Government: Fighting Security Threats from Within

By Todd Wasserman

The term "internal security threat" in government conjures visions of malevolent employees sabotaging workstations for political purposes or out of spite, but in reality it's poorly trained employees who are more of a threat.

"I'd say 80% of the time the risk is from non-malicious employees," says Tom Jarrett, CIO for the state of Delaware. Jarrett offered this example: "I don't train you, and then you inadvertently do something that opens up files that shouldn't be made public."

While no one has yet offered a definitive monetary figure for all the harm caused by internal security threats in government, many say it has increased of late.

According to the Journal of Computer Mediated Communication, there were fewer than 50 reported incidents of compromised records for state IT systems in 2004, but that number spiked roughly five-fold within the next two years. It's not only municipal IT systems that are at risk; state and local government IT operations reflect trends that are also prevalent in the private sector.

Khalid Kark, a senior analyst with Forrester Research, says that many private firms are factoring the potential costs of such threats into their IT budgets.

"This is a significant," Kark says. "I was talking to one investment banker who said his bank is having 100 incidents like this a quarter."

The rise of internal security threats
Analysts who track internal security threats in the private and public sectors attribute their rise in recent years to several common factors, including:

  • The increased use of contractors, who have no loyalty or vested interest in the government agency or firm for which they are hired.
  • Larger and larger networks, which offer more potential weak points to exploit.
  • Pervasive computing. BlackBerrys, iPods, and even cell phones are now capable of making off with relatively large amounts of data.

Nevertheless, it's usually the external threats like viruses and worms that get the press attention.

"It's one of those threats that tends to be overlooked," says Mary Gay Whitmer, a spokeswoman for the National Association of State Chief Information Officers (NASCIO) in Lexington, Ky. In April, NASCIO even issued a press release urging such IT professionals to "Take action now!"

Government CIOs can take action
What type of action can government CIOs take? NASCIO offers several suggestions, including:

  • Trust, but verify: A more accurate way to put this might be "trust, but don't trust." The organization suggests that CIOs diligently monitor employees by auditing email and Internet use, both of which can potentially uncover warning signs of questionable behavior. In keeping with this, it suggests making a regular practice of running background checks on all current and future employees. This also applies to contractors.
  • Make an example of those caught: NASCIO suggests acting swiftly to expel and even prosecute employees who have sabotaged the system from within.
  • Include training in ethics along with general IT training: The organization says such training "could serve as a reminder of the importance of integrity and the level of responsibility that accompanies IT access privileges."
  • Consider creating a Chief Information Security Officer (CISO) position: A full-time CISO is charged with monitoring all threats -- internal and external -- and can be an important buffer to protect IT departments from sabotage.
  • Close off universal serial bus (USB) ports: The most direct way to thwart potential data thefts via iPods and other portable devices is to use configuration management to close such routes of entry. NASCIO also suggests issuing employees mobile devices that can be monitored and periodically audited.
  • Encrypt data: This is another way to head off potential mobile device data thefts. Once encrypted, sensitive information is, in theory, extremely difficult to access.

In addition, Kark says IT departments should make sure they have processes in place to avoid data breaches. For example, "We tend to say you shouldn't give your password out to anybody," he says, "but then someone calls from your IT desk and asks for your password, what do you do?"

Still, when the main source of internal data breaches is untrained employees, many argue that training is the best weapon. As the state of Delaware's Jarrett notes, technical fixes only go so far.

"We spent a lot of time doing an effective job of closing our perimeter, but you can't stop everything," he says. "Anybody who thinks they've found a tool that 100% protects them is living in a dream world."

Todd Wasserman has more than 15 years' experience writing for The New York Times, The Industry Standard and Business 2.0, among other publications. He is currently editor of Brandweek magazine.

IT Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
