I’ll sound a bit like Captain Obvious for bringing this up, but it’s important to remember that security encompasses a lot more than protecting sensitive data from the specter of outsider threats like hackers. Properly implemented security policies also account for threat models that include insiders – the people within your own organization.
For example, while you as a DBA or IT professional might take security seriously, there’s decent evidence to suggest that many end-users don’t really get the point of proper security – to the point where some surveys seem to indicate that as much as 20% of employees in some organizations and areas of the world would actually sell their credentials for as little as $150. Personally, I tend to be a bit dubious of such surveys and their outcomes, but it still goes without saying that many end-users simply see security as a big hassle and problem. Ironically, it also appears that the harder IT tries to ‘push’ increased security in many organizations, the more end-users find ways to circumvent the additional policies and restrictions. Or, as one of my bosses once put it best: “I keep trying to make a more idiot-proof solution, but all I keep doing is making better and better idiots.”
And that’s just typical, run-of-the-mill end-users – the folks who simply don’t “get” the importance of security – as opposed to disgruntled or dishonest employees seeking to subvert internal security for their own benefit or agendas. Situations where rogue employees run amok are typically very ugly.
Take this data-breach at AT&T in Vermont about a year ago. I’m assuming the person who stole this data ended up doing some time in prison – though, the article in question doesn’t mention this at all. What is clear, though, is that the damage done to AT&T was very real and already done – whether this person went to jail or not.
And I bring all of this up because, typically, when I’m meeting with consulting clients to review security and assess the potential for threats, it’s very common for clients to focus solely on things like SQL Injection, external threats, patching details, and a host of other external concerns – while completely overlooking the insider angle altogether. So don’t forget the potential for insider threats when doing your own regular security assessments.