For August, the NoticeBored security awareness spotlight turns towards the threat from within the organization, insiders.
“Insider threats” may be a common term but it's technically incorrect. “Insider risks” is more accurate since there is more to this than just the threats posed by insiders. The NoticeBored materials explore the vulnerabilities and impacts too.
“Insiders” in this context are primarily employees - both staff and management - of the organization, those on its payroll. “Outsiders”, then, are third-party employees (particularly those working for competitors or other adversaries) and unemployed people – a much larger group of course. In the government/military context, ‘foreigners’ (citizens of other nations and cultures, regardless of where they live) are generally considered outsiders too: we’ll have more to say about outsider threats in September’s awareness materials.
Both August and September's modules cover the overlap between insiders and outsiders - the no-mans-land inhabited by contractors, temps, interns etc. plus assorted consultants, professional advisers and maintenance engineers who have 'gone native'. They pose threats too, with divided loyalties facing a hail of bullets from all sides.
Ignore them at your peril. Recall that Ed Snowden was a defense contractor working in a privileged position within the NSA. Insider or outside is a moot point: the damage was immense. The risk is obvious ... once you think about it.
August’s awareness module is designed to:
- Introduce insider threats, providing general context and background information (e.g. who are those threatening insiders, and in what sense do they threaten?);
- Expand on the information risks (threats, vulnerabilities and impacts) arising from and involving insiders, particularly for the management and professional audiences;
- Describe and promote the corresponding information security controls, which are numerous and varied (policies, procedures, practices, technologies …);
- Leave everyone with the lasting impression that insider threats are real, antisocial and unacceptable.
So what about your awareness and learning objectives in relation to insider threats, or information risks involving workers. Are there any business angles or concerns you’d like to emphasize in your awareness program? Any insider issues your organization has resolved, or for that matter is still struggling to address?
Oh, hang on a moment, does “insider threats” feature as a topic in your awareness and training schedule? Do you even have a schedule, a rolling sequence of hot topics delivered continuously throughout the year? Oh. OK then.