Posted by: David Scott
Most organizations most emphatically do not suffer threat of attack from inside. That is, employees are for the most part loyal, educated, and careful. Sure, they gripe, gossip and drag their feet once in a while (I know I did, albeit – ahem – rarely), but hopefully, on balance, they’re glad to have a job and glad to be working where they are.
On the other hand, there is always human error with which you must contend: both its potential and, often, its manifestation.
At the same time, of course, you must have the full complement of the “technicals” firmly in place: network (and application) access control systems; firewalls; intrusion prevention/detection; anti-virus tools; and other collateral systems, depending on your specific environment.
But these tools alone aren’t a comprehensive defense. A robust, ongoing employee education program must be firmly in place, with regularized and updated training matched to the threats of laxity, unawareness, and potential error.
According to the Identity Theft Resource Center (ITRC), “insider”-caused breaches are on the rise. To cite one real-world example, Verizon Business recently received the unhappy report that half of all internal breaches were caused by IT administrators. So no group should be overlooked by business and IT governance when crafting and delivering requirements for training and care.
Of course, threats can include inappropriate and even illegal behavior, such as insiders breaching and stealing data or resources for financial gain. There is also, on occasion, the disgruntled employee out to harm the organization. In those cases, a formal oversight process run by managers and Human Resources should keep a careful track of the situation. Here we’re concentrating on a more common threat: simple human imperfection, which is universal.
Most common is the occasional employee who loses USB storage, or a whole laptop. Perhaps the organization suffers unmonitored and unregulated use of smartphones, whether personal or organization-issued, and employees have inappropriate and sensitive data stored on these devices. Again, loss or theft puts the data and the organization at risk. The potential for pain is enormous: an employee of the U.S. Department of Veterans Affairs took a laptop home with records of approximately 26 million veterans – and had it stolen out of his home. The exposure was vast.
Craft and define a policy that spells out specifically what your employees can and cannot do with data and devices, including portable storage (thumb drives, laptops, smartphones, etc.), and what they can do with means of communication (e-mail, phone, web, and so on).
First expose all possibilities and contingencies; craft policies and plans that fit your organization like a glove; then build a common-sense schedule of employee orientation, training and refreshers.
Also, business and IT leaders must review and adjust security and appropriate-use policies in accordance with the overall environment and associated changes. Put that on a regularized schedule of review too, inside the appropriate management team(s).
NP: Waltz for Debbie, Cannonball Adderley and Bill Evans, jazz24.org