This article was first published in the May 2016 issue of WIRED magazine.
Here are two statistics I mention to every C-suite executive or board director I meet: first, 93 per cent of the IT executives you hire to safeguard your organisation believe that "insider risk" is an increasingly serious issue. Second, only 3.6 per cent of IT budgets are focused on addressing it.
The malicious insider can appear in multiple forms and evolve over time, just as external threats do. For example, people who otherwise have good intentions sometimes face changes in their lives, such as financial stress. Malicious insiders can also be people who intend to do harm, whether for personal gain or because of a grievance with the company.
Part of the reason executives don't want to talk about malicious internal threat is because they tend to think it won't happen in their organisation. They're also concerned with the message that knowledge of a malicious insider might send about their company, its screening practices, its basic security or its culture. But perhaps the principal reason malicious insider risk isn't widely discussed is that the problem is particularly difficult to address. How can a company defend itself against threat actors with legitimate access to its premises, its networks and data and, in some cases, its crown-jewel assets?
In 2016, the same kind of focused attention and resources that are already being applied to external threats will begin to be applied to insider risks. The rise of big-data analytics holds promise in this regard, as highly effective new tools are coming to market. Many leading companies are starting to proactively address insider risk by investing in risk-management technologies to identify, and in some cases prevent, these threats.
Just as businesses analyse big data to gain insight into customers' buying behaviour, combining an understanding of human behaviour with analysis of data from electronic communications has allowed companies to get in front of internal threats and take protective action.
All companies will need to approach insider risk and, further, speak openly about it. As we've seen with external threats, sharing information and experience will enhance everyone's ability to meet this challenge.
Edward Stroz is chairman of Stroz Friedberg, a consulting firm with a focus on risk management.
This article was originally published by WIRED UK