Return of the Guru

Data Loss Often Due to People Who Just Don’t Care

Ara Trembly
Insurance Experts' Forum, May 18, 2011

I read with great interest a recent posting on CSO concerning what they called the “three types of insider threat” to organizations, enterprises and systems. With data and confidential information at the heart of the insurance enterprise, such threats must obviously be addressed.

The piece identifies these three types of workers as the “trusted unwitting insider,” the “trusted witting insider” and the “untrusted insider.” The first case is a person who, through some lapse in judgment, allows access to sensitive information (e.g., finding a thumb drive and plugging it into the company’s systems to see what it is), but certainly wouldn’t cause a problem purposely.

The “trusted witting insider” is a common thief—someone who purposely acts to steal information and probably sell it to the highest bidder, the article notes. The “untrusted insider,” then, is someone who illegally gains access to the network via malware or other attack methods and gains privileges that can lead to havoc for the company whose systems are breached.

Certainly, all of these individuals present a danger to organizations like insurance companies that traffic in sensitive data, yet I would suggest there is another type of dangerous “insider” that is just as troublesome, and perhaps more difficult to detect. I would call this person the “trusted selfish insider.”

Like the “trusted unwitting insider,” the “trusted selfish insider” isn’t necessarily out to sell confidential information to a competitor or to the black market. On the other hand, the selfish employee really doesn’t care if information does happen to leak out due to some activity of his or hers. This individual has a strong set of priorities, and they begin and end with himself or herself.

For example, one of the most vulnerable places one can go in terms of security is any of the popular social networking sites. With half a billion people having Facebook accounts alone, this is obviously a significant problem, especially if one accesses such an account from inside a corporate network. The selfish employee may fully realize that Facebooking or Twittering from inside the corporate firewall is dangerous, but that is not a concern. All this employee really thinks about is telling everyone about the pearls of wisdom pouring forth from his or her allegedly superior brain every few minutes. If some hacker happens to jump in and become an “untrusted insider,” well, that’s just too bad. The company should have safeguards to prevent that from happening.

The irony is that every company does have a safeguard to prevent this from happening. That safeguard is a set of policies for Internet access and a set of employees who respect and value their places of business enough to follow those policies. Many organizations lack a sensible policy, and that is a shame, but a correctable one. On the other hand, lots of social media acolytes are only too happy to try and bypass their companies’ policies in order to satisfy their insatiable lust for attention.

That problem is much harder to solve. If you are fortunate enough to be able to identify a “trusted selfish insider,” however, you would be wise to move such an individual into the “untrusted” category.

Ara C. Trembly (www.aratremblytechnology.com) is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.

Readers are encouraged to respond to Ara using the “Add Your Comments” box below. He can also be reached at ara@aratremblytechnology.com.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.
