Security Execs Sweat Insider Threats

Insider threats are becoming increasingly worrisome to corporate security executives.

That is one of the findings in a survey of C-level businesspeopleNuix released last week.

“The insider threat seems to be a bigger concern this year than it was in previous years,” said Keith Lowry, Nuix’s senior vice president of business threat intelligence and analysis.

“People are recognizing that it is a significant weakness that has yet to be fully addressed by most organizations,” he told TechNewsWorld.

Insider threat programs are widespread across the broad set of industries represented by 28 high-level executives participating in the study, which was conducted by Ari Kaplan Advisors.

More than two-thirds (71 percent) of the executives said they had either an insider threat program or an insider threat policy.

Throwing Money at Problem

Organizations are spending more money fighting insider threats, the survey found.

Nearly a quarter (21 percent) of the surveyed execs said some of their increases in security spending went to bolstering protections against insider threats.

What’s more, 14 percent of the participants noted that 40 percent or more of their security budgets went to combating insider threats.

Despite those efforts, the organizations in the survey still had problems tracking access to their critical data.

Most of them (93 percent) could identify their critical data, but only 69 percent said they knew what people did with critical data after they accessed it.

Not Just IT’s Problem

“The insider is a dynamic threat, and most organizations are taking a static approach to stopping it,” Lowry said.

“This is not just an IT problem. It’s a risk management issue. The C-suite needs to realize that this is a bigger issue,” he noted.

“It has to be looked at from the perspective of the whole organization, not just a piece of any part of the organization,” Lowry added.

As in the 2014 survey, participants cited human behavior as the greatest threat to their security. Last year, 88 percent of those surveyed identified human behavior as their biggest threat. This year, it was even higher: 93 percent.

CISA Sneaks Into Law

Congress, perhaps unwilling to take the heat during the re-election season for enacting a law that civil liberties groups and some high-profile technology companies say broadens the government’s surveillance powers, buried the text of the Cybersecurity Information Security Act in the federal budget bill President Obama signed into law earlier this month.

Tucking controversial measures into budget bills is a time-honored tactic to avoid putting legislators on the record on thorny issues that could be used against them when they run for re-election.

From its inception, the bill failed to require that information shared by companies with the government be anonymized.

“The initial proposal of CISA had a bare minimum of provisions to offer some type of privacy protection, but not enough,” said Joseph Pizzo, field engineer atNorse.

“What we’re seeing now is that these few provisions have been stripped away,” he added. “With the changes, organizations can now directly share raw data with several agencies with no protection or anonymity.”

Encourages Sharing

Sharing information about cyberthreats can help protect the nation’s data assets, but private industry has been reluctant to do so because of liability and antitrust considerations.

“The bill covers the majority of areas needed to encourage sharing,” said Sean Tierney, vice president of threat intelligence atIID.

“It hits on the important and cogent points,” he told TechNewsWorld.

“It provides protections against liability for sharing or consuming data, so long as it’s done for the sake of cybersecurity,” Tierney said.

There are no requirements in the legislation for companies to share information with the government, he added. However, there are requirements as to what the government needs to provide the private sector.

“Many of us see the bill as progress in both protecting privacy and providing data to the country,” Tierney said.

Getting Out of Patching Business

Among the best practices recommended by many security pros is keeping software current by installing updates as soon as a manufacturer releases them.

In the enterprise, that can be difficult because IT departments like to test new software patches before they roll them out to all their charges. Their thinking is that it’s better to break a few test machines than let an ornery patch raise havoc throughout the enterprise.

That kind of testing, though, may be a luxury IT departments no longer can afford. In the week before Christmas, for example, just four companies — Apple, Adobe, Microsoft and Google — released 273 patches.

“If you’re in the business of patching, you’ve got to get out of it,” said Simon Crosby, CTO and co-founder ofBromium.

“We need to get humans out of the loop,” he told TechNewsWorld.

Don’t Worry About Breakage

If an organization is uncomfortable with automatic patching, it should install patches immediately and not worry about breaking things, Crosby maintained.

“Patching for the benefit of the majority at the expense of breaking a few things is vastly preferable to testing everything and then patching,” he said.

With the Internet of Things entering the corporate landscape, the patching problem will get even worse.

“You’re going to have all these devices running with software in them,” Crosby observed. “It must be the case that those things patch themselves. Otherwise, we will die trying to patch stuff.”

Breach Diary

  • Dec. 21. Yahoo announces it will notify users if it strongly suspects their accounts have been targeted by a state-sponsored actor.
  • Dec. 21. Fox River Counseling Center notifies 509 patients their health information is at risk after someone stole a laptop from one of its offices.
  • Dec. 22. Sanrio Digital confirms reports that data of 3.3 million Hello Kitty fans is at risk after a vulnerability was discovered in its hosting service. Although the data was exposed for a month, the company said it found no evidence that any data was stolen during that period.
  • Dec. 22. Former Morgan Stanley Broker Galen Marsh is sentenced to three years probation for illegally taking home client data from the company’s computer systems.
  • Dec. 22. HealthSouth Rehabilitation Hospital notifies 1,359 patients their health information is at risk after someone stole a laptop from the trunk of an employee’s car in October.
  • Dec. 23. The Intercept reports that in February 2011, GCHQ, a UK spy agency, acquired the capability to covertly exploit security vulnerabilities in 13 firewall models by Juniper Networks with the knowledge and cooperation of the NSA.
  • Dec. 23. Hyatt Hotels advises its patrons to monitor their credit card statements after announcing it has discovered malware on the payment processing systems of its Hyatt-managed properties.
  • Dec. 23. Livestream asks all its users to reset their passwords after it discovers the possibility that an unauthorized person accessed its customer information database.
  • Dec. 23. Allina Health notifies more than 6,000 patients that their healthcare information is at risk after it was disposed of in the trash instead being shredded at its Isles Clinic in Minneapolis.
  • Dec. 25. Valve, which operates the popular gaming site Steam, confirms a system error that allowed some users to see other users account data. The error was caused by a configuration change and has been fixed, the company said.

Upcoming Security Events

  • Jan. 14. PrivacyCon. Constitution Center, 400 7th St. SW, Washington, D.C. Sponsored by the Federal Trade Commission. Free.
  • Jan. 16. B-Sides New York City. John Jay College of Criminal Justice, 524 West 59th St., New York. Free.
  • Jan. 18. B-Sides Columbus. Doctors Hospital West, 5100 W Broad St., Columbus, Ohio. Registration: $25.
  • Jan. 21. From Malicious to Unintentional — Combating Insider Threats. 1:30 p.m. ET. Webinar sponsored by MeriTalk, DLT and Symantec. Free with registration.
  • Jan. 22. B-Sides Lagos. Sheraton Hotels, 30 Mobolaji Bank Anthony Way, Airport Road, Ikeja, Lagos, Nigeria. Free.
  • Jan. 26. Cyber Security: The Business View. 11 a.m. ET. Dark Reading webinar. Free with registration.
  • Feb. 5-6. B-Sides Huntsville. Dynetics, 1004 Explorer Blvd., Huntsville, Alabama. Free.
  • March 18. Gartner Identity and Access Management Summit. London. Registration: before Jan 23, 2,225 euros plus VAT; after Jan. 22, 2,550 euros plus VAT; public sector. $1,950 plus VAT.
  • June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: before April 16, $2,950; after April 15, $3,150; public sector, $2,595.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Cybersecurity

Technewsworld Channels