External cyberthreats are on their way up. Just ask Target or the host of other companies that have been victimized by malicious actors. Government agencies aren’t immune: As noted by Wired, more than 5.5 million fingerprint records were recently stolen from federal employees. But according to a new memorandum from the Office of Management and Budget (OMB), the risk of an insider threat is also growing but is often overlooked. How do government CIOs and CISOs get a handle on extracurricular employee activities?
The Risk of an Insider Threat
While it’s easy to point the finger at external actors as the biggest problem in an organization’s cybersecurity plan, employees are often a far greater threat — some by malice, some through frustration and some purely by accident. SC Magazine recently spoke with RSA Chief Security Architect Rashmi Knowles, who argued that “people are the new perimeter” because, despite the growing number of malicious actors and easily accessible malware, “the weakest link in the chain is all of us.”
Data backs up the claim: SC Magazine noted that a Verizon study found that human error played a critical role in 66 percent of all network breaches. The problem? An insider threat is often seen as less serious than its external counterpart since it’s usually accidental or a one-off act committed by recently fired or chastised employees.
In a government setting, however, there’s a much higher likelihood that employees will have access to personal and confidential data, meaning that even an accidental data breach — such as losing a laptop or using a cloud service that isn’t approved by IT admins — could have serious consequences.
The same holds true for recently terminated employees. If IT admins don’t terminate network access quickly enough, the results could be disastrous. CSO Online, reporting on a recent Symantec survey, noted that 45 percent of federal departments were targeted by insider threats over the past year, with 29 percent losing data as a result.
Law of the Land?
Government agencies are waking up to the prospect of insider threats. The Symantec survey found that 76 percent of respondents have increased their focus on combating these threats over the last year and 55 percent already have a formal insider threat program in place. As noted by The Hill, legislation is also in the works to limit the risk of insider attacks. Homeland Security already has a new mandate from the House “to establish a program to identify and mitigate insider threats from rogue employees.”
The OMB’s plan, meanwhile, focuses on a combination of stronger identity and access management (IAM) through the use of personal identity verification cards along with improved employee training. Ken Durbin, the unified security practice manager for Symantec, noted that “training is most effective to better understand and prevent unintentional threat risks.”
CIOs and CISOs of government agencies now face a dual threat: external actors looking to steal agency data and internal personnel accidentally or deliberately exposing the department to greater cyber risk. A combination of legislation, authentication and training may help mitigate the problem, but there’s a higher-level takeaway here: Threats are threats regardless of origin or intention. Government security frameworks must be prepared to take on all comers.