Regardless of your industry, the size of your organization, or the type of business you have, insider threat is a menacing reality. In most organizations, this threat has been undervalued, underestimated and underfunded. It's the elephant in the room that no one wants to talk about because it means acknowledging that one of your own employees might take you for a ride. And, it requires taking several challenging and, to some, uncomfortable steps to combat.
We are seeing the tide turn on this issue. As we travel the country speaking with CISOs, we're hearing more and more that insider threat is becoming a top concern. A majority of organizations now acknowledge that they are vulnerable to an attack from an insider. A recent study by the Ponemon Institute found that 88 percent of those surveyed believe the risk of privileged user abuse will increase or stay the same in the next 12 to 24 months. At least we've moved past the denial phase. Yet the bigger problem is that almost everyone with whom we discuss this issue has no idea how to address it.
You need a strong strategy in place to deter a malicious insider and protect against the removal of your organization's most prized assets and information. Also, by implementing a robust strategy that includes controls, technologies and processes, you will protect against more than just the primary target. This strategy will double as a defense against other highly skilled external threats, who ultimately become insiders if they're able to penetrate the physical and/or virtual perimeter of your organization and access your corporate network. So, if you haven't realized it by now, it's time to consider turning your security strategy inside out.
Here are five issues you should think about when developing or revisiting your insider threat strategy:
1. It's a balancing act -- When inherent risk is compared with dedicated budget, organizations' security strategies fall significantly short on implemented technologies, processes and workforce education. According to the 2013 Ponemon study, 43 percent of organizations do not allocate budget specifically for investments in technology to reduce the insider threat. This is likely the case because they don't take into consideration the financial damage an insider might cause. Fifty-six percent of electronic crimes are assumed or verified to be the work of an insider, and the average cost per insider incident is $412,000, according to a recent report by the INSA. And that's just one incident. Imagine how quickly that can add up.
2. It's in your blind spot -- Because most insider activity is never identified, many organizations do not see it as a high priority. Yet an insider carrying out a malicious plan can leave with clean hands and bags full of an organization's assets. Even when an insider is caught, CERT reports that 82 percent of the time remediation is handled internally with no legal action. This is likely to avoid unwanted public scrutiny or other potential fallout for the organization due to the incident. Internal action continues to feed the culture of "it won't happen to me," as the issue is not broadcast in the spotlight. Just because you cannot see it or haven't experienced it yet doesn't mean it isn't there. Most likely, the threat is acting right in your blind spot.
3. It's a people problem -- Too many organizations have the misconception that insider threat is strictly a cyber security or technical matter. But FBI analysts stressed at the 2013 RSA Conference that this issue is a people-centric problem and must be handled with a people-focused solution, including a multidimensional and multidisciplinary approach. When it comes to improving processes, organizations are focusing on education to help employees understand policy and the importance of protecting information. Processes should be implemented and well defined and include strict onboarding and offboarding processes. An inventory of all organizational assets should be regularly updated and maintained, and established password and account policies and procedures should be defined, broadcast and enforced. Additional monitoring and technical controls around high-value and privileged users should be deployed.
4. It's an ongoing battle -- While people and process are the dominant elements, technology is a significant part of the protection against insider threat. New technologies are emerging to help identify and deter the problem. The best high-performing security organizations use advanced analytics to catch this kind of behavior on a regular basis by understanding the normal conduct of each peer group and the risks associated with them. These systems can monitor thousands of potential risks in real time and offer insight into risky behavior that can lead to data exfiltration. Other technologies exist to help with education or deterrence. Should behavior start down a potentially dark path, organizations can report these activities back to the employee to remind them that they are being monitored. And remember, you must educate and re-educate regularly as well as continuously monitor your employees to ensure you maintain the highest possible level of protection on an ongoing basis.
5. It's a trust issue -- Some information security leaders fear being seen as "Big Brother" or the bad guy. They are uncomfortable monitoring their employees, or they see their employees as trusted agents and want to view them in such a light. New technologies exist to help monitor employee behavior in a nonintrusive and effective way. Additionally, privacy laws pose some barriers to employers trying to implement a program. However, with full disclosure of the initiative, employers in most cases are protected. This disclosure also acts as a deterrent to bad behavior, killing two birds with one stone.
As you're developing your insider threat strategy, consider the benefit to your organization and the protections that this strategy will provide. It will defend against more than its definition. Take the 2012 South Carolina data breach, for example. A reported 3.6 million taxpayers' Social Security numbers were compromised and 387,000 credit and debit card numbers were exposed. This was the work of an external actor, a phishing attack to be specific. The individual was able to enter the organization's systems, appear to be a trusted insider, and reap the benefits.
In the situation above, implementing the proper controls and technologies, specifically behavioral and advanced analytics of patterns and connections, could have identified the unusual behavior on the system. Once such behavior is identified, incident response is vital. The launch of a forensic investigation will lead to the identification of the source. Regardless of whether the culprit was an insider or the mirage of one, robust insider controls could have identified a problem and, therefore, saved the organization from the incident.
The time has come to revisit the security strategy surrounding insider threat. According to the Intelligence and National Security Alliance, "a robust insider threat program integrates and analyzes technical and nontechnical indicators to provide a holistic view of an organization's insider threat risk from individuals identified as potential threat." We have the responsibility to protect our organizations and their most prized resources. Just as other security initiatives are vital to defending your assets and information, security leaders are called to acknowledge this problem under their jurisdiction and implement the required resources, personnel and technologies to moderate the risk of an insider attack. The implementation of a strong insider threat security program will support the overall security of your organization.
So, start turning that security strategy inside out.
Jason Clark and James Robinson are the Chief Security and Strategy Officer and Director of Information Security at Accuvant.