches and other security-related issues that never hit a headline or got the authorities involved.
What’s particularly interesting about this “Public Service Announcement” is the recommendations. Essentially, they recommend doing good Identity Management, Access Governance, and Data Access Governance. You don’t see that a lot. Sure, everyone knows that the vague admonishment you see about “reviewing policies” implies doing these things. But the list here is very specific and includes things like “Conduct a regular review of employee access”, “Require employees change passwords to corporate accounts regularly”, and “terminate any account that individuals do not need to perform their daily job responsibilities.” These are very specific things. Of course, they all imply a level of insight into who has access to what, the source of access for any granted entitlement, and tracking of the security status of accounts, all of which is beyond what most organizations can do today. Our customers will be able to meet those challenges, but many others will struggle to implement even these clear, straightforward steps.
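To make those three recommendations concrete, here is an added example (not from the original post or any vendor product) of a minimal access-review pass: it joins a constructed HR roster, a role-based entitlement policy and an account inventory, and flags accounts belonging to departed employees, orphan accounts with no owner, entitlements the owner's role does not need, and passwords older than a review threshold. The data, the 90-day password age and the role-to-entitlement mapping are all assumptions for illustration.

```python
from datetime import date

# Constructed sample data (assumptions, not real systems): HR roster, the
# entitlements each role needs for daily duties, and the account inventory.
EMPLOYEES = {
    "alice": {"status": "active", "role": "finance"},
    "bob":   {"status": "terminated", "role": "engineering"},
    "carol": {"status": "active", "role": "engineering"},
}
ROLE_ENTITLEMENTS = {
    "finance": {"erp_read", "erp_post"},
    "engineering": {"git_push", "ci_admin"},
}
ACCOUNTS = [
    {"user": "alice", "entitlements": {"erp_read", "erp_post", "domain_admin"},
     "password_changed": date(2014, 1, 15)},
    {"user": "bob", "entitlements": {"git_push"}, "password_changed": date(2014, 8, 1)},
    {"user": "carol", "entitlements": {"git_push", "ci_admin"},
     "password_changed": date(2014, 9, 1)},
    {"user": "svc_backup", "entitlements": {"domain_admin"},
     "password_changed": date(2012, 3, 3)},
]
REVIEW_DATE = date(2014, 9, 30)  # constructed "today" for the review run


def review_access(accounts, employees, role_entitlements, today, max_password_age_days=90):
    """Return (user, finding) tuples a reviewer must act on: terminate, orphan,
    over-provisioned entitlement, or stale password."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        emp = employees.get(user)
        if emp is None:
            findings.append((user, "orphan: no matching employee record"))
        elif emp["status"] != "active":
            findings.append((user, "terminate: employee no longer active"))
        else:
            # Anything beyond what the role needs is over-provisioning.
            extra = acct["entitlements"] - role_entitlements.get(emp["role"], set())
            for ent in sorted(extra):
                findings.append((user, f"over-provisioned: {ent} not required by role {emp['role']}"))
        age = (today - acct["password_changed"]).days
        if age > max_password_age_days:
            findings.append((user, f"stale password: {age} days old"))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, EMPLOYEES, ROLE_ENTITLEMENTS, REVIEW_DATE):
        print(f"{user:12} {finding}")
```

In practice the three inputs come from the HR system, the role model, and each target system's account export, and the source of every granted entitlement is recorded so a reviewer can tell a role-based grant from an ad hoc one.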