It is amazing to me that in the current world a lot of organisations are still so utterly focused on external threats to the point where they essentially ignore insider threats. In a world where governments cannot keep policy decisions and future speeches secret as it’s leaked instantly it is amazingly short sighted to think that a policy or honour system can be trusted to work. Especially in such massive organisations where over a million employees can be on the payroll.
How can you trust each and every one of them to do the right thing at all times? You can’t. The chances of malicious insider threat are omnipresent. One of the real problems is that a formally good honest and dutiful employee could even change to a threat seemingly over night with no warning, let alone those that are malicious from the start. Financial issues, religious or political ideals, social pressure or just plain old fashioned greed can all turn people to theft and the theft of data is psychologically one of the easier ones to convince people to perform as it’s not physical so it’s harder for them to picture being real, or consequential.
None of this even takes in to account a much larger pool of insider threat from accidents where users are careless or complacent and either don’t check what they are transmitting, assume that the destination is correct or are too uneducated in security to understand the implications of their actions.
In this case Amazon have at least done the right thing after the fact sacking the employees responsible and reporting them to law enforcement, but for such a large organisation which holds such massive troves of personal information from so many customers to have to wait till there is a breach to act? That’s the strange part as technologies that could have stopped this sort of data breach have been available for a long time.
While it had a bad reputation in the past Data Loss Protection has come a long way and is exactly the tool that would have prevented this sort of threat, by not relying on user action to enforce policy but by using technology to enforce it the malicious insider would simply have found that releasing such data to external parties would have been impossible, or at the very least far too slow and onerous to be worth the risk of detection that sending hundreds of email addresses one at a time would have caused them.
Situations like this can be addressed by :-
1 – Implementing Data Loss Prevention technologies that enforce data security policy, rather than just relying on honest users following a security policy they have read once and forgotten.
2 – Constant user education. A vast quantity of these breaches are actually accidental and education is a great tool to reduce those by teaching users the importance of security and constantly reinforcing its impact on the organisation and their own jobs risk can be dramatically reduced.
3 – Full auditing of all communications. By gathering and checking how data is being used, searching for patterns and working out the cause, rogue employees can be detected and corrected before they cause significant breaches.
Source : https://securenvoy.com/blog/security-fridays-week-23/
