The insider threat peer report Peer inside your contemporaries' internal security

The nature of security often means it must be cloaked in secrecy. Organisations don’t want to talk about their approach to keeping digital assets safe, as the thinking goes that the more information that is out there, the more vulnerable they are.

This means that a lot of security professionals can feel like they are working in a bit of a vacuum. Security is never going to have the same kind of knowledge sharing economy that other areas of IT, or indeed business in general, have. The opportunities for security professionals to discuss their strategy, or even just broader opinions about the job they do, is rarer than it is for other disciplines. This issue can be magnified for IT professionals for whom security is just one aspect of their job, as it means it is always the one they are least able to discuss.

In the area of insider threat especially, many IT and security professionals are not at ease discussing the behaviours of their own users, or how they manage internal processes.

That is why we have produced ‘The insider threat peer report’. We found a few senior IT and security professionals, working in diverse industries spanning education, government, FMCG, finance and health, to tell us a bit about their views on internal security.

This report is not about case studies, or an in depth look into any of these organisations’ security strategies. It is a rare opportunity to get insight into the views and opinions of your peers on the topic of insider threat.

Who is quoted in this report?

All quoted contributors to this report are IS Decisions customers, spanning industries from education to finance, pharmaceuticals to FMCG.

University of Auckland

Hinne Hettema
IT Security team lead, University of Auckland

Forreston State Bank

Christopher Cronau
Vice President, Forreston State Bank

Bellicum Pharmaceuticals

Joseph Reyes
IT Manager, Bellicum Pharmaceuticals

The Scenic Route

John Giordiano
IT Manager, The Scenic Route

Criterion Systems

Adam Cotton
Cyber Security Analyst, Criterion Systems

Dylan

Dylan
IT Manager, Undisclosed

Moet Hennessy do Brasil

Michel Tagami
Support Coordinator, Moet Hennessy do Brasil

What is your Greatest security threat?

In our research for the Insider Threat Manifesto, a survey of 1,000 IT professionals told us ‘insider threat’ came fourth on their list of security priorities. But our peer report contributors place a higher emphasis than average on internal security.

What is your greatest security threat?

“I would say internal employee theft of information”

“Employees, contractors and clients leaking company data either knowingly or unknowingly”

“Uninformed or untrained users. Many compromises take advantage of users that don't take proper precautions or that can be persuaded to give out information.”

“Employees. They are involved in every process in an organization.”

Christopher Cronau,
VP, Forreston State Bank

John Giordiano,
IT Manager, The Scenic Route>

Adam Cotton,
Cyber Security Analyst, Criterion Systems

Michel Tagami,
Support Coordinator, Moet Hennessy do Brasil

What type of employees pose the greatest security threat?

“I believe consultants and contract employees pose the greatest risk as they really aren't accustomed to any particular company's policies and procedures around files. For example, we require all consultants and contract employees to use a company assigned laptop. All files must reside on our file server, where they can be audited using a product like FileAudit, so that we can keep an eye on what is going on.”

“Roles such as a a loan officer who have the most access to confidential information. We restrict as much as possible access to such customer information and ensure we monitor file access within those areas.”

“Postgraduate students. These have elevated access to our systems, but at the same time still behave as students.”

“Uneducated ones. These are usually the same users that click on anything that comes into their inbox and that move data off the server to thumb drives or less than secure cloud services.”

Joseph Reyes,
IT Manager, Bellicum Pharmaceuticals

Christopher Cronau,
Vice President, Forreston State Bank

Hinne Hettema,
IT Security team lead, University of Auckland

John Giordiano,
IT Manager, The Scenic Route

Technology and training: Tackling insider threat

How important a role do you think user training takes in tackling internal security?

“It is one of the most important. Users are the most often exploited vulnerability used in an attack.”

“Generally users don’t enjoy anything that takes time. Implement a solution that they don’t notice or that gives them no other choice but to obey procedures. The growth of technology has made managing security in an organisation easier, with more user friendly solutions that do not impact users.”

“It plays a very important role, however, I believe that there is an issue when users are being malicious. These users are trained, but still doing something they aren't supposed to be doing. A technology-led measure would be more effective.”

Adam Cotton,
Cyber Security Analyst, Criterion Systems

Dylan,
IT Manager

Joseph Reyes,
IT Manager, Bellicum Pharmaceuticals

Are technology or social led measures more effective?

“A combination of both, though social has the greater need and requires more attention to maintain.”

“They both play an important role. However, technology led measures are your 'boots on the ground' when tackling internal security.”

“It’s very important to keep it in the users mind. For example an informed employee can help their organization mitigate insider threats by reporting issues when they notice information that should not be readily available.”

Adam Cotton,
Cyber Security Analyst, Criterion Systems

Joseph Reyes,
IT Manager, Bellicum Pharmaceuticals

Christopher Cronau,
Vice President, Forreston State Bank

Insider threat on the Organisational priority list

Beyond IT and security, are there any other parts of an organisation that you think could help mitigate internal security risks?

