Infosecurity Europe 2012: The insider threat - is it real?

You might argue that a threat is a threat, and that a hacker who gets through the perimeter is effectively an insider. Nevertheless, it is clear that security officers working at the coalface consider the insider threat to be separate, severe and growing. The insider is a member of your own staff, and the threat he brings can be through naive behavior or through malice. Naivety can lead to data loss, which can lead to brand damage and regulatory fines. Malice can cause damage to systems, internal strife, loss of reputation, or provide an entry point for outsiders.

Julian Jeffery, head of policy and corporate reporting - fraud & security at Telefónica, and James McKinlay, group IS security and audit manager with the Manchester Airport Group, discussed the insider threat at Infosecurity Europe 2012, and both take it very seriously. The key is staff vetting: it is better to find unacceptable staff before you employ them. "We have a robust joining process," explained Jeffery. The vetting is limited to the role concerned, which means that role changes in employment may mean further checks in the future.

Getting the right people in the first place is vital. Improvements in traditional security, he added, make it harder for the outside hacker to gain access. Hackers are turning to the insider to provide the route in. This can be through spear phishing and social engineering. However, with one company part of the national infrastructure and the other an archetypal terrorist target, both Jeffery and McKinlay were aware of the potential danger of 'sleepers': a criminal/terrorist infiltrating the organization as a legitimate member of staff.

The key to tackling the insider threat is fourfold: initial and continuous vetting; a strong and enforced security policy (including a policy to handle staff use of social networking); continuous education; and especially an efficient and rapid deprovisioning capability. This last applies to internal staff movements and, in particular, to firings and redundancies. The last thing an organization needs is an unhappy ex-employee with access to sensitive company data.
