February 4, 2019
At the end of last week, we published “Finding the Disconnect: Security Perceptions and Behaviors of Today’s Enterprise Employees.” This YouGov-conducted survey is another needed reminder of why it is critical to address the insider threat, especially the negligent variety.
The survey revealed many findings. First, the good: enterprise employees are increasingly aware of steps they can take to reduce risk. The bad: few practice recommended procedures. The ugly: many don’t feel as if security is their responsibility.
According to the survey:
- 47% of employees believe that cyber and data security are someone else’s responsibility
- 85% of employees say it’s important to update anti-virus software regularly, but only 37% confirmed doing so within a 60-day period
- 83% of employees say it’s important to shred confidential documents after use, but only 41% confirmed doing so
- 75% of employees say it’s important to use an encrypted file system, but only 16% confirmed doing so
- 71% say it’s important to change account passwords, but only 42% confirmed doing so
- 70% say it’s important to report suspicious behaviors, but only 4% confirmed doing so
- 69% say it’s important to use two-factor authentication, but only 30% confirmed doing so
- 68% say it’s important to move files to secure servers, but only 14% confirmed doing so
Critical Infrastructure and the Insider Threat
U.S. Energy Firm Fined $10 Million for Security Failures, by Eduard Kovacs, SecurityWeek. According to Eduard:
A US energy company, identified by some media reports as Duke Energy, received a $10 million fine from the North American Electric Reliability Corporation (NERC) for nearly 130 violations of the Critical Infrastructure Protection (CIP) standards.
The redacted report issued by NERC lists the identified violations, ranging from minimal to severe. All were discovered during CIP Compliance Audits and self-reports conducted and submitted between 2015 and 2018. The breadth of the report and settlement suggests that violations have been identified, mitigated and/or are in the process of being fixed. While the level of risk identified was definitely the result of many issues, it is worth pointing out that several dealt with personnel. NERC found that the energy provider needed to address issues of training and others that lead to insider negligence, something that Dtex helps critical infrastructure providers address daily.
Read the NERC report: NERC Full Notice of Penalty regarding … REDACTED … FERC Docket No. NP19-_-000
CYBERSECURITY RISKS IN INDUSTRIAL WATER FACILITIES, by Chris Grove, Water Technology. Several months ago, the Inspector General of the US Bureau of Reclamation issued a report detailing how several US dams are at risk of insider threats. It seems that the news is making its way across the sector and becoming the subject of focus. According to Grove:
At the recent ISA Water/Wastewater symposium, one common issue emerged about the security threats to water facilities. Cyberattacks are not the top concern — it’s insider threats that are keeping people up at night. Although cyberattacks are widely publicized, insider threats are far more common in industrial environments.
Both of these examples reveal the critical importance of having controls in place for detecting insider threats of the three most common types: negligent, compromised and malicious. They also reveal that the critical infrastructure sector is taking the threat more seriously. You can read more about how Dtex helps critical infrastructure providers at: DTEX: SECURITY & PROTECTION FOR ELECTRIC UTILITIES
Although not insider threat specific, there are several news items of late worth mentioning: