How Insider Threat Is Born
The LA Times has a great article on the recent UCLA medical records breach. In the article, the woman accused of illegally accessing over 61 medical records, Lawanda Jackson, gives a reason for her snooping. What was the reasoning behind Lawanda Jackson’s actions? Was it a diabolical plot to destroy the place where Jackson has worked for over 30 years? Nope. Was Jackson just looking to score some quick cash selling dirt on celebrities? While claims have been made, there is no proof of this (plus, almost half of the records Jackson accessed did not belong to celebrities).
What possible reason could Jackson have had then if it wasn’t malicious intent?!? Simple: Jackson was prompted by nothing more than curiosity. According to statements made to the LA Times, Jackson would see a news story and wonder if the people involved came to the UCLA medical center. To quote Jackson from the story, “There was no intent to do anything bad.” Welcome to how insider threat is born.
Insiders are not always angry or disgruntled employees seeking to get even with their employer. Nor are insiders money-grabbing opportunists looking to make a quick buck at the expense of their employer. Instead, most insiders are individuals that generally enjoy what they do and where they do it. Above all, insiders are human.
Why does the fact that employees are human matter when it comes to insiders and the threat they pose to information security? It is important to always understand that your employees (i.e., insiders) are people and as such have all the failings of people. Some are lazy, some are manipulative, some are mean while others are nice. Above all, many are curious.
This curiosity can easily lead to security incidents if the organization does not take the necessary steps to restrict access. It is no longer enough for information security professionals to protect our organizations’ infrastructure from external attackers; we need to start thinking about how to protect our organizations’ data from unauthorized access or disclosure by our own employees.