No business can operate without trusting someone, somewhere. That is the insider risk. Even if you are a one person operation, you probably entrust information to your accountant, web hosting company, Microsoft or Google, to name but a few. If you are an organisation of any number of people, some of those people you must trust with your most precious organisational secrets – customer lists, finance information, banking passwords, global administrator passwords to many of your systems – again just a short list, add your own secrets you share to complete your list of risks. (Colwill. 2009)
A risk you have to live with
Of course there is no choice here, especially as for a company to grow you need to trust some people. The issues arise when that trust breaks down or is abused. For this you need a plan.
Why?
I will keep it simple and list a few of the most obvious reasons why people betray a trust. (Colwill. 2009):
- Data theft to take to the next employer
- Financial gain
- Malicious data theft and releasing into the public domain
- Malicious damage to the data for revenge
I can now hear you asking…
“What can I do about this risk?”
First you have to accept that there is not a single simple solution to this risk. Every situation will need different, considered mitigation but there is one principle you can apply to each situation.
“The principle of least privilege”
This states that you must give each member of your team access to only the information they need to undertake the tasks assigned to them.
Whenever we start a cyber security project the very first thing we do is to put down on paper, (which is later photographed, that image encrypted and the paper shredded), all the accounts and systems the organisation uses and we check the different user pages thoroughly by access:
- who has admin access – including third parties (just exactly how much access does your web designer have when it comes to your email?)
- who else has access – including third parties
- what level of access these people have
Then we work with the client to create a model of their organisation based on roles and access required.
And that is where we are going to stop today…
Come back on Thursday for the next steps.
Clive Catton MSc (Cyber Security) – by-line and other articles
Further Reading
What do you know about your website?
Why you should care about the TLA AAA!
In the news at the moment:
The Insider Threat – it may be at the top of the company…
References
Colwill, C. (2009). Human factors in information security: The insider threat–Who can you trust these days?. Information security technical report, 14(4), 186-196.