Trouble on the Inside

Snowden and Manning introduced the world to insider threats. Not only do we know what that means now, we also understand how difficult it is to stay ahead of such threats.

But with the expansion of mobile technologies and increasingly sophisticated threats – both inside and outside – the whole nature of cyber defense is transforming before our eyes. What worked a short while ago can no longer be expected to do the job.

Guarding the Perimeter Won’t Cut It
“Identify and protect” used to be the standard defense, notes Symantec Senior Vice President and Chief Information Officer Sheila Jordan. But that doesn’t represent an effective approach any longer, she told the Symantec Government Symposium recently.

“Identify and protect is where we have historically been, and for a long time that served a great purpose. But now we need to move to…‘detect, recover, and resolve’ as fast as we possibly can,” Jordan said. “I want to detect, recover, and resolve an incident before a person even knows what happened.”

In the same way, cybersecurity is no longer just about guarding the perimeter. In fact, it’s not even clear where the perimeter is any longer.

Crumbling Walls
The rapid growth of mobile devices and the growing phenomena of the Internet of Things are expanding exponentially both data collection and the ability to access it. More data and more access points make security more difficult.

“The four walls of an enterprise have crumbled,” said Jordan. “There are no four walls anymore. So the data is traversing… in and outside the firewalls, with the devices, back into the devices, oh, and I forgot to mention apps and cloud. So I don’t think we have a choice but to figure out how we’re going to have end-to-end security architecture and how that’s going to traverse around the data so that ultimately we’re protecting that data (from) inside and outside threats.”

Introducing Analytics
Government Acquisitions Chief Technology Officer Prem Jadhwani agreed. Jadhwani, who joined Jordan at the Symantec Government Symposium, said analytics can help organizations look at the mountains of data coming in from various sources and correlate the data.

“I see big data as a perfect solution to solve cyber problems,” he said.

But when?

“It’s happening faster than you think,” Jordan said.

That “Oops” Moment
Not every data breach is the work of a malicious insider, of course. Organizations have a harder time protecting data from well-meaning employees who unintentionally expose information or systems to risk. Well-meaning vendors can also slip and disclose data accidentally.

“Insider threats aren’t just your employees,” Michael Dent, Chief Information Security Officer, Fairfax County, Va., said. “They also are your contractors, your vendors, your volunteers, potentially, that come in and work for you. We had a vendor who took data from the county on a USB, very innocently… and he ended up exposing some county data for over two years on an unsecured file share from his company.”

In fact, 22 percent of data breaches last year resulted from employees accidentally making data public, while only 8 percent were the result of insider theft, according to Symantec’s 2015 Internet Security Threat Report.

Jordan calls unintentional data breaches “a huge learning opportunity.”

Where to Start?
The public sector has a long way to go to build mature insider threat programs, Steve Smith, Insider Threat Program Coordinator at the U.S. Department of State.

“We’re nowhere near where we need to be,” said Smith.

Organizations that want to build an insider threat program should focus on what data they want to protect and then put the technology in place to keep it safe, said Jadhwani. That includes encrypting it and using two-factor authentication.

Institutions then need to understand which employees have access to the data that requires protection.

“Look at your privileged users,” said Jadhwani. “See what they are doing. Rather than waste time on who’s trying to come from outside, let’s look at where our crown jewels are, and let’s focus our attention there. I would say it doesn’t stop with technology. I have an acronym for that – BEST. ‘B’ is the background investigation, ‘E’ is employee behavior, ‘S’ is situational awareness, and ‘T’ is training. If you combine all the policy, tools, and technology together… it will work, and it will pay dividends.”

Learn more: Listen to the full discussion on insider threats, read the complete Internet Security Threat Report, or see a list of all session podcasts.

Feel like sharing something Noteworthy? Post a comment below or email me at

Bill Glanz is the content director for MeriTalk and its Exchange communities. In the past 14 years, he has worked as a business reporter, press secretary, and media relations director in Washington, D.C.