Inside job: Home truths about cyber-insecurity
Guest post by Neal A. Pollard and David Etue
Who's already inside your firewall? What information can they access now? What can they do with it that could hurt your organization? It's entirely possible that your intellectual property (IP) is open for all sorts of insiders to see. Organizations with rich IP lodes--think of software providers, precision manufacturers, defense contractors, entertainment organizations and pharmaceutical companies--are at greatest risk from insiders mishandling or stealing their intellectual property.
These days, many people are insiders. Many tend to think of just employees as insiders, but contractors, customers and suppliers have unprecedented access to our information, and their security credentials may give them free rein far outside their areas of authority. If the means, motive and opportunity are there for an insider to steal or corrupt your information, it just isn't enough to be good at keeping the "bad guys" out.
Ignorance is as bad as malice
The insider threat isn't a new problem, but technology makes it worse--when a mouse click can dispatch terabytes of information and sensitive IP is deliberately shared across business networks, the cyber threat is a strategic concern. Nor is it necessarily a problem of malice or premeditation: Carelessness and ignorance can be every bit as damaging, as seen when portable devices containing sensitive business or government information have been mislaid in public places, or when naive insiders fall victim to phishing scams that allow outsiders to take over their computing devices and the information they can access.
Yet investments in cyber security are out of sync with the problem posed by insider threats. Organizations spend a fortune on authentication to try to screen out those whose credentials don't match their standards for information security. Authenticity is necessary, but it's insufficient. Organizations should also be investing significantly in reliability measures to assess the trustworthiness of the individuals and organizations that, once inside, have broad access to sensitive and often proprietary information.
A keystroke away from WikiLeaks?
WikiLeaks offers the perfect example of good authentication but bad reliability. The alleged leaker of US government diplomatic cables and other sensitive information, analyst Bradley Manning, was who he said he was, and had authenticated access. The "system failure" was about his reliability--not who he was, but what he was supposed to do, with which information, and toward what ends.
So what can executives do to address the insider threat? Four focal areas can make a difference:
Focus on reliability, not just authenticity. On the whole, today's approaches to IP protection and cybersecurity focus on authenticity--the exercise in which an individual or organization must verify their identity, and, by implication, their supposed trustworthiness. (Usually this is a one-time or very infrequent exercise.) But security credentials--granted when identity has been authenticated--say nothing about the individual's intent or awareness or about his or her reliability as a trustworthy and security-savvy partner. Nor do they deal with the fact that many insiders do not become malicious or careless until after they have become "trusted."
Focus on the information, not just the user. It's not enough to identify and get to know all insiders and to regularly gauge their reliability. It's necessary to determine how and when information can be accessed as opposed to just granting users permission to do so. It will help to apply multi-factor reliability tests--analogous to authentication that screens for "something the person knows, something he has, something he is." The factors don't need to be secret. They might assess ends, ways and means: What information is being used, by whom and in what roles? For which objectives?
Don't rely on technology. The insider threat is not a technology problem. The adversary knows that; they regularly exploit human weakness and stupidity. Yes, the IT department is the steward of the information, but only the IP's owners know its value, how it should be used, and the potential impact if it is lost or compromised. It takes more than the IT department to make sure assets are protected.
Reframe the concept of "inside." We're no longer talking solely about on-premises espionage. Today, the design for a transmission for an electric car is very likely shared with suppliers and other partners worldwide in a bid to spur innovation, reduce component costs and accelerate development times. IP may be compromised far upstream in the supply chain--indeed, at many points across a virtual network.
Executives are in denial if they think a data breach cannot negatively impact their organizations. If information can be used for economic, political or military gain, someone outside or inside the organization is likely trying to acquire it. In order to protect IP and better mitigate the insider threat, organizations must move beyond authentication, and embrace reliability measures. It is important that this is not just a technology initiative--it must integrate all the stakeholders who have roles in IP protection, including the owners of the information, legal, HR, and the executive suite--thus enabling the insider threat to be connected to the organization's risk management strategy. Ensuring this focus, along with appropriate investments in process, training and technology for resiliency, is the right approach to reducing the insider threat.
The time to act is not when government or law enforcement calls to inform the organization that it has been compromised. The time is now.
Neal A. Pollard is a principal at PRTM Management Consulting, where he focuses on cybersecurity, homeland security, risk management, and intelligence solutions for government and corporate clients.
David Etue, manager at PRTM Management Consulting, brings experience including security program leadership, management consulting, product management, and technical implementation.