Security breaches caused by internal employees, consultants, business partners and any other individual or group of individuals that have privileged access to certain parts of the network remain one of the highest threats to digital assets. In an article about the employee life cycle and identification of internal organizational threats, Conrad et al (2009) asserts that within an organization, the employee population is the source of potential malicious insiders. According to Posy et al. (2012), 88% of all data breaches were caused by an employee of the company. In addition to this, because of their ability to use their knowledge to exploit a weakness, and motivation to do the business harm, the disgruntled employee can be one of the most severe threats. Not all employees are out to cause malicious harm. Internal security breaches can be either deliberate or non-deliberate due to negligence and / or lack of training or security awareness.
So why are internal threats, breaches and destruction of digital assets such a problem? Schnieder (2012) points to the main problem facing many organizations today. On average, employees simply have access and privileges to systems they should be restricted from. To get around this problem several things need to happen, which include, but are not necessarily limited to:
- A clear and concise policy needs to be implemented and followed with regard to both internal and external access controls. This policy should outline the process of network membership from hiring of an employee through to termination. It should also include clear rules for external personnel including contractors.
- As Schnieder points out, roles based authentication should be at the core of any type of access control or membership system. This will not only make the administrative tasks access control easier, but will also help with auditing. Clear roles and permissions should be defined and updated as needed.
- Any sensitive systems carrying personally identifiable information (PII), or secret or confidential data, should not only be located in a secure area of the network, but they should also require additional levels of security access to these roles as applicable.
By implementing these suggestions, organizations should have less difficulty managing their users, while strengthening their overall security and access control procedures, better enabling them to effectively manage their information resources. Since the internal actor continues to be a significant threat facing many businesses today, any policies and technology implemented should be continually reviewed and updated as needed.
Conrad, S., H., Durán, F., A., Conrad, G., N., Duggan, D., P., & Held, E., B. (2009). Proceedings for the 2009 Int’l System Dynamics Conference: Modeling the Employee Life Cycle to Address the Insider Threat. Retrieved from: http://www.systemdynamics.org/conferences/2009/proceed/papers/P1365.pdf
Posey, C., Bennett, R., & Robert, T. (2012). Understanding the mindset of the abusive insider: An examination of insiders’ causal reasoning following internal security changes. Computers & Security, 30 (2011), 486- 497.
Schnieder, B., & Ranum, M. (2012). Schneier-Ranum Face-Off: Is Perfect Access Control Possible? Retrieved from: http://searchsecurity.techtarget.com/magazineContent/Schneier-Ranum-Face-Off-Is-Perfect-Access-Control-Possible