Insider Threat – Not Knowing That You Don’t Know What You Don’t Know

In my column “All the Way from RSA,” posted on April 5, 2010, I refer to the article “France Got Stolen HSBC Data” by Deborah Ball and David Gauthier-Villars in the Money and Investing section of The Wall Street Journal published on March 12, 2010. Not only does this appear to be a case of lack of monitoring capability, but it also highlights the fact, which I have been propounding for some time, that many insider breaches are not detected by the victim organization, but through chance events.

One Comment

  1. Gary Hinson May 14, 2010 at 6:01 pm

    Hi Warren.

    I remember this insider versus outsider threat business blowing up about 5-10 years ago, when surveys were finding apparently contradictory numbers: external threats and attacks are far more numerous but most are trivial, while insider threats and attacks are more insidious, more successful and (probably) far more costly in total. It makes sense that insiders have the long-term access, insider knowledge and plenty of opportunities to explore and probe weaknesses in internal controls. Frauds, in particular, involve deliberate deception and concealment, so I am 100% certain that we don’t know about all of them. On top of that, management are much less willing to admit to insider problems than external ones, so even good surveys are probably underestimating the scale of the insider problem.

    There’s another issue here too – the matter of plausible deniability. It is much easier for a wayward insider to claim he/she ‘accidentally’ tried to access the wrong system, ‘borrowed’ a colleague’s account, ‘clicked the wrong button’ or whatever, than for a hacker or other outsider to come up with a legitimate excuse for the same. That gives insiders the time to explore and probe the controls at will without much fear of discovery or recrimination. Large frauds tend to be preceded, I gather, by small frauds and incidents in which the fraudsters test out their approach, confirm that the preventive and detective controls are missing or inoperative, and plan The Big One. Outsiders may only have one reliable chance to commit the fraud, so they are more likely, I suggest, to go straight for The Big One.

    Anyway, thanks for setting me thinking this morning!

    Kind regards,
