Dark Reading has a couple of articles they’ve posted over the past two days that I found to be interesting. The first article was posted yesterday and tells a story about a risk management professional who made off with some intellectual property (I posted a couple of comments over there you may be interested in reading). The second article is about end users and their attitude toward security. Both articles provide data points in support of two truths to which security practitioners should pay attention.
First, the insider threat is always a threat. You can never mitigate that threat to zero, unless you’re the only employee in your company, and you provide no one else any level of trust above that of an outsider with respect to your information systems. Second, for most enterprise environments end users will never care about security as much as you do.
Here’s what these truths they say to me. If the insider threat is always present, all you can do is your best at mitigation. This is a case where the phrase “best practices” rings true. Understand the roles played by the individual, manage your access controls accordingly. Do your background checks, and even re-run them from time to time (talk to your HR or legal department first). Configure your SIEM to look for specific events that may be indicators your “insider” is behaving poorly – it helps to work with HR to coordinate efforts here.
Now, if end users will never care about security, we practitioners can either complain about it, or change. I recommend changing. The truth is that security all too often gets in the way of productivity, and we should always strive to do our best to make security as transparent or usable as possible to end users. The more transparent or usable security becomes for the end users, the better off we’ll all be. At the end of the day, end users have a job to do, and that will trump security more often than not – rightfully so under many circumstances.
I’m curious to know whether our readers agree, disagree, or have other thoughts about these truths. To restate: You can never mitigate risks posed by the insider threat to zero, and you will always have end user apathy. What do these truths say to you?