Rank-and-file federal employees and contractors unwilling to “embrace ‘The Suck’ of security” may be the biggest threat posed to securing federal agency networks.
“Accidental or careless” insiders -- employees who click on dubious email attachments, plug in unsecured storage devices or leave laptops unsecured, among other lapses in basic cyber hygiene -- unwittingly open the door to hackers and other malicious actors.
In a new survey conducted by SolarWinds and Market Connections, 53 percent of IT decision-makers cited these unwitting insider threats as the biggest source of security threats they face. That’s up from the 42 percent who said so in a similar survey last year and higher than any other category of threat.
A focus on insiders intentionally breaching security protocols -- or worse -- has grown in recent years fueled by the WikiLeaks and Edward Snowden disclosures.
But the role played by the accidental insider threat remains less understood, even as the potential for destruction, in the eyes of IT managers, continues to grow.
About 64 percent of survey respondents said they view insider threats as just as damaging, if not more so, than malicious outsiders. Just considering insider threats, 57 percent of respondents said they considered accidental breaches caused by insiders to be at least as damaging as those caused by malicious insiders.
So what exactly are these inadvertent insider threats doing that puts their workplaces at risk?
About half of survey respondents cited phishing attacks as the top cause of accidental insider breaches. Another 44 percent cited data copied to insecure devices, while 37 percent pointed to employees using personal devices against in contravention of their agency’s IT policies and poor password management.
“Interestingly, we have positioned ourselves relatively strongly against external threats, but it is the accidental or malicious insider threat which has caused us more problems,” a respondent identified as a director of operations at the Defense Contract Management Agency is quoted as saying in the report accompanying the survey results.
Another respondent offered a more succinct summation of the problem.
“The people just need to get used to ‘The Suck’ of security,” a defense coordinating officer for the Army said. “It will take time to work in an environment which is designed to protect the organization and the individual.”
Federal employee are likely used to being bombarded with emails from their IT shops exhorting them not to open suspicious links.
Still, insider threats remain difficult to detect.
Forty percent of respondents cited the sheer volume of network activity, another 35 percent pointed to a lack of IT training and 35 percent cited the growing use of cloud services as reasons for the difficulty in pinpointing suspicious insider activity -- intentional or not.
The deployment of mobile devices in the workplace has also made securing against accidental insiders more difficult. Fifty-six percent of respondents cited the increased use of mobile technology as the biggest barrier to preventing well-intentioned but hapless insider threats.
IT managers also say their agencies aren’t necessarily ready to shell out more money to combat accidental insiders.
Spending on traditional cybersecurity measures, such as intrusion-detection and prevention systems, remains big bucks. Some 70 percent of respondents said their agencies had actually increased spending on fighting hackers and other outside cyber miscreants.
But less than half of respondents said their agencies had done the same for combating the insider threat.
The survey results probably aren’t all that earth-shattering for federal IT managers.
At a cybersecurity conference in Washington, D.C., last month, Jeff Wagner, security operations manager at the Office of Personnel Management, recounted once virtually monitoring a user who was “desperately trying” to open an email attachment flagged by the agency’s intrusion-prevention system as a phishing attempt.
The user eventually disconnected from the virtual-private network linking her computer to the agency’s cyber-defense measures, opened the link and promptly got infected.
"I will have a job until the end of time simply because I have users,” Wagner said.