Funding Not Following Concerns About Insider Threats
The Edward Snowden scandal and Julian Assange’s WikiLeaks organization have brought to the fore the problem of “insider threats” as never before.
Congressional hearings, conferences and newspaper articles have all raised awareness, but a recent survey found that despite the hand-wringing, organizations are not putting resources toward the problem.
“People are now trying to get a better understanding of the insider threat problem, but one thing that is not happening yet, and it’s the case for government and commercial [sectors] alike, is that the budgets seem to be lagging,” said Michael Crouse, director of insider threat strategies at Raytheon Co.
Raytheon commissioned the survey to gain a better understanding of industry’s awareness of the problem, he said. The survey report, “Privileged User Abuse and the Insider Threat,” was derived from the polling of 693 info-tech managers and was conducted by the Ponemon Institute, a research and consultancy firm.
Respondents said they were aware of the problem and that they want to be more proactive when it comes to insider threats, but the survey indicated that this is mostly talk, Crouse said.
“The budgets haven’t caught up to that awareness and thinking yet,” he said.
“People are really fighting for every dollar. And when they are fighting for every dollar, they really have to fight for new requirements, and they have to … be able to show the return on investment,” he added.
It is easier to show that return on investment when it comes to thwarting external threats such as foreign hackers, he said.
The high-profile WikiLeaks and Snowden cases are prompting some companies and agencies to put together insider threat programs, he said.
Insider threats generally come in three categories. Data gathered by the Carnegie Mellon computer emergency response team show that the most common is information technology sabotage at 41 percent of incidents. That is followed by fraud for personal financial gain at 26 percent and theft of intellectual property at 20 percent. The remaining 14 percent are miscellaneous.
One example of a miscellaneous threat would be the case of an info-tech employee who was paying someone overseas to do his work for him.
“That is an insider threat. Giving someone access to a company’s information,” he said.
It is difficult to quantify how prevalent insider incidents are because exposing them can have an impact on an organization’s morale and reputation, and companies may lose business and profits, he said.
The recent case of a Microsoft employee who was caught allegedly selling information to a competitor is rare because it actually made it into the press, he said.
Almost 70 percent of respondents said they do not have enough contextual information from the tools they are using today, he said. And 56 percent said there were too many false positives from the ones that they do have.
Traditional information assurance tools don’t reveal the intent behind what an individual is trying to do, Crouse said. An employee might be moving data to a non-corporate USB thumb drive maliciously or simply by mistake.
Network sensors can see that someone pulled down a file of proprietary information. Is he renaming it so it can be attached to a Gmail account, or cutting and pasting the information so it can be sent via instant messaging to someone outside the organization?
Knowing these answers can indicate the behavior and intent, not just the act. “There are tools today that can do that, but you have to be willing to invest and deploy such products,” he said.
The report recommends a nine-step program to tackle insider threats.
One is increased training, which goes both ways, he said. It involves teaching investigators to identify bad behavior but also educating the workforce.
There are techniques that a spy could use to trick a fellow employee into handing over sensitive materials, he said. Workers should know how to recognize these tactics.
The risk is out there for all organizations, no matter what their sector or size, Crouse said.
Managers don’t want to believe that employees that they trust, and may have directly hired, can carry out these kinds of acts. But more of them are taking a “trust and verify” approach. They audit their employees when it comes to accessing sensitive information.
“We know this is a difficult problem because you are talking about human behavior, but it’s not impossible. But if companies are willing to take it seriously and invest in the proper way, in processes, procedures and technologies, they can have an effective program,” Crouse said.