Your data is your business. And if you're not vigilant about your employees' access to that data, you're going to end up out of business. That's the advice of Patricia Titus, current CISO of Unisys and former CISO of the Transportation Security Administration.
Titus has first-hand knowledge of the insider threat in both the public and private sectors. We interviewed Titus about how she is managing this risk at Unisys through a combination of new technology and end-user education. Here are excerpts from our conversation.
Q: What trends are you seeing regarding the insider threat?
Titus: Probably the biggest problem is the consumerization of IT and the newer technologies which allow mobilization. While it increases efficiency, it also creates opportunity. As you start rolling out mobile applications, you want to get information into the right hands, but perhaps your access control isn't as good as it should be.
Q: Do CISOs and CIOs realize what a big threat insiders are versus outside hackers?
Titus: Actually, we do. We do recognize the issues with our employees and data access, and that access management is a big problem. It's a problem in the public sector, and it's a problem in the private sector. Probably we are more focused on it in the private sector because data loss can be so damaging. We are spending resources to protect against the insider threat because of the amount of intellectual property we have and how valuable that information is outside the country. Especially for systems integrators like Unisys, the opportunity for employees to walk out of the building with our intellectual property so they can use it on the next contractor is quite great. There's a lot of right-sizing and a lot of transition in companies. Humans are creatures of habit, and as you try to change organizations to be more efficient, employees are unhappy. They might have access to HR information, and somebody forgot to remove their access. Employees are looking at an opportunity and thinking [they] won't get caught. CISOs and CIOs recognize this threat and are implementing those technologies that will catch the nefarious actors.
Q: What technologies are CISOs deploying to address the insider threat?
Titus: One that we're getting ready to deploy is data-loss prevention technologies. The other is making sure that you are really looking at your access controls, to see who has access to what system and do they have the authority. That can be laborious, but it's critical. Lots of companies do an annual re-assessment of access control. We're finding out at Unisys that we're going to have to do it more frequently based on employee turnover. You need to make sure that you've got your applications tied to your Active Directory and make sure that your access is behind firewalls so that when you remove a person's domain, you remove their access to everything.