Tag: trusted insider

Digital Rights Management Helps the FDIC Proactively Address Cyber Security

The Federal Deposit Insurance Corporation (FDIC) will implement Digital Rights Management (DRM) software to prevent unauthorized redistribution of digital information.  This is in reaction to security incidents where departing employees accidentally took sensitive files on portable media.  According to numerous studies, trusted insiders pose a greater risk to sensitive information than hackers and cybercriminals.

I applaud the FDIC for taking this key initiative to proactively protect and control its most sensitive information.  DRM will help prevent unauthorized access and distribution of sensitive files regardless of location or device.  It can limit a user’s ability to view, edit and print and can even limit the validity time for accessing sensitive information.  This applies to both internal and external users.

As a bit of background, Lawrence Gross, Chief Information Officer and Chief Privacy Officer of the FDIC, recently spoke to a congressional subcommittee on its program to identify, analyze, report, and remediate security incidents.  The criteria used to determine the severity of an incident are based on the risk of harm it poses to individuals or entities supervised by the FDIC.  The agency uses guidelines from the Office of Management and Budget (OMB), which recently changed its definition of what is a major incident.

As a result, the FDIC upgraded the incidents where departing employees inadvertently downloaded personally identifiable information (PII) to thumb drives and other portable media.  The CIO’s initial judgment was that these were inadvertent and posed minimal risk.  The new guidelines changed that, hence the reevaluation.

As part of its remediation efforts, the FDIC is conducting an end-to-end assessment of the FDIC IT Security and Privacy Programs in addition to implementing the Digital Rights Management software.  The agency will also eliminate the ability of employees or contractors to download to portable media, but there are cases when certain employees still need to do that as part of their job.  The CIO said the FDIC is working to identify and implement alternative means to securely exchange data with outside organizations, like state banking departments, by the end of 2016.

The CIO is planning to implement technology that also can help securely share information with external organizations.  DRM can protect information shared with third parties and provide the same level of protection the agency needs for its internal employees.  Rather than using two systems, the FDIC should leverage the same system for both purposes.

Implementing DRM also provides a proactive approach to data security, rather than reactive technologies that identify issues after they have happened.  By protecting the data as it’s created, it helps mitigate the risks of data exfiltration, which is becoming more common as both hackers and insider threats pose a risk to valuable information from government and the private sector.

 

Photo credit Josh Bancroft

Time to shift the security focus from the perimeter to insider threats

It seems that information security professionals are beginning to focus more on insider threats, according to a new report by Ari Kaplan Advisors sponsored by Nuix.  The survey shows that budgets have shifted toward internal security, rather than at the perimeter.  Unfortunately, more professionals know how much they spend on perimeter security than on remediating incidents, which may not be a good trend, but attitudes are shifting.

Almost three-quarters (71%) of respondents reported they have an insider threat program or policy, and 14% said they allocate 40% or more of their budget to insider threats.  This is a positive trend as more organizations realize that the insider threat can be more damaging than external hackers, since trusted insiders have access to sensitive information as part of their daily jobs.

These are some highlights from the survey:

  • 71% of respondents reported having an insider threat program or policy
  • Although almost all respondents (93%) reported being able to identify their critical value data, only 69% said they knew what people did with the critical value data after they accessed it
  • 82% of respondents said their organizations had a bring-your-own-device (BYOD) policy, compared to 69% of respondents who had one in 2014
  • 93% of respondents claimed human behavior was the biggest threat to their organizations’ security, up from 88% in 2014

People were reported to be “almost universally” the biggest weakness in information security, ahead of technology and processes.  Someone may be prompted to steal valuable data because they were passed over for a promotion or wanted to “get back” at some perceived slight.  Of the respondents who reported having an insider threat program or policy, 70% offer employee training to minimize risk.  This is valuable, but a highly credentialed user with a grudge will still do something that may harm the company.

Because of high-profile data breaches involving trusted insiders, more business and security leaders are focusing on insider threats and how best to mitigate the risk.  The nature of business today makes it easy to steal critical data.  If I have access to intellectual property or customer records, it’s easy to copy those files to a thumb drive and walk out the door.  In many cases this is a legitimate action, since I may need to work on the files at home or share them with a colleague or business partner.

The best way to address insider threats is by protecting critical data as a user creates it.  When a user creates a document, a security policy should automatically encrypt it and assign dynamic permission controls that control what the user can do with the information inside the document when it is opened.  This permission control should travel with the document, so if a trusted insider shares it with an unauthorized user, the document becomes useless.  The unauthorized user cannot read the content of the document.
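The model described above, sketched as an added example that is not from the original post or from any DRM product: a document is encrypted when it is created, its policy is bound to the ciphertext, and a policy server releases the key only when the user, the action and the time all pass.  Every name here (KEYS, protect, open_doc, the policy fields) is hypothetical, and the HMAC-based cipher is a standard-library stand-in for an AEAD cipher such as AES-GCM.

```python
import hashlib, hmac, json, os, time

KEYS = {}  # hypothetical policy server key store: doc_id -> content key

def _keystream_xor(key, nonce, data):
    # Stdlib stand-in for AES-GCM: HMAC-SHA256 used as a PRF in counter mode.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, b"enc" + nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def _tag(key, policy, nonce, ct):
    # The MAC covers the policy too, so permissions cannot be edited in transit.
    msg = json.dumps(policy, sort_keys=True).encode() + nonce + ct
    return hmac.new(key, b"mac" + msg, hashlib.sha256).hexdigest()

def protect(doc_id, plaintext, policy):
    """Encrypt at creation time and bind the policy to the ciphertext."""
    key, nonce = os.urandom(32), os.urandom(16)
    KEYS[doc_id] = key  # the key stays with the server, never in the file
    ct = _keystream_xor(key, nonce, plaintext)
    return {"id": doc_id, "policy": policy, "nonce": nonce.hex(),
            "ct": ct.hex(), "tag": _tag(key, policy, nonce, ct)}

def open_doc(envelope, user, action, now=None):
    """Server-side policy check, then decryption; raises PermissionError on denial."""
    now = time.time() if now is None else now
    key = KEYS[envelope["id"]]
    nonce, ct = bytes.fromhex(envelope["nonce"]), bytes.fromhex(envelope["ct"])
    if not hmac.compare_digest(envelope["tag"], _tag(key, envelope["policy"], nonce, ct)):
        raise PermissionError("envelope or policy was modified")
    policy = envelope["policy"]
    if action not in policy["users"].get(user, []):
        raise PermissionError(f"{user} may not {action}")
    if now > policy["expires"]:
        raise PermissionError("access window has expired")
    return _keystream_xor(key, nonce, ct)

# Constructed sample: users, rights and expiry timestamp are illustrative only.
POLICY = {"users": {"alice": ["view", "edit"], "bob": ["view"]}, "expires": 2_000_000_000}
ENVELOPE = protect("doc-1", b"account list", POLICY)
```

A copy of ENVELOPE on a thumb drive carries only ciphertext and policy; without a successful open_doc call against the server, the recipient holds no key.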

Moving the focus from the perimeter to insiders is important to eliminate data breaches and mitigate the risk they can cause.  Targeting critical value data for this type of protection ensures that a company can maintain its intellectual property and its competitive edge in the market.

 

Photo credit Mathew G
