Shining A "Spotlight" On: Insider Threats

October 21, 2013

According to Jim Terwilliger, technical manager of cyber defense planning for Federal Reserve National IT Services, and an affiliate of the Advanced Cyber Security Center, a New England-based nonprofit that addresses advanced threats, most insider risk is of the unintentional variety. That means training needs to be part of the solution.

Team effort

Many employees simply don’t understand that they have a security role. “They may feel that they will be forced to comply with onerous procedures, or that if they do a few things, the security people will take care of the rest,” says Terwilliger. “That can be coupled with laziness on the part of system administrators who fail to follow the best practices of user-access or don’t require complex passwords along with periodic password changes.”

As a consequence, security awareness training is crucial, says Bill Guenther, chairman of the Advanced Cyber Security Center. “It has to be comprehensive and continuous, and you have to test it,” he says. “You can’t just show everyone a video and then move on. You need to talk about everyday things, like losing a phone or laptop, and people must learn to report suspicious things, like an application that isn’t operating normally.” And, if an employee clicks on an inappropriate link, they should be provided with remedial training, he adds.

Mandatory policies relating to vacations should also be implemented, he says. If a worker is on vacation, they should not be logging into the enterprise network, and if they are, that should raise a red flag.
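The vacation check above is a correlation between an HR data source and authentication logs. The following is an added example, not code from the article or from the Advanced Cyber Security Center, showing how that detection might be scripted: a constructed leave schedule is compared against constructed login records in a hypothetical `LOGIN user=... src=... result=...` syslog-style format. Leave ranges are treated as inclusive, and failed attempts during leave are flagged as well as successful ones, because someone trying the absent employee's credentials is exactly the case the policy is meant to surface.

```python
import re
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample HR leave records (assumed format): user -> inclusive (start, end) dates.
LEAVE_SCHEDULE: Dict[str, List[Tuple[date, date]]] = {
    "jdoe": [(date(2013, 10, 14), date(2013, 10, 18))],
    "asmith": [
        (date(2013, 10, 7), date(2013, 10, 11)),
        (date(2013, 10, 21), date(2013, 10, 25)),
    ],
}

# Constructed sample authentication log in a hypothetical format; timestamps are UTC.
AUTH_LOG = """\
2013-10-14T08:02:11Z LOGIN user=jdoe src=10.1.4.22 result=success
2013-10-14T09:15:40Z LOGIN user=bwong src=10.1.4.31 result=success
2013-10-16T23:47:03Z LOGIN user=jdoe src=203.0.113.9 result=failure
2013-10-19T07:30:00Z LOGIN user=jdoe src=10.1.4.22 result=success
2013-10-21T06:58:12Z LOGIN user=asmith src=198.51.100.77 result=success
this line is not a login event and is skipped by the parser
2013-10-12T10:00:00Z LOGIN user=asmith src=10.1.4.40 result=success
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z LOGIN "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_login(line: str) -> Optional[dict]:
    """Parse one login line of the assumed format; return None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
        "user": m.group("user"),
        "src": m.group("src"),
        "result": m.group("result"),
    }


def on_leave(user: str, when: datetime, schedule: Dict[str, List[Tuple[date, date]]]) -> bool:
    """True if the user has a leave range covering the calendar date of `when` (both ends inclusive)."""
    d = when.date()
    return any(start <= d <= end for start, end in schedule.get(user, []))


def find_leave_logins(log_text: str, schedule: Dict[str, List[Tuple[date, date]]]) -> List[dict]:
    """Return an alert for every login attempt by a user who is recorded as on leave.

    Successful logins are rated high; failed attempts are still reported (medium),
    since credential use while the owner is away is the red flag the policy targets.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_login(line)
        if ev is None or not on_leave(ev["user"], ev["ts"], schedule):
            continue
        alerts.append(
            {
                "user": ev["user"],
                "ts": ev["ts"].isoformat(),
                "src": ev["src"],
                "result": ev["result"],
                "severity": "high" if ev["result"] == "success" else "medium",
            }
        )
    return alerts


if __name__ == "__main__":
    for a in find_leave_logins(AUTH_LOG, LEAVE_SCHEDULE):
        print(f"[{a['severity']}] {a['ts']} {a['user']} from {a['src']} ({a['result']}) while on leave")
```

In a real deployment the leave data would come from the HR system rather than a literal, and the calendar date should be evaluated in the timezone HR uses, not the log's UTC timestamp, or logins on the evening before a leave period will be misfiled. Users with no leave record are never flagged, so a missing HR feed silently disables the check; monitoring that the feed is current is part of the control.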