
Philip Lieberman, CEO, Lieberman Software: Training your staff in security might not solve the Negligent Insider Threat

November 2010 by Philip Lieberman, CEO, Lieberman Software

Despite the fact that since April 2010 a deliberate or malicious data breach can be punished with a fine of up to £500,000, organisations continue to leave themselves vulnerable to attack. A few weeks ago a doctor at North West London Hospitals NHS Trust was found to be in breach of the Data Protection Act for leaving medical information about 56 patients on the London Underground.

As reported to the Information Commissioner’s Office (ICO) by the trust in May 2010, the incident happened when a doctor printed out personal and diagnostic information about his patients in order to carry out an audit. He intended to do this at home outside of normal working hours. Shortly after leaving the underground, he realised the information had been left on the train and returned to inform the station supervisor. The documents were subsequently found by London Transport and handed back to the doctor.

A spokesperson for the ICO said: “Most of us can think of a time when we’ve found someone else’s personal belongings, like an umbrella, left behind on a train. But the last thing we should ever expect to find is highly confidential and sensitive material detailing people’s medical history.”

Earlier this year, Internet giant Google announced that it was the victim of a sophisticated attack from China designed to break into accounts of political dissidents hosted by the company. Details are scarce, but one disclosure in particular did stand out. Google reported indications that its employees either intentionally or unintentionally helped make the attack possible. This detail hardly surprised many security experts, myself included, who have long written about the threats that enterprises face from inside the corporate firewall.

Our warnings haven’t gone completely unnoticed; awareness about insider threats has grown in the recent past. But many companies’ responses have the appearance of ineffective security theater.

One case in point: security training for rank-and-file employees. Some CIOs seem to expect that by educating users about the dangers of clicking risky links or downloading unvetted applications onto their machines, these users will stop their risky behaviour.

The truth is, though, that while employee training can offer some ROI by eliminating a small percentage of IT incidents, it’s hardly a cure-all.

Pouring water on boiling oil

According to many security experts, the most prevalent IT security threat arises from negligent insiders. Malicious hackers prey upon enterprise users with the knowledge that no matter how many times your employee may hear about security policies and risks, eventually that user will click a questionable link on Facebook, respond to a phony e-mail from “Her Majesty’s Customs & Excise,” or be duped by a targeted spearphishing attack.

It’s inevitable that costly mistakes will be made because there is a human working at each keyboard attached to those networked PCs and people are fallible. They have bad days. And sometimes they do not stop to think whether they are putting their employer’s assets at risk.

In the case of an employee who has elevated access levels needed to carry out his or her job, an attacker who entices the worker into infecting one computer now also has privileged access into the network. The worker’s account becomes the proxy for the hacker, who knows how to leverage this access for further attacks deeper and deeper into the network.

To mitigate the threat from negligent insiders, organisations can take a cue from the way that firefighters in our company’s home state of California tackle the annual wildfire season. Firefighters understand that with dry terrain and unfavorable winds wildfires are bound to occur. That is why these professionals are relentless in their efforts to limit wildfires’ damage, encouraging every resident to search out and remove combustibles around vulnerable buildings. Firefighters also plan ahead to develop the rapid response strategies needed to keep the fires contained once they break out.

Sadly, the security practices of many organizations are akin to a community of reckless Southern California homeowners that allow groves of eucalyptus trees to hang over the eaves of their homes. Examples of the dangerous combustibles in your IT environment can include:

• Administrative users who are not required to periodically change their elevated, “super user” credentials. As a result, privileged account passwords that may never expire become known to too many current and former workers.

• Computers and network appliances that share common username and password logins, exposing large portions of the infrastructure should a single account be compromised.

• The storing of administrative passwords on spreadsheets that are placed in well-known or unmonitored locations.

• Failure to adopt a “continuous auditing” approach to security, never enacting the processes to search out new vulnerabilities and mitigate them before they provide the opening for an attack.

Regardless of how much your organisation spends on security, if any of these examples apply to your situation you could be vulnerable to attacks made possible by negligent insiders.

It’s All About Risk Management

Today if your organisation runs a network you’re a target for attack. We may never eliminate the threat but with a sound, layered security approach we can do much to reduce its potential impact. And when it comes to mitigating the risks of negligent insiders, organisations need to move beyond basic training and look for ways to limit the damage.

Your first step is to ensure that administrative passwords are regularly changed; that multiple computers, network appliances, or applications don’t share identical credentials; and that no passwords are stored on spreadsheets that have unmonitored access. Next, enact processes to continuously scan the infrastructure for new vulnerabilities and take action before there’s an attack.

Regardless of whether you accomplish these steps through manual processes or by deploying privileged identity management software, you’ll be well on your way to building stronger security and limiting the potential damage of an attack. This way you also reduce your exposure to the human factor.
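The three checks described above (stale privileged passwords, one credential shared across several hosts, and secrets kept in spreadsheets) can be run against a privileged-account inventory. The script below is an added illustration, not code from the author or from Lieberman Software; the inventory records, host names and the 90-day rotation window are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample inventory (not real data): one record per privileged login.
# "fingerprint" stands in for a salted digest of the secret; the audit only
# needs equality between records, never the plaintext password itself.
INVENTORY = [
    {"host": "fw-edge-01", "user": "admin", "fingerprint": "fp-a1",
     "last_rotated": date(2010, 9, 15), "source": "vault"},
    {"host": "fw-edge-02", "user": "admin", "fingerprint": "fp-a1",
     "last_rotated": date(2010, 9, 15), "source": "vault"},
    {"host": "db-prod-01", "user": "root", "fingerprint": "fp-b2",
     "last_rotated": date(2008, 3, 15), "source": "vault"},
    {"host": "sw-core-01", "user": "admin", "fingerprint": "fp-c3",
     "last_rotated": date(2010, 10, 20), "source": r"\\fileshare\it\passwords.xls"},
    {"host": "app-srv-01", "user": "svc_backup", "fingerprint": "fp-d4",
     "last_rotated": date(2010, 9, 1), "source": "vault"},
]
AS_OF = date(2010, 11, 1)               # assumed audit date
SPREADSHEET_EXTS = (".xls", ".xlsx", ".csv")

def find_stale(inventory, as_of, max_age_days=90):
    """Hosts whose privileged secret is older than the rotation window."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(r["host"] for r in inventory if r["last_rotated"] < cutoff)

def find_shared(inventory):
    """Groups of hosts accepting the same credential: one compromise opens all."""
    groups = defaultdict(list)
    for r in inventory:
        groups[(r["user"], r["fingerprint"])].append(r["host"])
    return {key: sorted(hosts) for key, hosts in groups.items() if len(hosts) > 1}

def find_spreadsheet_sources(inventory):
    """Hosts whose secret's system of record is a spreadsheet, not a managed store."""
    return sorted(r["host"] for r in inventory
                  if r["source"].lower().endswith(SPREADSHEET_EXTS))

def audit(inventory, as_of, max_age_days=90):
    """Run all three checks; empty findings mean none of the listed risks appear."""
    return {
        "stale": find_stale(inventory, as_of, max_age_days),
        "shared": find_shared(inventory),
        "in_spreadsheets": find_spreadsheet_sources(inventory),
    }

if __name__ == "__main__":
    for finding, hosts in audit(INVENTORY, AS_OF).items():
        print(f"{finding}: {hosts}")
```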
