The best IT security is not enough to protect against the determined insider
The most important lesson American businesses can learn from the Montes case is that IT security measures will not be enough to prevent the determined insider and a sophisticated intelligence service or competitor from stealing corporate secrets. Montes never removed documents from DIA. She never copied documents to a thumbdrive or CD, never sent them out by e-mail, or downloaded malicious software to open DIA systems to electronic exfiltration. Instead, she relied solely on her required access and memory to steal classified information and give it to the Cubans.
The recurring media coverage of cyber attacks on the U.S. public and private sectors have undoubtedly advanced the rapid growth of IT security industry solutions for predicting, preventing, and responding to cyber threats. Reliable IT systems and infrastructure are crucial to the successful management, stability, and growth of most American companies.
A major data compromise can be damaging to profits, prestige, and strategy, not to mention disastrous to a company’s competitive edge and downright embarrassing. Add the risk of a potential Snowden insider to the threat of a cyber attack, and American businesses can hardly be blamed for perceiving computer vulnerabilities to be the biggest risk to company security and in turn focusing their risk management efforts and spending on IT security.
As companies shop for expensive IT security software packages, hire information assurance specialists, or enter into contracts with IT security firms to provide up-to-date cyber threat intelligence, they should not overlook the threats posed to company data from traditional espionage tradecraft.
Not even the most robust computer security measures or the latest behavioral analytic/machine learning algorithms can defeat the insider who does not rely on a computer or the exploitation of to steal company information.
Ana Montes did much harm spying for Cuba. Chances are, you haven’t heard of her. (Washington Post, 18 Apr 2013)
The most dangerous U.S. spy you’ve never heard of (CNN, 11 July 2016)