Tuesday 27 January 2015

Security: addressing the insider threat

A smattering of the usual suspects met under the auspices of the Information Assurance Advisory Council in Covent Garden today to consider the last great frontier – dealing with the human aspect of information security. Just how do companies impose workable constraints on the 'Mark 1' human being?

With great difficulty, came the considered reply.

When dealing with remote access to an organisation’s systems, the “new firewall” is identity management. The challenges of identity verification and privilege management are immense. What realistic controls can be placed on staff (and contractors) when the organisation is, at the same time, trying to give the impression that it trusts them?

For the public sector, additional challenges are presented given the aggressive pace of the hugely ambitious digital agenda programme, which simply increases vulnerability every day. This is compounded by a culture of zero tolerance for mistakes by ministers and those with a public accountability role. But this leads to decisions on how to react to data breaches being made in ways that detract from possibly more important issues. The public sector is creating vulnerabilities at an exponential rate because of the way it chooses to do business.

There was not a meeting of minds on the best way of addressing the “human factor”. The security professionals stress the need for managers to ever more closely scrutinize the actions of their direct reports, often with scant regard for the legitimate privacy rights and aspirations of staff, who are human beings with human rights in their spare time, if not while at work.

There are some encouraging signs, though.

Government security clearances are being administered less frequently by teams of ex-policemen and former spooks, and more frequently by teams of ex-teachers and social workers. This new breed of clearance officer is likely to be more in tune with the people they will be clearing. And they will be more able to assess an applicant in terms of their ability to conform to the norms of today’s generation, rather than their compliance with the culture of previous generations.

Technical controls are (oh so gradually) being implemented within organisations, meaning that security is being built into electronic systems, rather than being bolted on to them. Yes, there is a huge distance to travel to security nirvana, but we have to be realistic. Staff (usually) want to do their jobs efficiently, and to a high standard. They expect to be given appropriate tools to do the job, and increasingly resent having to rely on “workarounds” simply because the organisation is not capable of living up to the high standards it espouses in its security policies, etc.

Today’s principal themes were the usual ones: awareness, management and culture, and leadership.

But the key message was ominous: that staff expect to be loved, looked after, led and managed effectively.

Organisations that can’t manage to live up to these expectations deserve to fall victim to the insider threat.