What can airport security teach us about dealing with insider threats?
Quite a bit, actually. As a starting point, let’s compare two approaches to airport security – the US approach and the Israeli approach.
The US approach assumes each person seeking to board an airplane has an equal likelihood of being a security risk.
The Israeli approach is very different. It combines profiling with more targeted examination of travelers behavior, body language, and other indicators to determine which travelers require a closer look.
There are reasons why the Israeli approach is right for Israel, and why it might not translate to the US. Profiling is right up there at the top. But there is no denying that the Israeli approach works. (For the record, as maddening as the sock hop through the security line to the machine that removes any doubt about what’s under your clothes is, the TSA agents are working hard to keep us safe and doing the dictionary definition of a thankless job. After all, it’s not their fault we have to take off our shoes).
How does this relate to insider threats? Do we want to assume that everyone working with us has an equal likelihood of being a security risk, just because they have rights and permissions to sensitive data and systems? Of course not. We are talking about our employees, our co-workers, and often our friends. Treating everyone like a potential problem not only makes for really tense holiday parties and happy hours, it simply isn’t necessary.
We could, however, put systems and policies in place to examine behaviors, and look for indicators that some employees may require a closer look. And we could look at history to tell us whether certain conditions might dictate paying closer attention to some specific groups of employees.
A recent survey by Symantec showed that 50% of employees who left, or lost, their jobs in the 12 months prior to the survey took confidential information with them.
If you knew that in every group of 10 friends your son or daughter brought over to the house, five were going to take something with them when they left, you’d either tell your beloved offspring “no more making friends” or you’d keep a much closer eye on things. Well, at the office, we aren’t about to say “no more employees.” So it seems reasonable to me to do a couple of common sense things when dealing with departing employees:
• Remind them about any agreements they signed promising to protect company information and to not disclose.
• Ask them to think about any corporate data or other Itellectual Property (IP) they might have on personal devices or in BYOC products like Dropbox, and to return / destroy it.
• Keep an eye on what they are accessing, downloading, and interacting with – 40% of those surveyed said they would use the information they took with them at their next job.
It’s company IP. Protect it. A best practice is to employ user activity monitoring on departing employees. The amount of corporate property leaving with them is simply too great, and too important, not to.