By Rui Feio and Mark Wilson
In the past few years, security risk has gained the attention of organizations around the world, regardless of size. Some, obviously, give it more importance than others, but all recognize that addressing security should be part of their risk strategy.
When we speak to clients about this subject, it becomes apparent that they believe their biggest risks are posed by external threats, hackers, who have malevolent intentions and are after rapid financial gains and a moment of fame.
When we broach the possibility of the insider threat, they recognize it and immediately understand that an intentional or accidental act could also be a major threat to their organization.
A 2018 report from CA/Broadcom about insider threat sheds some light on this risk and offers some interesting facts:
- 90% of organizations feel vulnerable to insider threats
- 37% think the biggest cause is an excessive number of users with privileged access
- 64% are shifting their focus to detecting insider threats
The same report also states that 53% of organizations have confirmed insider attacks in the past 12 months and 27% have said that this type of attack has become more frequent.
It is interesting to note that weak passwords (56%) and password sharing (44%) are acknowledged by organizations as being among the biggest risks of an accidental insider threat. It is interesting because when performing security analysis exercises on the mainframe (security assessments or security penetration tests), we identify this as a recurring problem. In fact, the human factor is always the major security risk for organizations.
So, what should we do? Besides performing the basics from a human resources perspective (better working conditions, fewer working hours, bigger pay rises, more vacation days…), organizations should consider security risk as a whole (internal and external) and prepare themselves for the inevitable. Yes, it is not a matter of if, but of when and how the organization will suffer a security breach. The way organizations prepare for this situation and how they deal with it is paramount.
Security teams should always ask themselves whether an individual or a team really needs this access. Avoid allowing people to have access they don’t actually need to perform their jobs, even if it doesn’t seem to pose any threat to resources. Ask yourselves whether the ability to see things, display things, and learn how the system is configured and set up should really be granted by default to everyone.
If you opt to deny access by default, you increase the chances of frustrating the vast majority of attacks, whether intentional or accidental. Think about this the next time your team assesses security access.