It's not original to her, but several years ago Web eminence Esther Dyson said, "People behave differently when they know they're being observed." It creeped me out enough that I can still recall thinking, "She's absolutely right" -- and her comment reverberated anew last week as we shot our next video tutorial on mitigating the insider threat.
Video tutor Richard Stiennon offered up some smart technical and managerial fixes to detect and prevent theft and malfeasance from otherwise trusted insiders. Then he got around to the part about employee awareness training -- and I nearly tuned out, thinking he was going to remind IT security staff about the need for regular quarterly sessions that hammer home good technical hygiene and smart browsing etiquette.
Stiennon started down that path, then made a sharp right turn.
"You are not educating insiders to change their behavior from bad to good," he said. "You are warning them not to change their behavior from good to bad."
Stiennon said security pros can accomplish this in two ways. First, republish the enterprise's acceptable use and confidentiality policies and require everyone to acknowledge receipt. Second (and here's what triggered the Dyson recall), as part of network and traffic activity monitoring, issue an alert to the insider every time they attempt to violate the policy -- maybe that's going to a gambling Website, using Skype, or visiting Facebook.
"Let them know you are watching them," Stiennon said, a bit sternly. "Just as cameras can prevent shoplifting, visible activity monitoring can prevent data theft."
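To make the second fix concrete, here is an added example (not code from the original post or from Stiennon) of the visible-monitoring loop he describes: a script scans constructed web-proxy log lines, matches each destination against an acceptable-use policy, and produces the notice that goes back to the insider so they know the attempt was observed. The log format, the policy categories and the domains in it are all assumptions.

```python
"""Added example: a minimal acceptable-use monitor that turns observed
policy violations into user-facing notices. Log format, policy table and
domains are assumptions chosen for illustration, not a real deployment."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Acceptable-use policy: destination domain -> policy category (assumed list,
# mirroring the gambling / Skype / Facebook examples in the post).
POLICY = {
    "facebook.com": "social networking",
    "pokerstars.com": "gambling",
    "skype.com": "unapproved messaging",
}

# Constructed proxy log lines: timestamp, user, destination URL, proxy action.
SAMPLE_LOG = """\
2009-03-02T09:14:05 alice https://mail.example.com/inbox ALLOW
2009-03-02T09:15:41 bob http://www.facebook.com/home.php ALLOW
2009-03-02T09:16:02 bob https://login.skype.com/ BLOCK
2009-03-02T09:20:17 carol https://www.pokerstars.com/poker/ ALLOW
2009-03-02T09:21:00 alice https://intranet.example.com/wiki ALLOW
2009-03-02T09:25:33 bob http://www.facebook.com/photos ALLOW
"""


@dataclass(frozen=True)
class Violation:
    timestamp: str
    user: str
    host: str
    category: str


def policy_category(host: str) -> Optional[str]:
    """Return the policy category for a host, matching the host itself or any
    parent domain (www.facebook.com -> facebook.com); None if not in policy."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in POLICY:
            return POLICY[candidate]
    return None


def find_violations(log_text: str) -> list:
    """Parse proxy log lines and return every attempt to reach a policy
    destination, whether or not the proxy blocked it: the point of visible
    monitoring is that the attempt itself was observed."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, user, url, _action = line.split()
        host = urlsplit(url).hostname or ""
        category = policy_category(host)
        if category:
            violations.append(Violation(timestamp, user, host, category))
    return violations


def user_notice(v: Violation) -> str:
    """The alert sent to the insider: a warning not to drift from good to bad,
    stating plainly that the attempt was seen and recorded."""
    return (f"[{v.timestamp}] Notice for {v.user}: your request to {v.host} "
            f"({v.category}) violates the acceptable-use policy and has been logged.")


def repeat_offenders(violations, threshold: int = 2) -> dict:
    """Users with at least `threshold` observed attempts, for managerial follow-up."""
    counts = Counter(v.user for v in violations)
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = find_violations(SAMPLE_LOG)
    for v in found:
        print(user_notice(v))
    print("repeat offenders:", repeat_offenders(found))
```

The notice is generated for allowed requests as well as blocked ones, because the deterrent Stiennon describes comes from the user learning that the attempt was noticed, not from the block itself; the repeat-offender count is what gives the managerial follow-up in the post something to act on.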
I like this, because it turns repetitive exercises into constructive deterrence. But it doesn't work unless security professionals have managerial blessing to put users on notice; in other words, real teeth to give those scolding words of caution some bite. While I can imagine plenty of "false positives," I can also imagine there wouldn't be many repeat offenders. And this is exactly the sort of thing you can expect users to talk about over lunch (or email or IM). Viral deterrence, if you will.
Draconian? Fascist? Maybe... but enterprises and IT security were never intended to be democracies, or even benign dictatorships. Mess around with company equipment or company data, and pay a price.
Dyson and Stiennon may be too polite to say it, but it's time the gloves came off where end-user malfeasance is concerned. If this is a game, it's become an expensive one, and way too risky for most companies to play. Put end-users on notice and follow up as harshly as the situation merits.
— Terry Sweeney, Editor in Chief, Internet Evolution
This blog is part of Internet Evolution's Security Clan, which examines the future of Internet security and the changing nature of risks and vulnerabilities.