CDSA

How to Combat the ‘Accidental Insider’ in Your Organization

Contending with outside security threats to your organization is challenging, but dealing with the “accidental insider” — an attacker not necessarily motivated to attack the company intentionally, but somebody who unwittingly does so via some silly action or inaction — poses its own set of unique challenges, according to Ted Harrington, executive partner at Independent Security Evaluators (ISE).

“We are all attackers,” he said July 25 during a session called “The Accidental Insider” at the Content Protection Summit East event, part of the Media & Entertainment (M&E) Day at the Microsoft Conference Center.

He conceded that’s a “provocative idea.” After all, everybody there worked in the industry and were “literally at a content security conference,” he noted. But “we all are potentially the accidental insider” who ends up attacking his or her own organization unintentionally by “doing something stupid,” he said, adding: “This happens all the time.”

That unwise move by an employee could be something as simple and seemingly harmless as clicking a bad online link or inserting a USB thumb drive into a computer.

Harrington pointed to an email he recently received that appeared to be from somebody from an organization he trusted and supposedly contained something harmless enough: a purchase order. Although it didn’t seem unusual, as a paranoid security expert, he had the email checked out by his company’s team just to be sure before clicking on it. “Lo and behold, this email was an incredibly well-designed spear fishing campaign and there was nothing but malware on the other side,” he said, adding: “I was one click away from being the accidental insider.”

Company leaders are very concerned about such attacks, which are “very difficult to defend against,” he said. But he noted: “There’s a misunderstanding about exactly what it is.” First, it’s important to understand what conditions make somebody an insider threat, and there’s usually two of them: elevated levels of trust and elevated access, he said.

Technical defenses include encryption and multi-factor authentication (MFA), which can minimize damage if the accidental insider does something stupid, Harrington pointed out. Psychological defenses, meanwhile, include things like security training and enculturation, which helps otherwise smart people make safe choices.

But these defenses will not work against all attacker types. For example, no amount of training may be effective against a “determined malicious insider,” Harrington said. He defined these types as people who actually join a company just to harm it. He pointed as an example to a Chinese national who got a job working for a government contractor to serve NASA and for more than 20 years was “siphoning top-secret and sensitive information back to the Chinese government about everything from our Space Shuttle program to the B-2 bomber,” he said.

The 2019 M&E Day, which also included Smart Content Summit East conference tracks, was produced by the Media & Entertainment Services Alliance (MESA), in association with the Content Delivery & Security Association (CDSA), the Hollywood IT Society (HITS) and the Smart Content Council, and was presented by Microsoft, with sponsorship by Akamai, BTI Studios, ISE, LiveTiles, MarkLogic, RSG Media, ThinkAnalytics, Amazon Web Services, the Entertainment ID Registry (EIDR), the Trusted Partner Network (TPN) and Richey May Technology Solutions.

Click here to download audio of the ISE presentation. Click here to download the slide deck.