Insider attacks

A couple of thousand years ago the Roman poet Juvenal asked “Quis custodiet ipsos custodes?” That is, who will watch the watchers? In over 20 years of consulting, hand-holding, troubleshooting and securing networks, one of the most frequently asked questions I hear from business leaders is “How do I keep sensitive data from the prying eyes of the network administrators?”

The answer has always been “trust.”

Now “trust” is a concept we come across almost daily in the identity management world where we even assign degrees of trust (or degrees of reliance) in data, identity providers, credentials, tokens and other authorization tools and artifacts. But “trust” in the administrators goes back to an older, broader meaning: “Firm reliance on the integrity, ability, or character of a person or thing.” There is only so much the technology can do, I always said, because someone has to be in charge of maintaining the technology and if you maintain it, you can subvert it. This did mean that a rogue admin could subvert the entire company, though.

That concept of trust, unfortunately, no longer can be used in this age of regulatory compliance as the driver of identity management. It’s no longer enough to believe that the administrator is trustworthy; you need to be able to demonstrate it. You also need to be aware of the problems that can occur because of an unwarranted trust in your IT personnel – and others.

Consul Risk Management CTO Kris Lovejoy recently published a thought piece called “The Enemy Inside”, which is a look at the threats insider attacks can pose to your enterprise as well as some basic steps you can take to mitigate potential problems.

Two things really caught my eye. First, do you think you know the profile of an “inside attacker”?
According to the Secret Service and the Carnegie Mellon University Software Engineering Institute’s CERT Coordination Center, the profile of an inside attacker shows he is generally:

* Male
* 17-60 years old
* Holds a technical position (86% chance)
* May or may not be married (50% chance)
* Racially and ethnically diverse

In other words, just about everyone in your enterprise.

The second eye-opener was the role of stupidity in security threats, according to Lovejoy:

* “Organizational stupidity: Systems administrators are highly sensitive to environmental stress (Source: CIA’s personality profile of an average IT worker). If the systems administrator is overworked, mistakes will happen. Unfortunately, in the security world mistakes can have incredibly significant and negative impacts.
* “Individual stupidity: This category includes accidental destruction, modification, disclosure, or incorrect classification of information; or failure to follow security policy or operational procedure, which leads to breach of system or information integrity, confidentiality or availability. Again, according to the CIA personality profile of the average IT worker, IT workers resist authority, working outside the ‘playbook.’ While we didn’t need the CIA to tell us that, it should be noted that human error is a significant threat to any organization.”

Read the whole piece, then think about how it applies in your organization.