Insider threat, one of the greatest drivers of security risks that organizations face
It only takes one malicious insider to cause significant harm. Typically, a malicious insider uses their own (or other employees’) credentials to gain access to an organization’s critical assets. Many organizations struggle to detect nefarious internal acts, often because of limited access controls and a limited ability to detect unusual activity once someone is already inside their network.
A significant number of executives fall victim to common misconceptions about insider risk and therefore do not believe that their organization’s own workers pose a significant threat. Even those who do find it challenging to make significant headway, as doing so requires tackling a host of thorny legal and HR issues. As a result, many organizations have underinvested in this area.
Our paper, The Increasing Threat from Inside: A Proactive and Targeted Approach to Managing Insider Threat, helps firms focus on the highest-risk areas and develop an effective and practical insider risk program.
In 2018, of the 5 billion records stolen/compromised, over 2 billion were a result of insider circumstances. (Risk Based Security: Data Breach Trends report 2018)
Organizations simply cannot afford to ignore the threat any longer. Companies are waking up to the fact that insider threat can pose considerable harm to their operational resilience, financial status, and reputation. Across industries, regulators, government agencies, and industry groups have signaled that organizations need to take insider threat seriously.
75% of companies believe they have appropriate controls to mitigate insider threat—but more than 50% of companies had a confirmed insider attack in the past 12 months. (Crowd Research Partners: 2018 Insider Threat Report)
Applying data loss prevention technology, monitoring software, or compliance surveillance tools is not enough. Organizations need to scale their diligence and defenses appropriately to their inherent insider risk exposure by integrating technology and organizational disciplines to identify, detect and mitigate risks before they materialize or cause harm.
Leaders in this area:
- Have the right level of senior stakeholder engagement,
- Use a risk-based prioritization of what to monitor and protect, and most importantly,
- Have implemented joined-up procedural arrangements with clear and tested roles and responsibilities to enable the right response when unusual behavior is identified.
Despite the growing consensus that insiders represent a considerable threat with potentially severe consequences, some organizations remain in denial. They fall victim to generally accepted myths that make them believe that “this won’t happen to us” (see Myth Busters below).
1. MYTH: A GOOD COMPANY CULTURE IS ENOUGH TO PROTECT AGAINST INSIDERS
TRUTH: A good company culture reduces the likelihood of disgruntled employees. But the motivation of malicious insiders can be driven by a variety of factors unrelated to the company’s culture, e.g., financial gain, ideology, desire for recognition. Over 50 percent of companies confirmed insider attacks in the past 12 months (Crowd Research Partners: 2018 Insider Threat Report).
2. MYTH: INSIDER THREAT COMES FROM CONTRACTORS
TRUTH: Permanent staff are typically with an organization longer and accumulate more access over time, so they represent a bigger threat. 56 percent of companies identified regular employees as the greatest security risk to organizations (Crowd Research Partners: 2018 Insider Threat Report).
3. MYTH: INSIDER RISK IS MITIGATED THROUGH THE GENERAL CONTROL ENVIRONMENT
TRUTH: Controls designed for other purposes may not be as effective against insiders (e.g., requiring people to have valid credentials to enter a building or log in), but they can be leveraged in an effective program.
4. MYTH: MALICIOUS INSIDER ACTIVITY CAN BE SPOTTED RIGHT AWAY
TRUTH: Many organizations have rules-based monitoring that will detect basic insider activity (e.g., an employee emailing large files to her personal email). But few organizations will detect more sophisticated insider activities (e.g., exploiting access they rightfully have, sending confidential information in the body of an email to a seemingly legitimate email address). On average, it takes organizations 72 days to contain an insider incident, with only 16 percent of such incidents contained in less than 30 days (Ponemon Institute 2018 Cost of Insider Threats: Global. Includes accidental insiders, malicious insiders, and credential thieves).
5. MYTH: DATA LOSS PREVENTION (DLP) IS AN EFFECTIVE INSIDER RISK PROGRAM
TRUTH: DLP is a component of, but not the same as, an insider risk program. DLP can help prevent exfiltration of data by an insider. But it provides little protection against other malicious acts (e.g., destruction of assets, fraud).
6. MYTH: INSIDER THREAT IS ONLY AN ISSUE FOR STRATEGIC INDUSTRIES
TRUTH: Many of the highest-profile events have been in “strategic industries” with leading-edge innovation or R&D, national defense capabilities, or highly valuable data (e.g., medical records). However, companies in all industries (Ponemon Institute 2018 Cost of Insider Threats: Global. Includes accidental insiders, malicious insiders, and credential thieves) and all sorts of government bodies have had material events caused by an insider.
7. MYTH: RECRUITING HAS A GOOD PROCESS TO FILTER OUT POTENTIALLY MALICIOUS EMPLOYEES
TRUTH: People do not need to have malicious intentions from the start. Changes in personal or economic circumstances may create incentives for malicious activity over time.
Taking a practical approach to insider risk
Start Small and Focused
Implementing an effective insider risk program requires a design tailored to the specific culture, processes, and risks of the organization. It’s important to start small and focus on a clearly defined high-risk employee sub-group to work through the organizational issues that need to be solved. Our paper describes a practical approach to designing and implementing a successful insider risk program.
With insider threat only increasing in prominence, organizations simply cannot afford to ignore the threat. Getting it right will deliver clear benefits, but delays could be costly. Take a proactive approach to managing insider risk – start small, but start now.