Monday, September 14, 2009


There’s a whole bunch in the IDC/RSA white paper on insider risk management that puzzles me on one level or another.
“Whether the threats are accidental or deliberate, the costs are still the same.”
I didn’t see much data in the report regarding costs. I'm not sure if they are talking about dollars. Regardless, the controls to prevent either accidental or deliberate data loss probably overlap in most scenarios, so that cost may be similar. It’s the cost of response and recovery that could be wildly different. I would rather pay to have a document restored from backup than pay the costs of data falling into the hands of someone who would steal it. Intent is material in incident response cost. (I'm not married to this idea yet, but I've taken it out to dinner a couple of times.)
“Malware and spyware attacks are another example of the risk of good employees doing bad things.”
I don’t think good employees are doing the bad things in malware and spyware attacks. I think it's bad people doing bad things. I’d categorize the real threat as the operator of the malware or spyware. The employee's behavior is a control, but given the sophistication of much of the malware around, it is not surprising that this control occasionally fails. (Is visiting a “bad thing”?) If the security of data is breached due to malware on a desktop, it has gone to bad people. I think this sort of incident belongs in a different category from an error, omission or mistake. There is an intelligent actor intending harm behind the action. Not so with a lost laptop.
Under “Key Findings”
“14.4 incidents of unintentional data loss through employee negligence in the past 12 months”
So, what does “unintentional data loss” mean? Dropping the wrong table? Hitting “Save” rather than “Save As”? Losing a laptop? That number is not as exciting to me as the 11 incidents of internal fraud a year cited a couple of rows down. Response to “unintentional data loss” could be as simple as pulling a backup, but fraud incidents are going to burn more organizational cycles and have a demonstrated loss.

