Should cyber security be an employee KPI?

Australian enterprises need to be more aware of the threats posed by trusted insiders, according to former US Central Intelligence Agency chief technology officer Bob Flores.

Bob Flores.

Flores made the comments during a keynote speech at the Connect Expo in Melbourne, where he also argued companies should include security awareness as performance criteria for staff. 

"Trusted insiders are probably the biggest problem you're going to run into. [Being a trusted insider] doesn't mean you can't be doing bad things – you can be doing bad things without even knowing you're doing bad things," Flores said. 

"When we're talking about an insider threat, we're often not talking about people who have a nefarious reason for doing what it is they're doing. Most insider threats come from people doing things inadvertently." 

The risk to businesses of poor security practices among staff can be reduced by creating a culture of security and making sure all staff understand part of their role is managing risks, he said.

"I'd submit that 80 percent of companies I've dealt with don't take that attitude. You ask them who's in charge of cybersecurity and they say 'it's that person over there' and that's the wrong answer," Flores said. 

"Everyone in the company should have, as part of their performance evaluation, how they treat security. 

"Employees have to be educated about security, and they have to be educated again and again and again. You can't do it once as they come into the organisation, they have to learn about it until they retire." 

Another aspect of the insider threat is disgruntled former employees, according to Flores, which can be mitigated in some cases through business cooperation. 

"They might be someone who works for ANZ, and then gets a job for Commonwealth instead and says 'I'm going to take some data with me when I go because it will make my life easier there'," he said.

"A very celebrated case happened in the US where... [someone] took some secrets out of Coca-Cola, went to PepsiCo, and said 'I'd really like a job here, and to show you what a great person I am, I'm going to offer you data from Coke. 

"What Pepsi did is they phoned up Coke and said 'did you know'. That woman is now in jail." 

Network segmentation and using different encryption methodologies are another means of controlling insider threats, Flores said. 

"You have to segment your networks. If your networks are too flat, it's the equivalent of a house with a  lock on the front door on it, but if you break that lock, the jewellery... [or] guns are lying all over the place instead of being in their own safe," he said. 

"You need to encrypt your data. But you need to do it in such a way that you treat some data as different to others. 

"If you send someone an email saying 'let's meet for lunch', no-one cares. But if you send an email saying 'I want to buy your company for $1 billion', lots of people will care about that, because that's market changing information."

The San Bernardino iPhone 

Flores also weighed in on the debate about whether Apple should have provided the US Federal Bureau of Investigation assistance with unlocking an iPhone belonging to one of the San Bernardino shooters. 

"A lot of people say [the FBI] wanted to break the encryption. That's not what they wanted to have done," Flores said. 

"For those of you who have an iPhone, you will know that If you have a passcode on it, you get 10 tries to unlock it, and then that data's gone – it's erased. It may still be in the cloud, but your phone is a brick. 

"So what the FBI [said] is that they wanted to have an infinite number of tries, because if we do then we're confident we can get in and the phone decrypts itself." 

Flores argued companies such as Apple had an obligation to help government agencies "keep up" with encryption technology. 

"You have to understand that it's incredibly difficult for the white hat hackers – the good guys – to keep up with technology," Flores said. 

"So as Apple changes their encryption schemes and doesn't release them, there's no law that says they have to give that to the government, and that makes life difficult for the FBI."

Andrew Sadauskas attended the Connect Expo as a guest of Intel.