Editor’s Note: Excerpts of this post series were originally published by ACI-NA.
While cybersecurity threats can come from a variety of sources, it can be the insider threat that causes organizations and cybersecurity practitioners the most headaches. As the aviation industry grapples with cybersecurity, is it prepared to look not only at external threats but also at the ever-present insider threat?
Within every organization, employees are provided some level of trust to perform their duties and responsibilities. The most obvious are the information technology staff, who may have access to everything from financial data to airport security plans to email. But there are many other employees that also have access to systems and the infrastructure that supports those systems. The accounting staff have access to the accounts payable system. The public safety staff may have access to confidential credential information. The human resources staff have access to sensitive personnel information. Even the cleaning crew may have access to the areas where servers are located, system fiber enters the building, and back-up media are stored. Add to this a variety of contractors embedded in your working environment, and the potential for human-caused vulnerabilities is very high.
Most organizations firmly believe that their own employees and contractors would never do anything purposefully to harm the airport organization. And, in most cases, that is absolutely true. However, the insider threat doesn’t always come as a result of a planned action with mischief or corrupt intent. Sometimes, it is just an employee making a mistake or taking a short-cut to get the job done more quickly or, more frequently, checking their social media accounts. Oftentimes, the threat doesn’t even involve an online activity. It could be an employee leaving their password on a sticky note on their monitor or providing internal information to someone who shouldn’t have that information.
The RAND Corporation defines an insider threat as “any authorized user who performs unauthorized actions that result in loss of control of computational assets.” The assets can be data, processing power, system availability, and equipment. The critical phrase in the definition is “authorized user.” If the perpetrator of an attack is not an authorized user, they are not an insider threat.
Over the years, this definition has been expanded by the National Cybersecurity and Communications Integration Center, an agency within the Department of Homeland Security, to include former employees, contractors or business associates who have inside information concerning the organization’s security practices, data and computer systems. Even though they are no longer associated with the airport’s organization, the inside information they still possess can be quite harmful if it is used for malfeasance.
The motivation for an insider’s planned attack can be monetary gain, revenge on a supervisor or co-worker, anger at the organization, curiosity about confidential information, or simply the desire to satisfy their ego by getting away with an attack. Insider errors that result in a loss of computational assets can stem from employees taking shortcuts, lack of knowledge, failure to follow organizational policies and procedures, and simple carelessness.
By its very nature, security is inconvenient. The stricter the security requirements imposed, the more inconvenient they become. While many employees understand that there are external threats that must be thwarted, they are less focused on insider threats and find internal security measures a nuisance and something to be ignored.
In the next post in this series, we will talk about the specific steps that airports can take to develop a cybersecurity culture and help mitigate the insider threat.