Security planners are racing to close gaps across networks and ICT infrastructure. But they have overlooked a Trojan horse already inside the gate, Attorney-General George Brandis has warned.
This Trojan horse is the trusted insider, an internal staff member with unprecedented access to intelligence as well as government and business information, Brandis warned delegates at a 'Government in Security' conference this week in Canberra.
He said that a trusted insider with unmonitored access to information can cause considerable damage because "they know how things work."
Brandis added that classified material that filled a suitcase is now stored on a microchip no larger than his thumbnail.
“The amount of classified information that we hold has grown exponentially,” he said.
A trusted insider can source sensitive information through networked computers and copy and transfer this with ease.
“That is why the two largest breaches of Western intelligence have occurred only recently,” he said.
The stakes are getting higher, as demonstrated by the high-profile Edward Snowden and Bradley Manning incidents involving US intelligence and government, he said.
“Bradley Manning copied thousands of classified documents while working as an intelligence analyst for the US Army. He leaked a quarter of a million diplomatic cables and half a million army reports to the website WikiLeaks.”
Know your staff
The common assumption is that sophisticated hacking or viruses are the biggest concerns, he said.
“These are threats but the reality is that the most likely source of a breach, whether accidental or deliberate, is not a hacker. It’s not a person that puts malware into the system. The most likely source of a breach is one of your own staff.”
To tackle insider risk, it is critical to continually vet and monitor staff’s suitability to access information, he said. “This should never be under-estimated.”
With staff vetting arrangements, “it’s not enough to simply ‘tick and flick’ an application every few years.”
He added that a trusted insider can only be thwarted by a robust security culture that is shared, observed and managed by everyone within an organisation.
Among the remedies, the Attorney-General’s Department is sharing a new handbook 'Managing the insider threat', which details how to understand the insider threat.