Staff who work around security may be trying to tell you something.

News and information from the Advent IM team.

We have talked about insider threat a lot. It seems we are destined to talk about it a bit more, given how many data breaches and security failures are still being driven by insiders.

Bupa was subject to a malicious insider recently. An employee with access and a motive is hard to stop. Not impossible, of course, but you can certainly put a good few barriers in their way if you have a full understanding of your information assets and of the Confidentiality, Integrity and Availability (CIA) principles.

But what of the unintentionally risky employees, those who do not see themselves as risky in any way? The ones who are simply trying to be more efficient and end up working around security measures to do it. They may not be seeking to profit from their behaviour in any way beyond saving time or stretching resources. But if they are working around your security, there are serious issues: the workaround usually leaves the information somewhere the original control never covered, so the confidentiality the control was meant to protect is lost anyway.

If people feel they have to work around restrictions, there may well be a problem with how proportionate those measures are. Part of the blanket approach to security has been a concentration on the C in CIA. This has led to very heavy-handed measures on practices, platforms or procedures where they are not appropriate, with the unintended consequence of almost forcing users to break security protocols simply to do their work efficiently. The A is just as important. It may be more difficult to ensure that information, platforms and so on are AVAILABLE to the correct users at the time they want them, but if someone is authorised to use something they should not need to overcome needless restriction in order to do so. It should be proportionate. "Security says no" is a mindset we need to break out of if we are ever to move security from being a blocker (with the unintended consequences above) to being an enabler, one that says: well yes, User, you need access to this information and I can see you are authorised, come on in…

…of course, you may need to look into identity and login management practices too, to ensure this is not abused or subverted… and back to that insider threat we go…
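The two paragraphs above argue for the same thing from opposite ends: an authorised identity should get in without friction, and the same identity plumbing should make abuse visible. The following is an added illustration, not code from Advent IM or from any product the post mentions. It evaluates each request against explicit grants tied to an authenticated identity, logs every allow and deny, and then reads the denials back to find known users who keep being refused the same thing. All usernames, roles, resources and requests are constructed for the example.

```python
"""Added illustration: proportionate, identity-backed access decisions with
an audit trail that surfaces where staff keep hitting refusals.
Every identity, role, resource and request below is constructed for this
example; none of it comes from the original post."""
from collections import Counter
from dataclasses import dataclass, field

# Hypothetical grants: (role, resource) -> actions that role may perform.
GRANTS = {
    ("claims_handler", "claims_db"): {"read", "update"},
    ("claims_handler", "customer_pii"): {"read"},
    ("finance", "payments_ledger"): {"read", "update", "export"},
    ("finance", "claims_db"): {"read"},
}

# Hypothetical identity store: authenticated username -> roles held.
DIRECTORY = {
    "asmith": {"claims_handler"},
    "bjones": {"finance"},
    "cwu": {"claims_handler", "finance"},
}


@dataclass
class AuditLog:
    """Every decision, allow or deny, is recorded with its reason."""
    entries: list = field(default_factory=list)

    def record(self, user, resource, action, decision, reason):
        self.entries.append({"user": user, "resource": resource,
                             "action": action, "decision": decision,
                             "reason": reason})


def authorise(user, resource, action, log):
    """Allow if the authenticated identity holds a role that is granted this
    action on this resource; otherwise deny. Both outcomes are logged, so the
    'yes, come on in' path leaves the same trail as the refusal."""
    roles = DIRECTORY.get(user)
    if not roles:
        log.record(user, resource, action, "deny", "unknown identity")
        return False
    for role in sorted(roles):
        if action in GRANTS.get((role, resource), set()):
            log.record(user, resource, action, "allow",
                       f"granted via role {role}")
            return True
    log.record(user, resource, action, "deny", "no grant for held roles")
    return False


def denial_hotspots(log, threshold=3):
    """Known identities repeatedly refused the same action on the same
    resource. Each hit needs a human decision: either a grant is missing
    (the control is disproportionate and invites a workaround) or an
    identity is probing beyond its role (the insider-threat case)."""
    counts = Counter(
        (e["user"], e["resource"], e["action"])
        for e in log.entries
        if e["decision"] == "deny" and e["reason"] == "no grant for held roles"
    )
    return {key: n for key, n in counts.items() if n >= threshold}


def run_sample():
    """Replay a constructed day of requests; return the log and hotspots."""
    log = AuditLog()
    requests = (
        [("asmith", "claims_db", "read")] * 5
        + [("asmith", "claims_db", "update")] * 2
        + [("asmith", "payments_ledger", "read")] * 4   # refused every time
        + [("bjones", "payments_ledger", "export")] * 2
        + [("bjones", "customer_pii", "read")] * 1      # one-off refusal
        + [("cwu", "customer_pii", "read")] * 2
        + [("mallory", "claims_db", "read")] * 3        # not in the directory
    )
    for user, resource, action in requests:
        authorise(user, resource, action, log)
    return log, denial_hotspots(log)


if __name__ == "__main__":
    log, hotspots = run_sample()
    for entry in log.entries:
        print(entry)
    print("review these:", hotspots)
```

Running the sample flags one hotspot, asmith being refused read on payments_ledger four times, and nothing else: the single refusal for bjones stays below the threshold, and requests from an identity the directory does not know are kept out of the proportionality review altogether, since they are an authentication problem rather than a grant problem. The list of hotspots is the point at which someone has to decide whether the answer is a missing grant or a conversation with the employee.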

 
