Saturday, July 02, 2005

The Solid Insider Threat

I just got back from Nebraska and man are my arms tired (sorry, very old joke) but seriously, my brain did get tired. I took a very challenging creative writing course on the campus of the University of Nebraska at Lincoln. There will be more about the course, and the campus, in a later post...

Right now I'm going to have to talk about the latest round of data/ID theft/abuse. Seems like the year I decided to step back from the privacy/security/fraud beat that has been my life for the last 25 years, boom! The world has woken up to just how big a mess its data are in. Consider a couple of recent articles that awaited my return from the prairie.

First, a useful reminder from Paul Nowell of the AP, that insiders at data-rich companies are a major threat to privacy. This was very timely and Paul talked to some good people, including the man who should be this nation's IT-czar, Peter G. Neumann. Nowell also talked to a vice president of marketing at San Francisco-based Vontu, a firm specializing in data loss prevention. Now, I don't know Vontu or the man in question, Steve Roop, but he got it right when he said "About 70 to 80 percent of the risk is from insiders, although not all of them are malicious..."

This had been the received wisdom about risks to information security for decades until, during the last five years or so, more and more people who were surveyed ranked outsiders, notably outside attackers using the Internet, as being more serious. Big mistake! There's no way--having read and understood the history of how humans abuse trust, technology, and information--you can believe the outsider is more of a threat to the security of your information than the insider. Sure, it might seem that way when you're trying to stop a bunch of zombies from DDoS'ing your web farm into submission, or you're trying to rid your network of some particularly nasty virus. But the trusted employee who turns heel and walks across the street to the competition with an SD card full of your customer data in his shoe, that's still the biggest threat, partly because it is the toughest to mitigate.

And let's not forget 'the number of people surveyed' factor. If you ask 250 people who work in computer security to name the biggest threat to that security, what you get is an opinion, not a fact. Like I say, those folks may sure as heck feel more pain from outsiders. But them thinking it is so does not make it so. Furthermore, computer security is not information security, as the award-winning Chief Security Officer of Choicepoint has hopefully learned by now. I will make that point in my next post, tackling the IRS, Choicepoint and something I call data-flation.
