I’ve said before that much of your risk is internal. Here’s another piece of evidence: a survey by SailPoint found that 27% of US employees would sell their work password for as little as $150. But of course it goes further than that. If they’ll sell their password, what else will they do? Will they take money to introduce some malware, connect a USB stick with an unknown payload, or hand over confidential documents?
Obviously as a security consultant, it’s my job to be paranoid. As an employer, it’s your job to build a culture of trust and respect. But you shouldn’t let that blind you to the possibilities. A UK study showed that about 0.6% of the population have psychopathic personality traits. This doesn’t mean they’re going to come over all Patrick Bateman, but they are likely to put their interests before yours. So if you employ more than about 170 people, you’re reasonably certain to have at least one bad hat; in fact the security industry rule of thumb is more like one in a hundred.
What can you do about it? You can hardly screen all your employees using the Psychopathy Checklist. Instead, consider:
Limit privileges. Most people have more access and more authority than they need to do their jobs. Either this is because they have accumulated privileges throughout their employment – they used to work in sales, now they work in account management, but they still have access to the sales pipeline data because no-one removed those rights – or it’s because working out exactly what each person needs just felt like too much work. Bite the bullet – the less they have access to, the less damage they can do.
Share responsibility (technically this is known as “two-man control”). Require two people to carry out sensitive or risky activities, such as cash transfers. Needing more than one person means they have to collude to defraud you, and that significantly decreases your risk.
Rotate roles. If someone is in a sensitive role, make someone else do it from time to time. Not only does this protect you against continuity risk in case the main incumbent suddenly becomes unavailable (see my top 5 BCP mistakes) but it also gives you a chance to find out what they’ve been up to. You can combine this with mandatory holidays – if someone never takes holiday, it might not be because they’re so dedicated – or have no life – but because they have something to hide. Send them to the beach for a week and have a good look through their files.
Enable audit logs, and tell everyone you’ve done so. If every file access, every change, every system log-in is recorded, many people who might otherwise have misbehaved will think twice. However weak your conscience, you still fear being found out. Naturally it’s better if you actually look at the audit logs from time to time, or use software to help you find unusual patterns of activity, but just the knowledge that they exist is often a sufficient deterrent.
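One way to put the first two measures into practice as a periodic review, written here as an added example and not code from the original post: a script that compares each person’s current grants against a per-role baseline (catching the ex-salesperson who still has the pipeline data) and flags anyone who alone holds both halves of a two-man control. The role names, grant names and users are constructed sample data.

```python
"""Entitlement review, added example (not from the post): flag stale grants
and toxic combinations. Roles, grants and users are constructed sample data."""

# Minimum grants each role needs to do its job (constructed baseline).
ROLE_BASELINE = {
    "sales": {"crm:read", "pipeline:read", "pipeline:write"},
    "account_management": {"crm:read", "crm:write", "billing:read"},
    "treasury": {"billing:read", "payments:request"},
    "finance": {"billing:read", "billing:write", "payments:approve"},
}

# Grants that should never sit with one person: the post's two-man control.
TOXIC_COMBINATIONS = [{"payments:request", "payments:approve"}]

# Current directory state (constructed). alice moved from sales to account
# management but kept her pipeline rights; dave can both request and approve
# a cash transfer on his own.
CURRENT_ENTITLEMENTS = {
    "alice": {"role": "account_management",
              "grants": {"crm:read", "crm:write", "billing:read",
                         "pipeline:read", "pipeline:write"}},
    "bob": {"role": "finance",
            "grants": {"billing:read", "billing:write", "payments:approve"}},
    "dave": {"role": "treasury",
            "grants": {"billing:read", "payments:request", "payments:approve"}},
}

def excess_entitlements(entitlements, baseline):
    """Grants each user holds beyond their role's baseline (accumulated rights)."""
    findings = {}
    for user, rec in entitlements.items():
        extra = rec["grants"] - baseline.get(rec["role"], set())
        if extra:
            findings[user] = sorted(extra)
    return findings

def toxic_holders(entitlements, combinations):
    """Users who alone hold every grant of a combination meant for two people."""
    findings = {}
    for user, rec in entitlements.items():
        hits = [sorted(c) for c in combinations if c <= rec["grants"]]
        if hits:
            findings[user] = hits
    return findings

if __name__ == "__main__":
    print("excess grants:", excess_entitlements(CURRENT_ENTITLEMENTS, ROLE_BASELINE))
    print("two-man control bypass:", toxic_holders(CURRENT_ENTITLEMENTS, TOXIC_COMBINATIONS))
```

Run it against an export from your directory or IAM system rather than the sample dictionaries; the output is the list of rights to revoke and the approvals to split.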
Think of this as another reminder that security is about so much more than cyber risk. Don’t just leave it to your IT department – this is a board issue and should have a permanent place on your agenda, on your management dashboard and in your consciousness.