An organisation can put a swathe of security products in place to protect against external threats, but if there's a person working from the inside to steal information, those digital walls are basically useless. That's the nature of insider threats; the human element can be unpredictable and difficult to fight against.
Traditionally, it's an IT department's responsibility to deal with insider threats, given information is predominantly stolen through the use of technology. But high-profile security expert Keith Lowry, who was tasked with investigating Edward Snowden, believes that IT shouldn't be solely responsible because it undermines the human element of insider threats.
Lowry, who hails from the US, is an expert in insider threats. He was the leader of the Edward Snowden counterintelligence damage assessment team and the key investigator in the Bradley/Chelsea Manning investigation. Lowry has served as the chief of staff for one of the counterintelligence and security leaders at the Pentagon and was formerly a law enforcement officer and High-Technology Crime Unit detective with the City of San Jose in California.
He currently heads up Nuix's threat intelligence business globally and is based in Australia. While he dislikes the term 'insider threats' because he believes even external threat agents can be considered an 'insider' as soon as they successfully break into a corporate network, he understands that it is predominantly associated with people acting from inside an organisation.
Having observed a ton of different cases of data exfiltration and breaches caused by either human error or deliberate attacks from employees inside companies over his 25-year career, Lowry believes that many companies around the world are misguided when it comes to protecting their digital assets.
"Billions is spent on software or IT products [for perimeter defence], but how much of that is wasted because people are still getting through?" Lowry said. He commented that it's difficult to defend against employees who may be voluntarily or involuntarily stealing confidential corporate information.
Lowry believes organisations are obsessed with the technology used in insider threat attacks but have forgotten that humans are the ones involved in and orchestrating these attacks.
"It's not just an IT or CIO issue, it's a personnel issue," he said. "[An insider threat program] cannot be something that is put to the IT department; the moment you put taking care of individuals under the technology department, all of a sudden it becomes a technology problem and not a personnel problem."
When it comes to employees, many different departments within an organisation need to be involved, from legal to human resources. The problem is, it can be challenging to get these folks working together; different groups have their own priorities and rules to follow.
"The CIO takes a technological approach, the IT guy takes a defensive approach, the HR person takes the 'I can't take any action because I don't have the authority to do it' approach," Lowry said. "People are stymied in their ability to be able to cross all those boundaries at once to focus on [the human factor]."
He recommends putting one person in charge to oversee the coordination and cooperation between these disparate departments.
"We need one overarching person who has the authority and advocacy of the org to take this event wherever it goes and it spans across the entire organisation," Lowry said. He believes this approach should be used to deal with external cybersecurity threats as well.