Insiders on the outside

Homeland Security Magazine has a very interesting case study on an insider threat case involving DirecTV. In this case, the insider was a sort of third-order insider, as they worked for the document management contractor of DirecTV’s law firm.

A few lessons for us infosec professionals from this:

First:  The definition of insiders expands as businesses continue to outsource functions which used to be done in-house.

Second: Vendor Risk Management programs need to pay special attention to law firms. These guys are like companies’ confessors; we tell them all of our deepest secrets and rely on them to keep things secret.

Third:  Trust no one.


Malicious data leaks and corporate liability – a tale of two countries

UKWaterCrisis had a link to a very interesting article about corporate liability for an employee’s malicious leaking of employee information. What was most striking to me was the contrast between cases in the UK and the US.

In the UK, a disgruntled employee leaked payroll data for 100,000 employees of a very large supermarket chain to newspapers in order to embarrass the firm after they were disciplined for bad behavior. The courts found that employees have the right to sue the supermarket chain for damages as they were “vicariously responsible” for the acts of their employee.

In contrast, a similar case in the US against Coca Cola had a very different outcome. A Coca Cola employee sold laptops which they were tasked with destroying, and these laptops contained personal information of employees. Employees sued, but the courts dismissed all of their claims, saying that Coca Cola could not have known about the rogue employee’s activities.

This case has a few lessons for infosec professionals:

First, if your firm operates in multiple jurisdictions, the laws and norms in these jurisdictions can be very different.  When judging risk and formulating policy, work with your legal departments to make sure you understand these differences.

Second, I feel that this case also shows the differences in attitudes to personal information in the US and the rest of the world.  It seems like the US does not value individual privacy nearly as much as other countries. Again, if you operate in multiple jurisdictions, you need to keep this in mind.

As the stakes get higher for organizations (for example $20M or 4% of global revenues for each breach of the EU GDPR), these are things we need to worry about.  Buy your general counsel a beer and talk it out before you have to deal with a lawsuit.


Insider Threat Resources – 01-Feb-2018

I have the privilege of serving as a mentor for a course at SUNY-Albany focusing on the problems posed by insider threats. Since I am SUCH a wonderful mentor, I will be keeping an eye out for interesting resources for the students. Since these might also be useful to others, I will be blogging a list of them each week.

Best Practices

Mitigating the Inside Threat: Boeing’s Successful Approach
Security Magazine – Feb 2018
Requires free registration to read (which seems to be busted right now – hope they fix this as it sounds like an interesting piece)

Updating our Knowledge of Insider Threats
Measuring Organizational Confidence in Addressing Insider Threats
Conference Board of Canada – Jan 2018

7 Insider Attacks Behavioral Analytics Detects
CSO Magazine 2018-01-31

Recent Insider Incidents

2017 US State of Cybercrime Highlights on Insider Threats
US Veterans’ Administration

Just Interesting

What the Count of Monte Cristo can teach us about Cybersecurity
IEEE Spectrum – Jan 2018
