In his presentation at the RSA 2010 Conference, Donn Parker mentioned unknown-unknowns, those items that you are not aware that you don’t know about. He raised a laugh from the audience when he said that the real problem is that many do not know that they don’t know what they don’t know. Though said in a joking manner, Donn was serious about this issue. Perhaps the greatest threat to information assets comes from not being able to discern what is happening with your precious data.
For this reason, I believe that reports such as the VerizonBusiness Data Breach Report do the profession a disservice by playing down the insider threat. Some estimates put insider breaches at some 70 percent of total corporate breaches. I think that this is a low number, because so many are not detected and go unknown for several years (as in the HSBC case) or forever. Couple that with the estimate that perhaps 70 percent of breaches are at the application level, and we see that perhaps the largest vector for breaches is the insider compromising applications.
So what does that suggest? To me it suggests that the focus on application security and software assurance, which I have been pushing for about a decade, is needed if the main source of breaches is to be stemmed. Incidentally, the aforementioned VerizonBusiness report does say that each insider breach results in a much higher cost to the organization than do other forms of attack.

One Comment
Hi Warren.
I remember this insider versus outsider threat business blowing up about 5-10 years ago, when surveys were finding apparently contradictory numbers: external threats and attacks are far more numerous but most are trivial, while insider threats and attacks are more insidious, more successful and (probably) far more costly in total. It makes sense that insiders have the long-term access, insider knowledge and plenty of opportunities to explore and probe weaknesses in internal controls. Frauds, in particular, involve deliberate deception and concealment, so I am 100% certain that we don’t know about all of them. On top of that, management are much less willing to admit to insider problems than external ones, so even good surveys are probably underestimating the scale of the insider problem.
There’s another issue here too – the matter of plausible deniability. It is much easier for a wayward insider to claim he/she ‘accidentally’ tried to access the wrong system, ‘borrowed’ a colleague’s account, ‘clicked the wrong button’ or whatever, than for a hacker or other outsider to come up with a legitimate excuse for the same. That gives insiders the time to explore and probe the controls at will without much fear of discovery or recrimination. Large frauds tend to be preceded, I gather, by small frauds and incidents in which the fraudsters test out their approach, confirm that the preventive and detective controls are missing or inoperative, and plan The Big One. Outsiders may only have one reliable chance to commit the fraud, so they are more likely, I suggest, to go straight for The Big One.
Anyway, thanks for setting me thinking this morning!
Kind regards,
Gary