True story (or so I’m told): Web mail accounts were strictly prohibited by corporate policy, and the ban was enforced by filtering software, so the prospective customer assured the technicians from Reconnex that there would be no need to check for this particular security threat as part of the vendor’s free 48-hour e-Risk Rapid Assessment.
No harm in checking, the techs assured.
And, of course, they did find Web mail, the first of which bragged: “Hey, I finally figured out a way to get around this ban on Web mail.”
Author Dan Verton, a former Computerworld reporter, has collected buckets full of such tales — many of them far more serious, some downright criminal — in his new book entitled The Insider: A True Story. While every IT professional already knows that security threats from within are often most dangerous, the book shines a spotlight directly on the depth of the problem.
There are examples and anecdotes aplenty plucked from today’s headlines and recent history — who knew that the cosmetics industry was so cutthroat? But the book’s most telling tales are gleaned from the first 50 of those risk assessments conducted by Reconnex, a start-up headed by veteran entrepreneur Don Massaro.
“This is real live information taken from large companies and agencies, and in some cases where the person who’s doing the criminal activity has not been caught,” says Verton.
A pretty picture it isn’t, either for the IT executives learning the unvarnished truth or the wayward employees caught red-handed abusing company networks and ignoring policies.
One major advantage of the Reconnex reports, according to Verton, is that the information is presented in a format that is easily digestible not only by IT executives but also by business managers.
“You don’t have to be an IT security expert; it’s not bits and bytes,” he says. “Managers can do the live forensics on this data and you can see the e-mails, you can see the content of Web postings, you can see the content of FTP traffic, of instant messages, of attachments of all kinds, including encrypted attachments.”
Near the end of our chat, I asked Verton whether any of the 50 risk assessment reports he read painted a picture of an organization fully in control of its insider threat vulnerabilities.
There’s no risk in letting me know what you think. The address is firstname.lastname@example.org.