Link to our YouTube channel video: https://youtu.be/yF0_BdNjsDQ
Watch another segment from our “sit down” with Brian Hay. This one is about insider threats to privacy and security.
Sadly, insider threats too often become actual incidents!
In this segment, Brian and @JohnDimitropoulos argue the need to build a culture and implement technology that helps mitigate these incidents. They spoke about the recent case of a government employee who allegedly used their credentials to access private information of a citizen. The information was supplied illegally to a group of alleged kidnappers who proceeded with the crime.
Brian stresses the importance of building an organizational culture around security to mitigate the risk of your own employees doing the wrong thing. Brian also discusses the role of technology in preventing and detecting insider threats, such as behavioural analysis, micro segmentation, privileged access management and identity management. It is important to focus on the psychological profile of corrupt or malicious insiders and the factors that motivate them.
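As an added illustration of the technology side of that summary (example code written for this post, not from the interview, from Brian Hay, or from any Service NSW system), the Python below combines two of the controls he names: a least-privilege check (does the user hold a case that justifies the record lookup?) and a simple behavioural baseline (is the user's daily lookup volume far above their own history?). All users, case references, record ids and log lines are constructed for the example.

```python
"""
Added example: a minimal insider-threat detector over a record-lookup audit
log. It is not code from the interview or from any real agency system; the
log format, the ASSIGNMENTS table and every identifier below are constructed.
"""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample audit log: one line per record lookup, pipe-separated.
# fields: date | user | record_id | case reference the user cited (may be empty)
SAMPLE_LOG = """\
2023-01-09|alice|R-1001|CASE-7
2023-01-09|alice|R-1002|CASE-7
2023-01-10|alice|R-1003|CASE-8
2023-01-10|bob|R-2001|CASE-9
2023-01-11|bob|R-2002|CASE-9
2023-01-11|bob|R-2003|
2023-01-12|bob|R-2004|CASE-9
2023-01-12|bob|R-2005|CASE-9
2023-01-12|bob|R-2006|CASE-9
2023-01-12|bob|R-2007|CASE-9
2023-01-12|bob|R-2008|CASE-9
2023-01-12|bob|R-2009|CASE-9
2023-01-12|bob|R-2010|CASE-9
2023-01-12|bob|R-2011|CASE-9
2023-01-12|bob|R-2012|CASE-9
2023-01-12|bob|R-2013|CASE-9
2023-01-12|bob|R-2014|CASE-9
2023-01-12|bob|R-2015|CASE-9
2023-01-13|carol|R-3001|CASE-7
"""

# Constructed case assignments: the cases each user is entitled to work on.
# This is the "micro segmentation" side: access is justified per case, not
# granted to everyone for everything.
ASSIGNMENTS = {
    "alice": {"CASE-7", "CASE-8"},
    "bob": {"CASE-9"},
    "carol": {"CASE-10"},
}


def parse_log(text):
    """Parse the pipe-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, record_id, case_ref = line.split("|")
        events.append({"date": date, "user": user,
                       "record_id": record_id, "case_ref": case_ref or None})
    return events


def authorization_findings(events, assignments):
    """Least-privilege check: each lookup must cite a case assigned to the user.

    Returns (user, record_id, reason) tuples in log order.
    """
    findings = []
    for e in events:
        allowed = assignments.get(e["user"], set())
        if e["case_ref"] is None:
            findings.append((e["user"], e["record_id"], "no case reference"))
        elif e["case_ref"] not in allowed:
            findings.append((e["user"], e["record_id"],
                             f"case {e['case_ref']} not assigned to user"))
    return findings


def volume_findings(events, factor=3.0, min_baseline_days=2):
    """Behavioural check: flag a day on which a user's lookup count exceeds
    `factor` times the median of that same user's earlier daily counts.

    A user is only compared against their own history, and only once at least
    `min_baseline_days` prior days exist, so a new starter is not flagged on
    day one. Returns (user, date, count, baseline) tuples.
    """
    per_user_day = defaultdict(Counter)
    for e in events:
        per_user_day[e["user"]][e["date"]] += 1
    findings = []
    for user, counts in per_user_day.items():
        days = sorted(counts)
        for i, day in enumerate(days):
            prior = [counts[d] for d in days[:i]]
            if len(prior) < min_baseline_days:
                continue
            baseline = median(prior)
            if counts[day] > factor * baseline:
                findings.append((user, day, counts[day], baseline))
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for f in authorization_findings(evts, ASSIGNMENTS):
        print("AUTHZ ", f)
    for f in volume_findings(evts):
        print("VOLUME", f)
```

Run as a script it reports two authorisation findings (bob's lookup with no case reference, carol's lookup citing a case not assigned to her) and one volume finding (bob's twelve lookups on 2023-01-12 against a baseline of 1.5 per day). Neither check alone is conclusive: a real deployment would route both into review rather than treating a single flag as proof of wrongdoing.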
Let’s remember what @Ms. Nerida O’Loughlin rightly said last year: “when customers entrust their personal information to their [telecommunications] provider, they rightly expect that information will be properly safeguarded. Failure to do this has significant consequences for all involved.” This was profound wisdom, which of course applies to all enterprises, state governments and the federal government.
John Dimitropoulos: I’m going to move on to something else now. I’m going to play a little video here about something that happened recently, so just be with us for a few seconds while that video runs.
Audio from News Report:
The Service NSW employee from _____ is accused of supplying an address to the gang who kidnapped _____ from his home last month. The 26-year-old was held hostage for six days at _____, his captors removing his teeth as they demanded drugs and money from a wealthy associate. Detectives alleged _____ used her work computer to search an address for crypto trader _____, leading the kidnappers to this property on ______. ______ no longer works for Service NSW and will remain in custody tonight before facing a Sydney court tomorrow.
John Dimitropoulos: Okay, so, you know, we just watched a video here about what happened here in New South Wales with Service New South Wales. This is a different topic, very, very related to security. So this is around insider threats. So this is about people. It involves malicious and intentional attacks, but also errors. Someone by accident might leave credentials exposed, and that could create a vulnerability. But in this particular case that we saw in the video, this was intentional, whereby the insider threat is real. In your opinion, how should an organisation or a government mitigate the risks of the human element in insider threats?
Brian Hay: My first response to that is building an organizational culture around cyber security and cyber safety, so that people, if they see a colleague doing the wrong thing, will correct them for it. It’s about delivering what those expectations are. Culture is paramount. Look, I went through, as a junior officer, the Fitzgerald Inquiry, where we had corruption in Queensland Police and, you know, the poor culture prior to Fitzgerald was a reflection of the troubles we had. People didn’t care, or had grown a subculture of doing the wrong thing with impunity, and thought they could get away with everything. Culture reflects behaviour; behaviour reflects culture. I think building an organizational culture where people will not allow their colleagues to slip is critical in this space. And it could be something as simple as sharing passwords, or putting a password on a sticky note on the monitor. It could be leaving your computer on when you get up and walk away. The other side of the equation is to support that. There are some pretty good technologies around now that look at behavioural analysis of the users. Another area they could look at from a technology perspective is micro segmentation, so only giving people access to the information they need to perform their job. Too easy, it’s about “let’s hook up everyone so that you get full-blown access”, and that begs the question why. So privileged access management and identity management are key to those issues as well. But foremost for me is organizational culture. I did a lot of investigation. I was an investigator during the Fitzgerald Inquiry. I was an investigator during the Carter corruption investigations into drugs and corruption. I think I said corruption three times there, I apologize.
And what we found, if you look at the psychology of the officers that were corrupt, it came back, generally speaking, to this: they would tend to be highly independent and very intelligent, sometimes with a lot of charisma. They had a feeling the job owed them something. Morale wasn’t particularly high. They wanted to be completely self-autonomous, and often had a gambling or lifestyle addiction that couldn’t be sustained on their annual wage. And so that again comes back to culture. And if I said to you, we go into organizations, we do cultural diagnostics, and we look at behaviours, perceptions, attitudes and this sort of stuff. And in some organizations, here’s a question for everyone to ask themselves: if you saw a colleague not committing a major breach of policy, but not abiding by policy strictly speaking, would you correct them on it? Now the truth is, a lot of people would say, “No, that’s not my job,” and, you know, that’s okay, but what you’ve just done is basically give tacit consent to increasing the bar of tolerance to breach policy. And so, one thing about human nature is, the more you increase that bar of tolerance… just think about your own kids: if you let them get away with something, they’ll push it, and that’s human nature. So again, it comes back to culture.