Think headlines about data theft and leakage have nothing to do with you? Think again. Many of these incidents have a common theme: privileged access. It's your job to make sure your organization doesn't suffer the same fate by, at the very least, examining your existing insider threat program, and perhaps doing a major revamp.
Edward Snowden's theft and release of National Security Agency data, Army Private First Class Bradley Manning's disclosure of sensitive military documents to information distributor WikiLeaks and the shooting at the Washington Navy Yard by a credentialed IT subcontractor have given IT executives across industries pause to reconsider their security policies and procedures.
Tips for insider-threat mitigation
- Build a multidisciplinary team consisting of IT, HR, legal and key lines of business
- Target people and areas with privileged access
- Look at data flows — within the company and anything going out
- Understand the information needs of customers, employees and suppliers
- Balance the needs of employees with the company's security requirements
- Create guidelines, and communicate them in employee handbooks and elsewhere
- Use technology to enforce your guidelines
- Create whistleblowing programs to keep anonymity intact — of both the accuser and the accused
— Sandra Gittlen
"A crescendo of discussions is happening in boardrooms everywhere about the impact an insider could have on corporate assets," says Tom Mahlik, deputy chief security officer and director of Global Security Services at The MITRE Corporation, a government contractor that operates federally funded research and development centers.
The Washington Navy Yard incident cost 12 people their lives; the full impact of the WikiLeaks and Snowden data releases cannot yet be quantified.
"These incidents have added another dimension to the threat paradigm — privileged access," Mahlik says.
Mahlik suggests that existing insider threat programs must increasingly be focused on users with elevated or privileged access to critical information. To that point, he is leading an overhaul of MITRE's own program. His goal is to understand the threats insiders pose and to deter those threats via a program that synchronizes people, policies, processes and technology. "We are in the nascent stage of this effort," he says.
Realizing the new threat
For a new or rehabbed insider threat program to be successful, the CIO, CISO or CSO first has to gain boardroom buy-in and illuminate the value such a program would have to a company in detecting and preventing harm to people, property and company reputation. A thorough assessment of the known or existing vulnerabilities and threats, weighed against the overall company risk appetite, is essential.
For example, if a company manufactures a unique product, then intellectual property would be a key focus area for the insider threat program. But if a company provides medical services, then protecting patient records would be the emphasis.