“All of the organization should be involved as security is an organization-wide concern.”

Adam Cotton, Cyber Security Analyst, Criterion Systems

“The audit and risk groups, by categorising risk and providing support for funding the most important initiatives.”

Hinne Hettema, IT Security team lead, University of Auckland

“HR for training, finance for buying security, marketing to promote security and sales to sell security best practices.”

Michel Tagami, Support Coordinator, Moet Hennessy do Brasil

Insider threat on the organisational priority list Senior Management

Our recent research showed 47% of those in senior management roles consider employees to be in their top three security concerns, behind hacking and viruses.
Data loss
Employees
Virus
Hacking
When speaking with senior executives how do your ensure others understand the security issues and risk involved?

“In the biotech industry, executives tend to listen when the conversation is the theft of Intellectual Property. They understand the need for forensics and the ability to find out who did what and when they did it. I think when you can show that an idea can be stolen and that you can get the tools to either watch when that is occurring or identify who did it after it occurred, you become a hero.”

“Real-world examples can help turn the focus away from Return on Investment mindsets, but a good working relationship with the executives and keeping them aware of efforts/progress helps. Don't be silent about security, nothing is set and forget.”

Joseph Reyes,
IT Manager, Bellicum Pharmaceuticals

Adam Cotton,
Cyber Security Analyst, Criterion Systems

How do attitudes to security differ accross users?

Percentage of desk-based workers who have shared their work login details with at least one other person, split by age:

16 - 24

25 - 34

35 - 44

45 - 55

55+

“There is more knowledge of security incidents and computer use in younger users, but convenience always seems to outweigh thoughts of security.”

“There are generational differences in which the way technology as a whole is seen and therefore, the way internal security is approached. Older users are more experienced, but may be more susceptible to malware and phishing schemes. Younger users may be more apt to inadvertently share a file using a Torrent. This is the 'Pound Sign vs. the Hash Tag' discussion.”

“I find the older users, although more paranoid about threats, don't comprehend the scope of being secure and will forget the simple things. Whereas the younger crowd can comprehend the scope of being secure but tend to blindly trust new technology because it comes in a shiny package. Older people tend to disregard security measures because they don't fully understand and younger people tend to disregard them because it slows them down.”

Adam Cotton,
Cyber Security Analyst, Criterion Systems

Joseph Reyes,
IT Manager, Bellicum Pharmaceuticals

John Giordiano,
IT Manager, The Scenic Route

The future Of security and insider threat

What tech trends do you think are impacting internal security?

“Cloud is making it easier for the attackers to stand up and tear down attack infrastructure in hours, making investigation much more difficult. Cloud vendors are not generally forthcoming with information about how their infrastructure is used to facilitate attacks.”

“New technology trends have and always will impact security, and each one needs to be addressed individually. Remote working with proper VDI poses reduced risk. Social media is another attack route for social engineering.”

“As much as I love how the cloud, remote working, mobile, BYOD and social media efficiently allow us to move forward, it is also the bane of my day sometimes. It tends to move us at a speed that most of the general population has not caught up with yet in our own comprehension and understanding.”

Hinne Hettema,
IT Security team lead, University of Auckland

Adam Cotton,
Cyber Security Analyst, Criterion Systems

John Giordiano,
IT Manager, The Scenic Route

What does the future hold for internal security?

“The evolution of wearables may be a challenge. I can tell you that mobile and wearables have the capability of capturing Intellectual Property and sharing it without being found. It is definitely a future challenge.”

“(In the near future we will see) a nonexistence of a boundary between the inside and outside of an organisation… (It is vital) to therefore identify risky behaviour from all employees its vital to be monitoring logon behaviour and access to various applications.”

“The growth of technology has grown the attack surface. Generally technology growth is feature driven with a consumerised model, thus incentivising insecure development practices, and the plethora of new 'must have' features rapdily increases the chances of compromise. Think of the hackable house for instance.”

Joseph Reyes,
IT Manager, Bellicum Pharmaceuticals

Hinne Hettema,
IT Security team lead, University of Auckland

Hinne Hettema,
IT Security team lead, University of Auckland

Any words of advice?

“Make sure you have a security taskforce with representation from 'c' level through technical level and representation from audit and risk. Give the taskforce powers to drive initiatives and budgets.”

“Get management on board with the importance of security and willing to support new training and policies.”

“Don’t trust anyone.”

“Don't take security lightly. If there is room for the breach to happen, chances are it will. We can't cover everything, but we can do our best to be proactive, patch up the holes and recover from disasters.”

“Ensure that you have a robust anti-malware and anti-virus product rolled out to your workstations. Make sure that you have some forensic capability with auditing file activity on your shares, such as FileAudit.”

Hinne Hettema,
IT Security team lead, University of Auckland

Adam Cotton,
Cyber Security Analyst, Criterion Systems

Dylan,
IT Manage

John Giordiano,
IT Manager, The Scenic Route

Joseph Reyes,
IT Manager, Bellicum Pharmaceuticals