Insider threat - results of a new survey

The results of a recent survey performed by Cyber-Ark Software caught my attention. You can find it referenced in SC Magazine,on Dark Reading and various other places.

The survey questioned city workers in London, New York, and Amsterdam on their attitudes towards data theft if were they to suspect that their positions were about to be made redundant. Unsurprisingly, a fairly large percentage stated they would be willing to remove data, by various means, that might give them some future advantage.

The results don’t surprise me. Only recently I investigated the actions of a former employee who on learning that he would shortly be shown the door had uploaded company data to a private file sharing service.

Whether or not the stolen data is really going to be of use to the individuals next employer depends on various factors ranging from location to industry: I recall a discussion with the CEO of a business in China who stated that job applicants frequently offer up their former employer’s customer database so he had every reason to suspect that his own employees, on leaving the company, would be doing the same. Here in the UK, a few years ago a recruiter I’d previously dealt with through one particular agency contacted me from another and was happy to state that he still had my details because he’d copied his former company’s database before jumping ship.

There’s plenty of good, bad, and indifferent advice out there such as “you always need some technical controls in place to prevent, or at least record, where information is copied” (from here) or “only allow access to sensitive

information to those that really need it, lock it away in a digital

vault and encrypt the really sensitive data” (from here). Personally, I think the best solutions are through strong policy and effective education. Smart deployment of technology is important but it’s not an answer to the problem.

More to the point, dealing with the insider threat needs to be an enterprise program: people, process and technology together, not piecemeal solutions. It’s worth taking a moment to remind ourselves that this issue is nothing new. Back in 1985, a study indicated that “75% of of the primary threats to computer security came from insiders.” (see Computer Audit Update, Volume 1992, Issue 10 available on ScienceDirect), and of course, the insider threat existed long before the existence of computers and databases. All we can hope to do is reduce the risk, the problem is not going to go away.