Everyone asks me what the greatest theat to security is. They are visibly disappointed when I give them my answer. I think most of them expect me to say, "China! They are out to get us!" or, "The Russian Business Network - they are wicked smart!"or, "Cybercriminals, they are always after your money." These are real threats and you need to protect yourself from them.
I believe there is a bigger threat, and dear reader, I believe it is you or maybe your co-worker.
Are you Mr. Incredible? You do it all - juggle kids, work, family obligations. This requires you to take work with you everywhere you go.
You have work to do but your kid's soccer game is coming up. Well, just download 3.3 Million borrower records to your thumb drive and you are in business. Can work anywhere. You might be able to work in the car while your kid's team warms up.
Well, Mr. Incredible, if you worked at ECMC, you just created the largest most incredible breach ever.
We don't know why an employee downloaded to a thumb drive, 3.3 million people's student loan records, but we will soon. 3.3MM people equates to as many as 5% of all federal student-loan borrowers. Their data is on a thumb drive that is now missing.
Not to worry, students, I think it only had on it your Names, addresses, Social Security numbers and other personal data.
This particular Mr. Incredible works in St. Paul, Minn., at the headquarters of Educational Credit Management Corp., a nonprofit guarantor of federal student loans.
You will be glad to read this quote from the ECMC spokesperson, Paul Kelash: "It was simple, old-fashioned theft. It was not a hacker incident." Wow, that is comforting!
This is right on the heals of another data theft earlier in March 2010, a former employee of HSBC Holdings PLC allegedly stole data on about 24,000 Swiss private-bank accounts.
The conversation about the insider threat, is the non-sexy side of security but it can cause some of the greatest chinks in the armor. The “insider threat”, is often like carbon monoxide poisoning, silent and hard to detect. I break the threat down into three character profiles:
1. Robert Hanssen
2. Eve from Wall-E
3. Mr. Incredible
Robert Hanssen – Intentional:
Robert Hanssen was a former U.S. FBI agent who turned over information to Russian intelligence services for cash and diamonds. It is also suspected he did it because he wanted to prove something to himself and others. This employee-type knowingly wants to cause harm either because they want to make a buck or because they feel it is their version of payback time.
Eve from Wall-E – Unintentional Public Disclosure (Think Millenials):
Eve is on a mission and she wears that mission on her chest. She’s after plantlife and she does not care who she broadcasts that mission to. She cannot keep a secret and she is overjoyed and beams when she finds plant life. The generation joining the workforce now and for the next 10-15 years is a lot like Eve. When they experience emotions, they will wear them openly via cyber space. That openness may also include blogging, tweeting, and Facebooking posts about the latest project they are working on.
Recently, an over exuberant Microsoftie was caught talking about the virtues of Windows 8. His posts have been removed. Before they were, we did manage to learn that the next version will be “unlike anything users expect of the operating system”. And that they are moving to 128-bit. A tough blow for their competitors and for bad guys that want to be ready to hack the new version the moment it arrives.
Mr. Incredible – Accidentally Breaks Your Defenses:
Your model employee, the hidden threat until it’s too late:
I love Mr. Incredible. He has great strength and a heart of gold. He wants to take on the world and use his talents but was forced to hide his talents within the system. In one scene, in striving to do what is right and just, he accidentally injures his own boss.
I tell organizations that their biggest threat may actually be their Mr. Incredible employees. These are the people that will do whatever it takes to work for you days, nights, weekends, and holidays. They are the fearless defenders of creating the latest report or implementing the last technology for your company. If that means downloading tons of information to a portable device so they can work on their vacation, they will. If it means throwing the laptop in the car on the way to pick up their kids with a stop at the grocery store and the laptop is left unattended…whoops! They do not mean to put the company at risk but their drive to get it done exposes your data.
The missing data costs your reputation, puts your intellectual property at risk, may expose innocent people to identity theft, and can create lengthy, costly lawsuits. Just ask the VA. A model employee was working on VA business at home and their home was burglarized. A VA laptop was among the stolen goods and had the Social Security numbers of 26.5MM active duty military and veterans on it. The VA has agreed to pay $20MM to settle a class action lawsuit. In a true miracle mix of skills and luck, the FBI managed to recover the stolen laptop and it is believed the data was not used by the criminals.
Until we deal with the insider threat, I will not run out of blog posts!
As always, would love your comments and feedback.