Asking this question might be considered edgy, so I’ll start by answering: No. Well, not exactly — not on purpose anyway.
As an IT professional, you might ask yourself, “Seriously? Insider Threats are my fault?” I’m certainly not trying to alienate you. I’ve been in IT for over 20 years and know the hard work that IT Pros put into their job. If you’re like most IT pros, you strive to make your environment more secure. Doing so sometimes requires re-examining your own practices to ensure that you’re taking the proper steps.
So, how can Insider Threats be IT’s fault at all?
Let’s work backwards from the threat and see where IT may be playing a role. We’ll start with an insider — a user in the company — who commits a heinous act, such as data theft, fraud, or even corporate espionage. In most cases, according to the 2014 Data Breach Investigations Report from Verizon, the insiders are simply misusing the permissions they’ve been granted.
Your initial reaction might be, “Hold on a second — that’s not my fault!” So far, you would be absolutely correct. But let’s keep going. The first question is whether these perpetrators had the right permissions — or, more to the point, just enough permissions to do their job. If they had only what the job required, IT is off the hook. But if they had far more access than the job called for, wouldn’t you agree that IT shares a little of the blame? Of course it’s not IT’s fault that someone chose to commit a crime, but if IT hasn’t been vigilant about locking down permissions, can we at least agree that IT could have done something to stop it before it happened?
In a recent Ponemon study¹, 54% of end users stated that they frequently or very frequently have access to information they shouldn’t. Think about that for a moment. More than half of your users say they can open, read, copy, print, and forward information they should never have been able to reach in the first place.
So how did they get that access in the first place?
Here’s where the heart-to-heart conversation needs to happen. IT gave it to them. If you’re like just about every other IT organization in the world, you grant permissions through groups in Active Directory: the group is placed on the share or application ACL, and users are placed in the group. And it’s probably been a (very) long time since you’ve looked at those groups to see:
- who’s a member,
- which permissions have been granted to those groups across the organization, and
- whether nested groups are granting more permissions than anyone intended (a user in group A, where A is itself a member of group B, holds everything granted to B as well).
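Those three questions are really one graph problem: a user’s effective rights are the union of everything granted to every group reachable from that user through nesting. The following Python model is an added example, not code from the original post or from Imanami’s products, and the groups, shares, users and baseline rights in it are constructed for illustration. It expands nested membership with a cycle-safe breadth-first search, records the chain by which each group was reached, and reports every grant that exceeds a user’s declared least-privilege baseline.

```python
"""Effective-permission audit over nested AD-style groups.

All data below is constructed for the example: none of these groups,
users or shares refer to a real directory.
"""
from collections import deque

# Direct membership, as it would appear in each group's 'member' attribute.
# Values may be users or other groups (nesting). Note the deliberate cycle:
# FS01-Admins contains Legacy-Apps, which contains FS01-Admins. AD allows this.
GROUP_MEMBERS = {
    "Finance-Staff":   ["alice", "bob", "Finance-Leads"],
    "Finance-Leads":   ["carol"],
    "Project-Phoenix": ["dave", "Finance-Staff"],            # nests all of Finance
    "FS01-Admins":     ["eve", "Project-Phoenix", "Legacy-Apps"],  # accidental nesting
    "Legacy-Apps":     ["FS01-Admins"],
}

# Permissions granted to groups on resources, e.g. share ACLs (constructed).
GROUP_GRANTS = {
    "Finance-Staff":   {(r"\\fs01\finance", "Read")},
    "Finance-Leads":   {(r"\\fs01\finance", "Modify")},
    "Project-Phoenix": {(r"\\fs01\phoenix", "Modify")},
    "FS01-Admins":     {(r"\\fs01", "FullControl")},
    "Legacy-Apps":     {(r"\\app01\legacy", "Read")},
}

# What each person's job actually requires: the least-privilege baseline (constructed).
EXPECTED = {
    "alice": {(r"\\fs01\finance", "Read")},
    "bob":   {(r"\\fs01\finance", "Read")},
    "carol": {(r"\\fs01\finance", "Read"), (r"\\fs01\finance", "Modify")},
    "dave":  {(r"\\fs01\phoenix", "Modify")},
    "eve":   {(r"\\fs01", "FullControl"), (r"\\app01\legacy", "Read")},
}


def reverse_index(group_members):
    """Map every principal (user or group) to the groups that list it directly."""
    index = {}
    for group, members in group_members.items():
        for member in members:
            index.setdefault(member, set()).add(group)
    return index


def membership_chains(user, group_members):
    """Return {group: [user, g1, ..., group]} for every group the user belongs to,
    directly or through nesting. BFS with a 'seen' dict so circular nesting
    terminates and each group is reported once, via the first chain found."""
    parents = reverse_index(group_members)
    chains = {}
    queue = deque([(user, [user])])
    while queue:
        node, path = queue.popleft()
        for group in sorted(parents.get(node, ())):
            if group in chains:
                continue            # already reached; also breaks nesting cycles
            chains[group] = path + [group]
            queue.append((group, chains[group]))
    return chains


def effective_permissions(user, group_members, group_grants):
    """Union of every grant held by every group the user reaches through nesting."""
    perms = set()
    for group in membership_chains(user, group_members):
        perms |= group_grants.get(group, set())
    return perms


def audit(expected, group_members, group_grants):
    """Return {user: {excess_grant: chain}} for users whose effective rights
    exceed their baseline; the chain shows which nesting produced the excess."""
    findings = {}
    for user, needed in expected.items():
        chains = membership_chains(user, group_members)
        excess = {}
        for group, chain in chains.items():
            for grant in group_grants.get(group, set()):
                if grant not in needed:
                    excess.setdefault(grant, chain)
        if excess:
            findings[user] = excess
    return findings


if __name__ == "__main__":
    for user, excess in audit(EXPECTED, GROUP_MEMBERS, GROUP_GRANTS).items():
        print(f"{user}: {len(excess)} grant(s) beyond baseline")
        for (resource, right), chain in excess.items():
            print(f"  {right:12} on {resource:18} via {' -> '.join(chain)}")
```

Run as a script, the report shows that alice, bob, carol and dave all hold FullControl on the file server because Project-Phoenix was nested into FS01-Admins, while eve (whose baseline already includes those rights) produces no finding. Against a real domain the same expansion is what `Get-ADGroupMember -Recursive` performs, but it returns only the flattened list; keeping the chain is what tells you which nesting decision to undo.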
Don’t believe me? Believe your users. In that same Ponemon study, 47% of end users said that IT is not strictly enforcing its own policies against misuse or unauthorized access to company data. Need more proof? Believe your peers. 80% of IT pros surveyed said that their organization doesn’t enforce a strict least-privilege data model. It’s a bit disheartening, but true. And while you’re not intending to cause insider threats, it may be the case that you’re doing less than you should to minimize the possibility of these threats happening.
To read more on this topic, check out the Imanami whitepaper, Managing AD Groups: Simple IT Headache or Security Hazard?
¹ Ponemon, Corporate Data: A Protected Asset or a Ticking Time Bomb? (2014)