Are we focusing too much on technology and not enough on people when it comes to insider threats? Talking to Keith Lowry, the Senior Vice President of threat intelligence and analysis for Nuix, it’s hard not to come away with the impression there is too much emphasis on technology and not enough on human factors when looking at IT security risks.
Lowry gave a briefing to journalists at Nuix’s Sydney office last week discussing the types of insider threats organizations face. “Why is it, despite all the money we’re spending, we seem to be losing the cybersecurity battle?” he asks.
“The majority of insider threat programs that I’ve seen begin with the foundation of technology when in reality the foundation of a counter insider threat program should be about people,” he stated as one of the reasons why organisations are struggling with securing their networks.
Supporting his belief that people are a problem is a 2015 survey by information security company Clearswift that found more than a third of employees are willing to sell their company’s private information.
All six examples he cited illustrated the problem facing managers: each breach was as much a failure in managing people as it was of technology not being implemented correctly.
Naturally the Chelsea Manning case was one of the headline cases. “Manning was a failure of leadership,” Lowry said. “What’s really interesting is before his unit went to Afghanistan he was deemed by a psychologist to be unfit to deploy. They took him anyway.”
Two of the other examples, alleged Chinese spy Hao Zhang and Russian intelligence agent Anna Chapman, are classic espionage tales, while Edward Snowden is a continuing tale that may well define our public security policies for a generation.
Of the examples, Aussie twosome Christopher Hill and Lukas Kamay along with US student Glenn Duffie Shriver are the two that should worry organisations the most.
Duffie-Shriver was sentenced to 48 months jail after being recruited by PRC intelligence officers while studying in China.
Born in 1981, Duffie-Shriver is part of a generation that Lowry believes is far less loyal to organisations and that, coupled with economic pressures such as student loans, may be far more likely to be tempted by offers such as those alleged to have been made to the American scholar.
The Aussie example is probably more concerning for management, as Hill was passing Australian Bureau of Statistics data ahead of its public release to Kamay, who arranged trades. Their insider trading scheme netted Kamay seven million dollars.
Kamay and Hill present a far more typical risk to most organisations as employees motivated by greed, addiction or some vulnerability are much more likely to steal data. This is certainly a human, rather than technology, problem.
Ultimately the focus on technology, foreign hackers and government agencies in protecting an organisation’s data is missing the greatest risk of all in our businesses – the people. How we manage and treat staff is essential to securing information.