Tuesday, March 6, 2007

It's the Crime, Not the Tool

Tim Wilson at Dark Reading on IT Security: The New Big Brother:

"To identify potential insider threats, IT must monitor end users' behavior by scanning email, tracking network activity, and even watching employees for "trigger" events that might cause disgruntlement. Right now, I'm working on a story about ways corporations might monitor their employees outside the workplace to determine whether their out-of-office conduct might cause data leaks."
This is how the TSA dealt with the "insider threat" (i.e., passengers) on airplanes. Like the TSA, Mr. Wilson's focus appears to be on the tools that commit the crime (box cutters, e-mail, 3 oz. containers of fluid, USB drives) rather than the crime itself. Schneier has harped on this non-stop since 9/11. The proposed regime of surveillance will result in myriad false positives and employees as happy as your average passenger who has to remove his shoes and toss his shampoo and nail clippers into the trash at the security checkpoint.

In addition, what qualifies your IT Security department to be skilled in identifying what is legitimate and what is suspicious? How many eyes does the CEO want looking at legitimate confidential traffic? This filtering and monitoring scheme seems to be increasing risk of exposure rather than decreasing it.

Part of the solution does not involve any IT at all. Supervisors supervise. Their job is to monitor the employee activities. Managers should insure this happens.

Another part is development of an ethical culture within the corporation, where people have a channel to report if someone is acting "hinky." Internal and external auditors and ethics officers play an important role in an ethical environment. All the monitoring software in the world couldn't have prevented Enron, but an internal auditor put a stop to it.

No comments: