Monday, November 26, 2018

The New Insider Threat - "Git R Done!"

I've been investigating insider threats for years.  The focus has typically been on the double agents working for foreign governments who try to steal company proprietary information, or the upset worker who plans to corrupt the entire internal network and take down the enterprise out of spite for having their vacation hours taken away.  Truth be told, these people should not be the focus of the organization's insider threat program.  The probability of these situations is very, very low, and realistically, if they wanted to steal information or bring down the network, they're probably going to get away with it.

The real threat is the everyday user or employee trying to get their job done.  Employees feel their ability to be productive has been hurt by the numerous and excessive security controls put in place.

"Why can't I use HTML email???" 
"How come I can't use a thumb drive?!"
"I just need to transfer this file from this lab to that lab.  It's okay, I'm on the cyber team..."
"I can't even update my virus definitions because DVD burning on my corporate asset is disabled!!"

Then at the same time, you get management telling you,

"Take more risk"
"Move faster"
"Be proactive and make a decision"
"Think outside the box and make it happen!"

What isn't being said is,

"What is the probability that I'm transferring malware to disconnected development systems?"
"What if I forget that USB drive in my car and drop it in the parking lot of CVS?"
"Who will take the fall for this risk if something goes wrong?"

These are great examples of why throwing money at cybersecurity won't make our systems more secure.  Make no mistake, those in the cybersecurity field are providing a service.  If they're in the offices and labs with clipboards writing cyber citations, their intimidation tactics won't help the people they're responsible for.  Instead, take the mindset of being there to help and support, and find a way to say "yes" instead of "sorry, there's a policy against that".  Remember, mission first.  And the proper amount of security is... just enough.
