An oft-quoted truism is that the majority of security breaches originate with internal employees.
I recently attended a presentation that astutely broke down these into three categories:
- Inadvertent acts — eg. someone mails a confidential document to their private email address to work on it at home
- Malicious acts — eg. a disgruntled employee willfully committing sabotage
- Whistleblowers — eg. an employee leaking data to expose wrongdoing
To this I would add
- Espionage — eg. an employee stealing trade secrets to sell to a higher bidder (or take along to a new employer).
We can simplify these four as “stupid, angry, well-intended, greedy”.
For example, Forrester Research’s Understand The State of Data Security and Privacy Report (summarized by CSO online here) claims that more than a third of incidents stem from “stupid”.
Much focus lies on data leakage protection – prevention, detection, and analysis, through techniques such as digital rights management (DRM), intelligent log monitoring, and filtering – and on mechanisms for allowing follow-up to violations, including better integration with human resources and more industry cooperation in investigations.
As a vast generalization, information security has often struggled to work together as effectively as possible with the business – the stakeholder who pays for security. It is frequently viewed as a necessary evil, as an expensive condition of doing business that hinders a firm’s maximum effectiveness. Part of this stems from ‘ refusal/inability to try and understand the need for, and value of, a strong security capability, part of it is due to security’s inability to guide the business towards asking the right kinds of questions, and to communicate its own value and necessity in a way that the business can understand.
So…the security people really need to provide “the business” with analysis that helps stakeholders understand why bad things are happening, and why they are worth paying attention to, rather than just invest in expensive preventive tools or fight fires. And that includes asking some potentially uncomfortable questions when employees do bad things for the reasons we listed above:
- “Stupid” – why are they sending stuff home? Are they insufficiently trained? Are we not giving them the right tools to do their job?
- “Angry” – why is this person angry? Granted, every company has an expected background noise of discontent, but when it causes an employee to act maliciously, perhaps it goes beyond “this person is bad / crazy”. Perhaps HR and senior management should look into the root causes of what has driven someone to commit sabotage – and learn from it.
- “Well-intended” – why are we being reported to the tax authorities / environment agency / labor relations board? Let’s be honest – companies, particularly in financial services, do a lot of things that a reasonably ethical person should not be comfortable with, including some downright illegal things. Granted, whistleblowing rules have seen strong growth in many firms, but rather than prevent it, maybe someone needs to sit the traders down for a long hard talk on why they’re giving their database administrator reason to leak details of questionable transactions to the government or the press.
- “Greedy” – the why is self-explanatory – loss of competitive advantage needn’t have any basis in wrongdoing or neglect. Nonetheless, this is the point where information security risk needs to tie into business risk, so that the firm as a whole can understand its potential exposure to loss from leaks and espionage.
Before writing someone up on a rule violation, maybe we should ask them to explain why they did what they did. For this to be effective, someone has to be responsible for collecting, analyzing, communicating, and tracking such outcomes – as with any security incidents.
That requires strong accountability. And as with anything else, management is hard if you want to do it right.