Shhh… Can You Keep a Secret? Protecting Against Insider Threats
Et Tu, Brute? When Trusted Insiders Betray
As history buffs and Shakespeare fans know, the Roman dictator Julius Caesar had much to fear from his colleagues during the Ides of March. Caesar’s power grabs and dictatorship had alienated many, even those he thought were allies. On 15 March, 44 BC, Caesar was assassinated in the Senate chamber by a group of senators, including his dear friend Marcus Brutus. Upon seeing Brutus among the assassins, Caesar supposedly uttered the famous words “Et tu, Brute?”, a Latin phrase meaning “Even you, Brutus?”, and resigned himself to his fate. The words have lived on and come to represent the ultimate betrayal by the most unexpected source, such as a trusted partner or family member.
In the 21st century, most betrayals aren’t so violent, but many are still profoundly damaging. The press archives are littered with stories of people and institutions betrayed by trusted colleagues, including the most innocuous-looking worker bees. The trust that organizations place in their workforce can leave them vulnerable to malicious employees, who often use clever methods to hide their illicit activities. Whether through corporate espionage, embezzlement, data theft, or just plain old double-crossing, the trusted insider may have the power (and often the will) to bring an organization to the brink of disaster. The infamous NSA data leaks and various well-publicized thefts of corporate resources (including intellectual property, customer lists, or money) have prompted executives to consider how best to protect their crown jewels from malicious insiders. They also want to know how to ferret out potential problem employees before they have an opportunity to cause harm.
First Step to Protecting Against Insider Threats
A good first step is to improve your understanding of the problem, then develop a multi-prong approach to combating insider threats. There’s plenty of resources available to help, including the “Common Sense Guide to Mitigating Insider Threats”, a technical report produced by Carnegie Mellon University with funding from the U.S. Department of Homeland Security. Recognizing that insider threats have multiple causes, the guide describes 19 practices that organizations should implement across the enterprise to prevent and detect insider threats.
The recommended practices include practical IT security tips such as:
- Cloud services security agreements
- User activity monitoring
- Proactive privileged identity management
- Separation-of-duty enforcement
and also legal and HR policies such as:
- Implementing background checks
- Implementing employee termination procedures
- Conducting security training
- Managing negative issues in the work environment
- Monitoring suspicious behavior
Restrict Privileged Access
Another common-sense recommendation for preventing security breaches is to restrict privileged access to as few people as possible and keep watch over those who do. Too often, organizations give employees more access to systems and data than they really need to do their jobs. They also fail to monitor or disable accounts for third-party contractors when their work is done, or delete access privileges for ex-employees. Finally, some firms don’t effectively monitor and audit IT administrators, including service providers, to ensure they aren’t abusing their powers. As the old axiom says “Trust, but verify.” See Axel Buecker’s blog What Do You Mean I am No Longer Privileged? for more on this topic.)
Keeping honest employees honest and routing out those who aren’t requires a combination of tools and activities, including risk assessments, clearly understood and enforced policies and procedures, stringent privileged access controls, and insider threat awareness. While no one is advocating rifling through employees’ in-boxes looking for signs of malfeasance, it is prudent (and often a compliance requirement) to implement IT security solutions that log, monitor, and audit employee actions. That way, unlike Caesar, you can identify and address security threats before they cause your undoing.