Everyone wants information security to be easy. Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.
I think the key to fortune cookie advice is ‘common sense’ in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.
Fortune Cookie advice for January:
Insider threats will always outpace external threats.
Insiders, those people you trust at some level, represent a significantly greater risk than outsiders. External threats may have a numerical advantage, but insiders have the access to cause staggering losses. They possess the permissions, system and process knowledge, authority, visibility to critical systems and valuable resources, and can more easily circumvent existing behavioral controls. Overall, insiders are tougher to detect, investigate, interdict, and prosecute. Security organizations may inadvertently reinforce this disproportional risk by focusing on thwarting external threats, leaving insiders more latitude to conduct undesired activities.
It is a frustrating problem for security to address. There are complex political, business, technical, legal, and behavioral aspects which plague efforts. Due to their nature, insiders have an advantage, can be stealthier, and easily overlooked. Security organizations may discount this slippery threat or lose sight of this aspect and exclusively focus on more noisy external threats. I believe insiders represent the greatest challenge in the security industry.
Every security organization should purposely put in mechanisms to keep the ‘insider threat’ in the equation. Regularly talk about it. Do an annual risk assessment for senior staff. If it makes sense, launch projects to manage the risk. Anything! Just don’t let it slip from memory. Don’t overlook the risks. The challenge is tough and may appear insurmountable, but that is not just cause to ignore the problem. This is a battle worthy of fighting.