Insider threats: 10 questions CFOs need to ask - by J2's John Mc Loughlin
CFOs need to actively manage IT risk, says John Mc Loughlin, Managing Director of software company J2: “It is vital that the CFO take an active role in managing this risk – as it appears IT may not have the executive drive to get it done themselves.” In this article, John shares some of the top questions CFOs must ask themselves when dealing with risk management and threats, and before declaring their IT policy as sound.
"I am continually amazed at how many companies talk about their comfort with their information security, risk and compliance positions. They are happy to tell us about their advanced security programs and yet still leave such a massive hole by ignoring the Insider Threat. Our own recent research, where we analysed over 46 Million Window, File and Application activities along with over 197,000 USB device insertions, showed that at least one in 40 users in your offices mishandle sensitive and confidential information on a regular basis; despite well worded policies."
"Perhaps it is time for the executive teams to call out the CIO (or CISO) or IT Manager and make them answer a few small questions with potentially massive financial and reputational implications. Let them explain to you why there is no Insider Threat program within the organisation and let us all move beyond the idea that information security is DLP, Firewalls and Anti-Virus."
"Firewalls and Anti-Virus have their place - but without user end point visibility - this means very little. I point to a recent breach where a Czech T-Mobile employee stole 1.5 Million of their customers' data in order to sell it for profit, as reported here. In their official statement they refused to provide any "additional specific information" about what was leaked as it is still under investigation. A company that large - with a large IT security spend? I have to ask myself: how did this happen? I believe that there can only be one answer: The Insider Threat was not a priority."
"My opinion is backed up by a quote from their official statement from the T-Mobile Czech Republic Managing Director: ' . This is a case of a failure of an individual and not a system or procedural failure.' No kidding - this is exactly what I have always said; you may have beautifully worded policies and procedures, you may have all the rules and documentation, yet, unsurprisingly businesses are losing sensitive data by the millions The Insider Risk is REAL and you have no visibility."
"That same statement from the Managing Director goes on to say, 'The only risk to which our customers could theoretically be exposed is that they might potentially be approached with unsolicited marketing offers.' The only risk . It is time to get serious. Leaked information allows for targeted threats against individuals and organisations. The more detailed the information, the easier it is to use it for criminal gain. Identify theft, phishing attacks and external compromise via a trusted internal user. Let us also think of statutory fines which will be a reality in the near future."
"Are you comfortable with that risk? A risk with very big financial implications for an organisation and associated individuals. Personally I am not!"
"The next question for your enquiring mind - what does this have to do with me, this happened in the Czech Republic? We are fooling ourselves if we do not think this is happening here every day. The only difference is that our businesses are not legally required to disclose any breaches publicly. Not yet anyway, this will change with POPI regulator being announced and signed in shortly. Why do we get calls on our private mobile phones with offers to better our insurance premiums or for a new device than we are currently using? We get calls to reduce our printing costs from a competitor business who knows what printers you have now, the period you have them and your individual costs. Do you honestly think this is not happening to your sensitive data, right now?"
"If I were you, with an eye on financial risk, I would make 100% certain that an Insider Threat program exists within the business. If not, then this should be addressed immediately. This needs to be managed and reported on with and take into account specific risks which are relevant to your business. This needs to align with where your business is on their Information Security maturity path and give you instant insight into what is really happening within."
10 simple questions to ask:
- Can you give me a list of all users who plugged in an external storage device on their machine, whether hard drive, flash drive or phone?
- Can you give me a list of all files which were copied to any of these devices in the last 48 hours, whether on the corporate network or off it?
- How many of these went on to encrypted drives vs. unencrypted drives?
- Can you list all users who have accessed or used Cloud file sharing services in the last 7 days, specific reference to consumer services such as Dropbox, OneDrive, Google Drive, Box.com, Filegooi, Wetransfer, etc?
- Can you tell me what files were synced, moved or copied into these Cloud services?
- What files were moved, copied or renamed from high risk folders in the last 24 hours?
- Which users have loaded any new piece of software onto their machine in the last 3 days, whether on the network or at home?
- What is the name of the applications?
- Is this part of the corporate list of approved software?
- What is this application to be used for?
"I believe it is vital that the CFO take an active role in managing this risk - as it appears IT may not have the executive drive to get it done themselves."