Feds struggle to combat insider threats

Sept. 18, 2015
45 percent of federal agencies targeted by an insider attack in the last 12 months, survey finds

While many people are concerned, and rightfully so, about the threats posed to their networks by sophisticated hacking schemes, the reality is that insiders, those employees and contractors who have already been authorized to access sensitive information, are the ones who present the greatest risks to organizations. However, despite the dangers of insider threats, which can be either malicious, intentional acts or simply the result of careless behavior, organizations in both the public and private sectors have had a difficult time trying to get a handle on the problem.

Nowhere is this more evident than in the federal government, where IT managers say insider threats present an ever-increasing challenge. In fact, according to a recent survey conducted by MeriTalk, a public-private partnership dedicated to improving the outcomes of government IT, 45 percent of 150 federal IT managers polled reported that their agency had been the target of an insider attack in the past 12 months, while 29 percent said their agency had actually lost data to an insider incident.

According to Steve O’Keeffe, founder of MeriTalk, despite the fact that so many agencies have been targeted by an insider attack, just over half of the IT managers surveyed said their employees do not follow all the protocols in place. Furthermore, 65 percent said that it is common for employees and/or contractors to email documents to their personal accounts and 40 percent reported that unauthorized employees access government information they shouldn’t at least weekly.

“That’s a big disconnect,” said O’Keeffe. “We are all human and people make mistakes, but agencies need to ramp up their security systems in order to produce a second line of defense when threats fall through the cracks.”

Despite the fact that 76 percent said their agency is more focused on combating insider threats today than it was one year ago, the results of the survey also show that agencies may be overlooking basic security measures. Just 39 percent of those surveyed said employees were offered annual, in-person security training.

“There are many reasons why in-person security training hasn’t been more of a priority, and it varies across all agencies.  But one thing we can agree on is that frequent training is most effective to better understand and prevent unintentional insider threat risks,” added O’Keeffe. “The more often agencies remind their employees to update passwords, and other protocols to prevent breaches, the more likely they will be to comply.”

Fewer than half of those polled said they employ two-factor authentication or endpoint encryption agency-wide. The reasons, according to O’Keeffe, are the costs involved and the fact that the government is still running legacy systems, some of which date back as far as the 1960s.

“It’s impossible to apply two-factor authentication and email encryption when the systems being used in today’s government are that outdated,” he said.

Perhaps one of the problems is that IT managers can’t come to a consensus on the best way to prevent insider threats. When asked what they believed the “linchpin” to preventing insider threat activity was, 40 percent said security technology, 40 percent said end-user education/training and 20 percent said additional controls/guidance.

“People, process, and technology are all critical to battling threats on the frontlines.  If they adopt a holistic approach to preventing insider threats, then they can greatly reduce the threat of an inside breach,” said O’Keeffe.

One way to get federal agencies to recognize the benefits of both technology and education in preventing insider threats, according to O’Keeffe, is to conduct internal phishing attacks.

“The employees who open up the email scam should go to training.  Utilizing these exercises is a great way for agencies to better understand unintentional insider threats, while also increasing in-person security training,” he said.

On a positive note, O’Keeffe believes it is a step in the right direction that so many agencies indicated they are now more focused on mitigating the threats posed by insiders than they were just a year ago.

“The faster they adopt insider threat programs and leverage government-wide efforts, they will react more quickly to threats,” he explained. “On the other hand, the findings discovered that more than 40 percent of agencies cannot tell the moment a document has been shared, or how – that’s not good.  Robust security systems are needed for a reason, and this is one of them.”

In addition to adopting a holistic approach, O’Keeffe said that agencies should start developing and executing formal insider threat programs, as well as scale up their training efforts and technology solutions. 

About the Author

Joel Griffin | Editor-in-Chief, SecurityInfoWatch.com

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com, a business-to-business news website published by Endeavor Business Media that covers all aspects of the physical security industry. Joel has covered the security industry since May 2008 when he first joined the site as assistant editor. Prior to SecurityInfoWatch, Joel worked as a staff reporter for two years at the Newton Citizen, a daily newspaper located in the suburban Atlanta city of Covington, Ga.