All components of an organization have a role to play in helping prevent security breaches by employees, whether by accident or with intent, according to Mike Crouse, director of insider threat strategies at Raytheon.
Crouse spoke to ExecutiveBiz to discuss the nature of the insider threat on the heels of the release of a company-commissioned report by the Ponemon Institute on how businesses determine who is a privileged user and potential abuses of that status.
The full report is titled “Privileged User Abuse & The Insider Threat.”
The Institute surveyed 693 people with “in-depth knowledge of how their organizations are managing privileged users” and found that 51 percent of business unit managers hold primary responsibility for granting privileged user access, up from the 43-percent rate found in 2011.
Additionally, 36 percent of respondents said business unit managers are also responsible for conducting privileged user role certifications, an increase from 32 percent in 2011.
Crouse said the business unit manager “might be the person responsible for doing the actual revoking of privileges” even though the manager is sometimes not the person that owns the relevant data.
Data owners that Crouse defines as stakeholders can be workers in the human resources and information technology departments and those in the executive suite, such as CEOs and “inspector general-type people.”
“You need to involve all of the people that have data that needs to be protected. And those are all your stakeholders that have to come to the table from day one,” Crouse said.
Crouse believes the key to getting all stakeholders involved is being able to outline the potential risks of data breaches to them, depending on which data they own and who owns it.
“I would actually go to them right off the bat and hypothetically bring up to them, and say the ‘what-if?’” he said. “‘Here is the risk you have of not protecting the data you own. And here’s the ramifications if that data ever hits the street.’”
Part of that process of building up an organization’s posture against internal breaches, Crouse said, involves a business’ efforts to bolster the workforce through training programs that share knowledge of what to look out for.
Crouse also pointed to documentation as a means to make sure a business has the ability to “fall back on… compliance statements, policies that are being written, changes that are being made to your plan.”
Regardless of how a business decides to carry out a privileged user program, Crouse says continuous monitoring of employees must be one component of that initiative.
“It’s not a one‑time, fire it, forget, operation.”