In smaller organizations—maybe fewer than 100 people or so—it’s quite common to hear “we know our people, we can trust them.” I like to ask the folks who are invested in trust as a security strategy a question: “Are all of your personnel files stored in a cardboard box in an unlocked room with a note on it that says ‘please only look at your own file’?” If not, then why not? If you can trust your people, why would you bother to secure anything?
In larger organizations, there tend to be more specialized roles, so the folks charged with security are more apt to accept that the insider threat is real. Their challenge is convincing the executive suite to spend time and money on a problem that doesn’t always show up as a problem because nobody is specifically looking for it. It’s a chicken-and-egg thing—if you aren’t looking for insider threats, of course you don’t see them.