The typical story about insider threat is about theft or fraud. Here are some recent articles. This is a real and present danger.
But there is another category of internal issue: accidents.
One very graphic example with which many people are familiar is the story of Bob Quick. This was an unfortunate situation in which Mr. Quick, a senior law enforcement officer, on his way to a briefing at 10 Downing Street, inadvertently exposed (physically) a secret document detailing a pending anti-terrorism raid. This caused the operation to be greatly accelerated and compromised the overall effectiveness.
Mr. Quick was both well-respected and in a leadership position. I am not bashing Mr. Quick but pointing out that anyone with access to sensitive information can make a mistake that exposes that information.
We read about hacking and stolen information all the time. For how many of these is the root cause an accident or mistake? Unpatched systems, incorrect configurations, not following process, vulnerabilities in new software, debugging settings left in production systems, unencrypted (lost) media, lost devices... these situations can all lead to some kind of "hack" and subsequent data loss. But these are all accidents! (One of the best sources of data loss information is the OSF Datalossdb.)
And it's not just information that's at risk. All organizations dependent upon technology suffer some kind of outage from time to time. How many of those are caused by accidents or mistakes? Consider issues like: fiber cuts, system maintenance issues, routing/re-routing issues, and many others.
The well-known CSI/FBI Computer Crime Survey has started to differentiate between malicious and non-malicious insiders. The equally well-known Verizon DBIR does not. If you don't read these reports, you should!
Now, this is absolutely not about blame or pointing fingers. This is about identifying an issue and helping good, honest people do the right thing. I think that many accidents happen because good people are trying to get work done fast. And perhaps sometimes this is caused by security people putting too many hurdles in the way?
So what do we do about this?
CERT does some great research on this issue. They list a set of good practices including:
- Document and enforce policies/controls.
- Provide security awareness training.
- Use Separation of Duties and Least Privilege.
- Use additional controls for privileged users.
- Use Change Control.
- Log, monitor and audit.
- Have an Incident Response plan.
- Limit the number of trusted people.
- Ensure that trusted people are trustworthy.
- Limit the amount of trust each person has.
- Use overlapping spheres of trust.
- Detect breaches of trust.