It takes more than technology to defeat a threat from inside the company. The ongoing WikiLeaks saga, and the associated, repeated unauthorized disclosures of information, is more than an escapade against the government. These leaks dramatically document the exposure that confronts all enterprises from trusted individuals, be they careless or malicious.
Insider threat is not necessarily deliberate; accidental disclosure can put information into the wrong hands and harm a company's bottom line or individuals' careers and reputations. It is human behavior that puts critical information at risk. Both organizational and technological measures are required to address the threat that insiders pose to information security.
The Human Behavior Issues
Organizations are at risk because they have both sensitive information and people who have authorized access to it, plus a third element: someone else who wants that information. Even assuming that access to sensitive information is adequately protected, organizations are still at risk, because a determined, disgruntled or simply uninformed authorized user can still find ways to steal or lose information.
The challenge is to evolve the layers of information security defenses to reduce that exposure. You will never be able to eliminate the risk completely, since people need some level of access to perform their jobs. And while technology can be an enabler, it will never be able to close all the holes.
It is common to say that "people are the weakest link in the security chain." But in reality this means that people are the link for which we have the weakest understanding. As users continue to gain more decision-making autonomy they also bear a greater responsibility and need additional support to mitigate information risks.
In the course of performing their primary role, well-intentioned employees may, and will, make security trade-offs that are not aligned with the organization's best interests. That is because employees focus on their primary work tasks, and the behavior required by security-enabling tasks often presents an obstacle to that goal.
Additionally, if allowed to, they make these judgments based on their own perception of risk, and that perception can be misaligned with reality. Employees then make cost-benefit calculations on their own terms, without having all of the facts or the authority to accept the risk. As a result, employees may do the wrong thing from an information security standpoint in an attempt to do the right thing from a business and personal standpoint.
Understanding human behavior is critical to maximizing the efficiency and effectiveness of enterprise information protection tools and strategies. This approach also appeals to both the emotions and the intellect of well-meaning users: by aligning security trade-offs with what users are already trying to achieve, you reach a more favorable security posture for both the organization and its users.