Handling the insider threat

CSO has a post on the Insider Threat, a problem that I lived with for a while when I worked at Oakley Networks. I certainly agree that companies need to address the insider threat, but I think most of the measures mentioned in the article are likely to be counterproductive. Here are some thoughts on why.

When people think Insider Threat, nowadays the instant association is Edward Snowden. Without commenting on his case specifically, Snowden falls into the “malicious” category: whatever the reasons, he was deliberately trying to harm the entity he worked for. But there are other classes of actors, colloquially the “unaware” user and the “busy” user. The “unaware” user doesn’t pay attention to security guidance and is particularly vulnerable to social engineering. The “busy” user is aware of security guidance but has an important task to accomplish and will circumvent security if it gets in the way. One can of course get more granular (try googling “insider threat taxonomy”), but these three categories are easy to understand and cover most actors.

The CSO article recommends a number of measures against the insider threat, including some of the usual suspects: “limiting or preventing concurrent logins”, “setting rules and restrictions around when and how users access the network”, and “employees should be restricted to specific workstations, devices, departments and IP ranges” are a few examples. On their face, these look like common-sense measures, and they certainly would help against the “malicious” insider.

What is left unaddressed is how these measures affect the rest of the workforce. The “unaware” user already doesn’t care about security, so adding more policies and regulations just gives this user more things to be unaware of; it does not improve security. Technical controls may have a positive effect here, since they will block security-unconscious actions this user would otherwise take. Probably a wash.

The “busy” user was always the one I worried about in this context. By definition, the “busy” user is otherwise a good workplace actor…he/she wants to get the job done. In fact, they are so driven to accomplish the organizational mission that they are willing to violate corporate policies if they believe said policies are getting in the way of the mission. Security folks traditionally hate these people, but they seldom get reprimanded because executives love these people. Often executives are these people.

How happy is a “busy” user going to be when their network access is automatically shut down at 9pm on Saturday when he/she is working on a big project? Especially when there is no one available to fix the problem until Monday morning. That user is not going to shut down and politely request a waiver of policy on Monday; that user is going to transfer the project to a personal laptop and go work at the Starbucks next door. And that user is going to raise holy hell on Monday about the stupid policy that almost prevented his/her work from getting done.

If it is still actually in business, your enterprise has more “busy” users than “malicious” users, likely in huge proportion. I genuinely believe the reason most enterprises aren’t applying the sorts of regulations and technical controls mentioned in the CSO article is a rational calculation that the marginal security gain in preventing a rather unlikely “malicious” insider threat is not worth either the headache or the security loss from pissing off their numerous “busy” users.

With the caveat that I used to work for an insider threat monitoring company, I genuinely believe that monitoring and auditing is the correct posture for addressing the insider threat. In my experience employees don’t like being monitored…but they really don’t like being prevented from doing things, especially when they perceive that doing those things is tied to their next performance review.
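To make the contrast concrete, here is an added example (my own illustration, not code from the CSO article, from Oakley Networks, or from any product) that evaluates the three rules quoted above, after-hours access, source IP outside an allowed range, and concurrent logins from different hosts, over a handful of constructed login records. The same evaluation backs two postures: “enforce” denies the session on the spot, “monitor” lets it proceed and queues an alert for review. All names, the policy values, and the log lines are assumptions made up for this example.

```python
"""Audit-mode evaluation of three CSO-style insider-threat rules.

Everything here is hypothetical: the rule thresholds, the allowed networks,
the business-hours window and the sample log lines are constructed for the
example and are not taken from the CSO article or any real deployment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log, one login per line: "<iso timestamp> <user> <source ip> <hostname>".
# 2024-03-09 is a Saturday; 2024-03-11 is the following Monday.
SAMPLE_LOG = [
    "2024-03-09T21:05:00 alice 10.0.0.5 WS-ALICE",        # Saturday 9pm: the "busy" user
    "2024-03-11T09:00:00 bob 10.0.0.7 WS-BOB",             # ordinary Monday-morning login
    "2024-03-11T09:02:00 bob 203.0.113.9 WS-BOB-LAPTOP",   # second session, off the corporate range
]

# Hypothetical policy: corporate range per user, weekday working hours, concurrency window.
ALLOWED_NETS = {"alice": ip_network("10.0.0.0/24"), "bob": ip_network("10.0.0.0/24")}
BUSINESS_HOURS = (8, 18)              # 08:00 to 18:00, Monday to Friday
CONCURRENCY_WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    src_ip: str
    host: str


def parse_line(line: str) -> LoginEvent:
    """Parse one sample log line into a LoginEvent."""
    ts, user, ip, host = line.split()
    return LoginEvent(datetime.fromisoformat(ts), user, ip, host)


def violations(events):
    """Return (event, rule) pairs for every rule an event trips.

    The rules are the three the article recommends enforcing; this function
    only evaluates them, so the same findings feed either posture below.
    """
    findings = []
    seen = {}  # user -> earlier events, for the concurrency check
    start, end = BUSINESS_HOURS
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ts.weekday() >= 5 or not (start <= ev.ts.hour < end):
            findings.append((ev, "after_hours"))
        net = ALLOWED_NETS.get(ev.user)
        if net is not None and ip_address(ev.src_ip) not in net:
            findings.append((ev, "outside_ip_range"))
        concurrent = [p for p in seen.get(ev.user, [])
                      if ev.ts - p.ts <= CONCURRENCY_WINDOW and p.host != ev.host]
        if concurrent:
            findings.append((ev, "concurrent_login"))
        seen.setdefault(ev.user, []).append(ev)
    return findings


def decide(findings, mode: str):
    """Turn findings into actions: 'enforce' denies the session immediately,
    'monitor' allows it and records an alert for a human reviewer."""
    if mode not in ("enforce", "monitor"):
        raise ValueError(f"unknown mode: {mode}")
    action = "deny" if mode == "enforce" else "alert"
    return [{"user": ev.user, "at": ev.ts.isoformat(), "rule": rule, "action": action}
            for ev, rule in findings]


def run(mode: str = "monitor"):
    """Evaluate the constructed log under the given posture."""
    return decide(violations(parse_line(line) for line in SAMPLE_LOG), mode)


if __name__ == "__main__":
    for posture in ("enforce", "monitor"):
        for decision in run(posture):
            print(posture, decision)
```

Under “enforce”, alice’s Saturday-evening session is denied at 9pm with nobody around to grant a waiver, which is exactly the scenario that sends her to the coffee shop with a personal laptop. Under “monitor”, the same three findings (alice after hours, bob off-range and concurrent) are waiting for a reviewer on Monday, and bob’s second session is the one that actually merits a conversation; the work itself was never interrupted.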
