The Trusted Insider
When the whistle becomes a scream.
The Scream by Edvard Munch is said to be an autobiographical expression of anxiety. However, consider its application to the realisation of the damage done by a trusted insider.
Imagine waking up to read in the media about your company’s information loss or your agency’s penetration. Or perhaps being advised in your office (usually on a Friday afternoon) by your CIO or CFO that something dreadful has happened.
The loss could include assets, finances, intellectual property, reputation, and client confidence. In some extreme cases, even loss of life.
In our last article in this three-part series, we considered whistleblowers – those with a genuine concern or grievance bringing the issue to the attention of authorities or a wider audience outside the organisation.
What’s the difference between a whistleblower and a trusted insider?
The Australian Cyber Security Centre (ACSC) advises that “a trusted insider’s system access and knowledge of business processes often makes them harder to detect”.
But what makes a member or partner of an organisation a trusted insider? Motivation is key. Is it truly to expose a wrong or is there a deeper personal motive?
Edward Snowden is defined by many as a whistleblower who advised an unsuspecting American public in 2013 of the overreach of the NSA. Others have described him as a narcissist with unrequited ambition, having falsified education records to gain employment.
Whilst employed by the CIA, he had a record of non-compliance with information management procedures before gaining employment with Booz Allen Hamilton as a consultant to the NSA. Thinking back to our first article, like the alleged perpetrator of sexual assault in Australia’s Parliament House, Snowden had prior form.
The contracted vetting agency that provided Snowden his clearance also cleared IT contractor Aaron Alexis, otherwise known as the Navy Dockyard Shooter, who killed 12 people at the Washington Navy Yard in 2013. During his Navy service, he had eight instances of misconduct, police records for mischief involving a firearm, and a report he made to police in 2013 claiming to be a victim of harassment and hearing voices.
Both Snowden and Alexis had a record of issues that should have alerted their employers, let alone those conducting their security vetting.
How well do you know the people joining your organisation or being given access to your network, be they employees, contractors or partners? How robust was their vetting, and how is their current behaviour being monitored from a security risk perspective?
Are there people with access to your systems suffering addictions or other personal circumstances that make them vulnerable? Gambling is a common addiction behind fraud, where the person sees no way to feed their addiction other than stealing from their employer. This is especially enabled when they hold a position of trust.
Consider the case where over $3.7 million was stolen from a small business and put into the pokies, or when the Australian Federal Police Commissioner’s right-hand man, Gary Fahey, was charged with fraud. Both TRUSTED Insiders.
So far we have been discussing insiders, that is, people on the inside of an organisation.
All organisations also face external threats
Commercial competitors, disaffected former employees, criminal entities through to foreign state actors. Protecting against these, or a combination of these threats, is challenging enough.
But what if they partner with an insider?
External threat actors may seek out those with vulnerabilities inside an organisation, or an insider might go looking for external partners – as in the 2019 case of the head of Royal Canadian Mounted Police Intelligence. Note the line “Despite repeated complaints about his conduct by intelligence centre staff”. Another example of prior form.
This alignment of external threat with an internal vulnerability is extremely dangerous, as the insider is often no longer in control; the external threat actor is.
So, what can be done?
Well, a good place to start is to assess the threats, risks, and treatments as part of developing a Trusted Insider Program.
In their November 2020 Update, ACSC advised of two new controls:
- Security Control: 1625; Revision: 0; Updated: Nov-20; Applicability: O, P, S, TS
  A trusted insider program is developed and implemented.
- Security Control: 1626; Revision: 0; Updated: Nov-20; Applicability: O, P, S, TS
  Legal advice is sought regarding the development and implementation of a trusted insider program.
So, how is your Trusted Insider Program progressing?