Why We're Bad At Dealing With Insider Security Threats

IT security risks aren't just the result of software holes and determined cyber-criminals — insiders within the business also represent a risk. But do Australian companies take that prospect seriously enough?


The broad consensus from a Cisco-hosted press and analyst panel on cyber-security issues in Sydney yesterday was that the issue of internal threats often gets downplayed or ignored, especially by senior management.

"CEOs see cyber-security as being that extreme black swan kind of event — an external shock they can't control no matter how good their defences are," said Gary Blair, adjunct professor of the Edith Cowan University Security Research Institute. Internal threats often don't receive the same attention, he said.

"Within Australia we haven't talked about the insider threat sufficiently," Blair said. "We have a cultural setting in Australia that says we trust the people we employ. That's good — it leads to harmonious worker relations — but we have to recognise that potential for damage exists. My greatest concern is that scenario where you have an insider working with one of those threat actors — that's the worst possible scenario."

External attackers are apparently easier for executives to grapple with, even though an external attack may be less likely than an insider incident. "There's growing interest in how cyber-means can be used to disrupt business activities," said Dr Jason Smith, technical director of the Australian Government Computer Emergency Response Team (CERT).

"I actually think the insider threat is more inadvertent than intentional," said Alastair MacGibbon, general manager security for Dimension Data Australia. "It's an area which as a society we've failed to nail. We still put a lot of emphasis on the end user in the expectation they're going to have the right knowledge to make a decision. We increasingly will see technologies trying to design out some of those hard T-intersections that users come up to."

The way IT security is currently tackled may contribute to the issue. "Part of the problem is being called 'security', because the implication is that it's guards, guns and gates," said MacGibbon. A broader approach requires tracking and understanding behaviour, not just controlling resources, he suggested. "It's not just about enabling, it's about understanding what happens on your network."

Drawing a hard distinction between internal and external threats may not be helpful. "Once an adversary has infected your computer, they're effectively an insider," Smith pointed out.

That doesn't mean external threats should be ignored either, of course. "My fear with the current risk management approach is that by the nature of our networks, there is no perimeter," MacGibbon said. "When you can scale and automate the attack the way you can, I don't think you're lucky in finding it — I think you just find it. You can't boil an ocean, but eventually you need to."

User training is critical. "Users need to take a responsibility to learn," said Steve Martino, Global VP of information security for Cisco. "They should not just assume every action is protected."

That training has to be both funded and delivered effectively, however. "I don't think we are really great at engaging with employees and saying 'This is how we should be acting'," MacGibbon said. "It's about understanding the potential damage your actions cause."

Solving that problem doesn't just involve using conventional IT controls. Some research suggests that analysing internal email can help identify potential insider threats. Developing that understanding will require detailed research, and research is an area where Australia isn't performing as well as it could right now.

Comments

    Internal security at my work is probably the worst imaginable.

    Every user account has access to delete/revert every virtual machine (it's easier, apparently), and every password - which I have personally generated, changed, and kept updated in private folders for least-privilege access - has been shared and saved in clear text.

    As the article states, this is often more inadvertent than intentional -- we've had internal administrator passwords shared because partners were given demo/POC virtual machines and it was 'easier' to give them the account.

    It really is an end-user cultural thing.
