NASCIO: Employees are biggest IT threat

A new report suggests training and access audits to help curb insider threats.

State government chief information officers need to focus on information security threats within organizations as well as those coming from outside the firewall. That’s the view of a National Association of State CIOs brief released today. The report details five insider threats that “warrant effective CIO action.” Those are:

  • Malicious employees.
  • Inattentive, complacent or untrained employees.
  • Contractors and outsourced services.
  • Insufficient IT security compliance, oversight, authority and training.
  • Pervasive computing.

To address the insider problem, the report advocates a cooperative approach that involves the state’s executive management and human resources departments and the CIO’s office. “We’ve always had the focus on the perimeter, but everyone is beginning to take a strong focus on what is inside now,” said Tom Jarrett, Delaware’s CIO and co-chairman of NASCIO’s Security and Privacy Committee. “We’re beginning to do a lot of work to get people to understand that they have to be as cautious, if not more cautious, about issues inside the perimeter than they do outside the perimeter.”

The NASCIO report cites two prominent types of malicious insiders: information technology experts with the access and ability to crack systems, and disgruntled employees who might be tempted to steal data. NASCIO suggests auditing employee access to IT systems as one way to deal with the problem. In the case of disgruntled employees, the report recommends “cutting off access privileges before an employee is terminated or immediately after an employee resigns.”

The report suggests, however, that lackadaisical insiders are more of a threat than those who aim to do harm. Security breaches, the report states, “tend to stem from a general lack of attention to standard business processes rather than from a malicious intent to cause harm.” Security education and training address this problem, according to NASCIO. Educating employees on phishing schemes and social engineering can help secure IT, the report states. Jarrett said all employees, not just those in IT, need training. He noted that people may be appointed to IT jobs but may not have the right skill sets for them. Delaware last year required all network administrators in the state to go through a training and testing regimen that included IT security.

Another insider group, IT and non-IT contractors, routinely access a state’s IT resources, according to the report. NASCIO points to building IT security provisions into contracts as a step states may take to protect themselves. Those provisions would require contractors to adhere to the state’s security policies. “To ensure that IT security policies and procedures are legally binding, all contracts for services, whether IT-related or not, should include boilerplate language to ensure contractor compliance,” the report notes.

But putting a security policy in place for employees and contractors is not enough, according to the NASCIO brief. States must also verify that those governed by the policy actually follow it, according to the report. It recommends IT security audits and employee training.

The pervasive nature of technology provides still another challenge to state CIOs, according to the report. To address this threat, the report recommends that security become “a component in evaluating new technologies, developing new applications and deploying new IT systems and technologies.” In addition, the report holds that encryption may be a viable option for mobile devices – laptop computers and personal digital assistants, for example – that store or transmit sensitive data.

Overall, the objective of the insider threat brief is to raise awareness and highlight what NASCIO believes are the most significant threats, said Mary Gay Whitmer, senior issues coordinator at NASCIO. Whitmer said the insider security threat topic came up at a NASCIO Executive Committee meeting last fall. The new report is the product of NASCIO’s Security and Privacy Committee. Jarrett heads that committee with Brenda Decker, Nebraska’s CIO.