Any employee with access to sensitive data is a potential threat, whether they know it or not. Even if they don't have malicious intentions, the inherent nature of their privilege is what makes them so dangerous.
Vormetric recently published its 2013 Insider Threat Report exploring the very nature of these dangers while also tallying the results of a survey it conducted over two weeks in August of this year. The numbers, which were tabulated in September, indicated the responses from 707 IT professionals to questions regarding insider threats and they choose to combat them. Needless to say, the pervasive theme of the survey results was that insider threats are a very serious concern to just about everyone.
The respondents were likely fearful, at least in part, due to what they had been hearing about in headline news about data breaches and insider threats, said Vormetric CEO Alan Kessler. He pointed to recent examples in Bradley Manning and Edward Snowden, adding that many businesses are beginning to see these problems themselves.
Vormetric CSO, Sol Cates, meanwhile, said that enterprises are concerned about insider threats because they are realizing that beyond an employee going rogue — as was the case with Manning and Snowden — there is the idea of privileged users whose identities are being compromised.
"That's becoming another concern," said Cates, "this idea of unchecked privilege that these companies don't have enough controls around."
The report also indicated what specific types of insiders the respondents perceived to be the biggest threats, with non-technical employees with legitimate access to sensitive data accounting for 51 percent of the vote. Though it may not necessarily seem obvious at first, there are scores of employees that fit the description in question, including employees in HR, who often find themselves needing to interact with personally identifiable information (PII).
"The question is, do you have proper control over how they interact with this information?" asked Kessler. "But the technical aspect of controlling this kind of access is very hard, especially if you're trying to retrofit older systems."
Cates added that executives also fit the bill here, as their jobs are not technical in nature, but they often need access to sensitive information in order to do their job.
"That's the whole point of data and information, to make it usable." said Cates. He did, however, have one suggestion for mitigating such a threat.
"Education and empowerment of the business user is a good way to counteract this problem," he said.
With insider threats posing such a significant problem, another obvious solution would be to conduct thorough background checks on potential employees before they are hired to determine whether or not they can be trusted (or whether or not they are a liability). While Cates maintains that this is a common procedure these days, the tricky part is limiting those employees' exposure to sensitive data while still allowing them to do their jobs and administrative functions.
Sign up for Computerworld eNewsletters.