It takes more than technology to defeat a threat from inside the company. The ongoing WikiLeaks saga, and the associated, repeated unauthorized disclosures of information, is more than an escapade against the government. These leaks dramatically document the exposure that confronts all enterprises from trusted individuals, be they careless or malicious.
Insider threat isn't always or necessarily deliberate; accidental disclosure can lead to dissemination of information into the wrong hands and do harm to a company's bottom line or individuals' careers or reputations. It is human behavior that puts critical information at risk. Both organizational and technological considerations are required in order to address the threat that insiders pose to information security.
The human behavior issues
Organizations are at risk because they have both sensitive information and people who have authorized access to it. And, a third element: someone else who wants it. Even assuming that access to sensitive information is adequately protected, organizations are still at risk, because a determined disgruntled (or uninformed) authorized user can still find ways to steal or lose information.
The challenge is to evolve the layers of information security defenses to reduce that exposure. You will never be able to completely eliminate the risk, as there has to be a level of access for people to perform their jobs. Also, while technology can be an enabler, it will never be able to close all the holes.
It is common to say that "people are the weakest link in the security chain." But in reality this means that people are the link for which we have the weakest understanding. As users continue to gain more decision-making autonomy they also bear a greater responsibility and need additional support to mitigate information risks.
In the course of trying to perform their primary role, well-intended employees may and will make security trade-offs that are not aligned with the organization's best interests. That is because employees focus on their primary work tasks; the behavior required by the security-enabling tasks often presents an obstacle to that goal.
Additionally, if allowed, they make these judgments based on their own perception of risks, judgments which can be misaligned with reality. Employees then make cost-benefit computations on their own terms without having all of the facts or authority to assume the risk. As a result, employees may do the wrong thing from an information security standpoint in an attempt to do the right thing from a business and personal standpoint.
Understanding human behavior is critical to maximizing the efficiency and effectiveness of enterprise information protection tools and strategies. This approach also appeals to both well-meaning users' emotions and their intellect, so that the security trade-offs they make can be aligned with the organization's, achieving a more favorable security posture for both the organization and its users.
Mitigating the risk of insider threat
An insider attack may well be rare; but the consequences of such an attack on a corporation's data grow in severity as the value of that data grows.
And, in this fully connected world, there are no private tragedies. A growing body of civil law (to say nothing of public sentiment) demands the public shaming of any enterprise that leaks other people's data. Because data comprises an increasing fraction of total corporate wealth, financial regulations treat data loss events as inherently material; thus, such matters are elevated to the Boardroom level. In order to ensure protection against insider attack, designers of national policy are now proposing to mandate a periodic inspection regime within the officially designated critical infrastructure.
To be an insider, the individual (the would-be perpetrator) must, by definition, already have passed through an access control gate. Since the perpetrator is already inside the gate, access control is not, nor can it be, a deterrent. An inside perpetrator, to do his or her job, must have authorization credentials congruent with the task they must do. So, they are either trusted individuals or have discovered a way in. In either case, authorization systems are not deterrents to insider threat, though they may bound the downside consequence, to a degree.