Employees inside public and private organizations may be the biggest cybersecurity threat those organizations face when it comes to defending against cyberthreats, cybersecurity experts from both the public and private sector agreed.
At The Cambridge Cyber Summit in Cambridge, Massachusetts, on Wednesday, the issue of so-called insider threat was in the spotlight following a New York Times report that the FBI had in recent weeks arrested a National Security Agency contractor the agency suspects of stealing and sharing highly classified information.
On an interview on CNBC’s “Power Lunch,” Assistant Attorney General for National Security John Carlin confirmed that the FBI had arrested and charged the individual with theft of government secrets, including classified information, on August 29.
“The threat of insiders is real and what can happen is you have amazing defenses to protect your intellectual property and other secrets from those who are trying to obtain them from outside your company’s walls, but you forget sometimes to have a program where you are watching those who you trust,” said Carlin.
It is one of the most serious threats a company can face, he said. “We take that type of conduct very seriously,” he said.
Other cybersecurity experts on stage at the event agreed.
Though protecting devices and servers will always be important, organizations should not overlook the importance of protecting against people, said Tom Fanning, president and CEO of energy firm The Southern Company.
“What do you do about people?” he said. “That is a real challenge here.”
Part of the answer lies in education, as well as tightly controlling what level of access each employee is granted, particularly when it comes to a company’s “crown jewels,” said Fanning.
And always assume the worst. When it comes to cybersecurity, paranoia pays. Employees may deliberately steal from an organization or they may be the victims of smart hackers who are able to trick them into clicking on something they should not, deploying malware into an internal system.
“You assume you have employees that are going to be exploited and you have to build your defenses with that in mind,” said Tom Leighton, founder and CEO of cybersecurity firm Akamai.