EDITORIAL
You’re only human

“Technology is part of the problem, not part of the solution. The only thing systems have in common is that they all fail.” These were the words of Ian Angell (dubbed the ‘Angell of doom’ by the UK press), professor of information systems at the London School of Economics.

Angell was perhaps a strange choice for keynote speaker at the Black Hat Las Vegas conference. Yes, he’s insightful and knowledgeable, and yes, he kept those who’d been playing roulette until the early hours not only awake, but laughing throughout. But to tell an audience of thousands of IT security professionals that technology, on which their livelihoods depend, is “a road to ruin”? Brave.

Of course, in a sense, he’s right. All technology does have the potential to fail at any time. However, in the current security landscape, I think there’s a bigger issue at stake - people.

An insider threat can be somebody abusing their position of trust for malicious gain. More commonly, however, the insider threat is someone who causes damage to their organisation unintentionally, either through ignorance or lack of education. And then who’s to blame? The organisation that failed to train their employee in information security, or the employee who should have used their common sense?

But as obvious as it is to all of us that HMRC confidential data should not be put onto a disc and into the post, and as ridiculous as it seems that a civil servant would leave top secret documents on a commuter train, hindsight makes it all the more apparent.

Human error is as certain as technology failure. People make mistakes. It’s impossible to eliminate this risk. People are unpredictable, and even when educated and information security savvy, there’s still the potential for oversight. While education can go a long way towards reducing the risk of the accidental insider threat, it does not help to protect against the malicious insider threat.

The insider threat is particularly deadly because it has the ability to bypass the physical and logical controls you’ve put in place to protect the perimeter of your network. In addition, the insider threat has already obtained credentials to access a significant portion of your infrastructure.

The Verizon 2008 Data Breach Investigations Report, which looked at over 500 serious security breaches over the past four years, says external security breaches generally compromise a median of 30 000 records, while an insider security breach results in data loss affecting a median of 375 000 records. Attacks from insiders are more damaging, and not only statistically. Seeing your organisation hit by somebody you instilled trust in is not only a blow to confidence, but also to morale, causing psychological damage as well as monetary.

As we continue to witness our government, and other public and private organisations, displaying their inability to secure our data, and we watch vendors scrambling to advertise their technology as ‘the solution’, most people are neglecting to recognise the most obvious and most essential protection of all – education. In this issue’s cover story (p.14), Cath Everett gets to grips with why two thirds of the worst security breaches over the past year have had an internal cause, and offers advice on good security practice.

Of course, I’m not advocating that technology is redundant; it’s certainly not. What I am suggesting is that while ‘belt and braces’ is an old-fashioned phrase and concept, its relevance could never be greater. Secure your organisation with the necessary technology, and then educate your people. Be aware that 100% security isn’t possible, understand that both people and technology can and will fail, and make sure that when they do, you’re ready to pick up the pieces.

Take care,

Eleanor Dallaway
SEPTEMBER 2008