The people on the inside of our organizations are sometimes the biggest risk. Insiders who leak data, sell data or sabotage operations are hard to stop because they have legitimate access to the assets we are trying to protect. How can we handle this then?
- If employees fee untrusted and under surveillance, loyalty will drop. This can have a big impact on creativity and work performance.
- If you lock down computers and systems so much that getting the actual job done gets hard, people will use other ways to do their jobs – often referred to shadow IT. “No way to share files with external parties? Well, I’ll just use Google Docs from my phone. “
Are insiders all the same?
People do not all have the same motiviations, nor do people who act against the interests of their employers. There are many ways we can categorize insider threats, but the two main categories are:
- Unintentional insider threats: people who perform actions that weaken or threaten security but not because they have any malicious intent. This can be mistakes, lack of understanding, or that they are being tricked into doing things they do not understand. Most incidents have a component of “unintentional insiders”.
- Intentional or malicious insider threats: these are people who perform harmful actions, while understanding what they are doing. They may have different motivations for doing so.
Malicious insiders typically are motivated by one or more of the following driving forces:
- Anger/resentment against employer
- For achieving benefits for one self
- Strong motivation for external cause (political, religious, etc)
- Bribes from external parties
- Social manipulation by an external party
- Threats from external parties
How can we then look at the risk of insider threats? We should consider this as a combination of “actions with consequences” and the “likelihood or credibility of this occurring”. Reducing the risk from insider threats will then typically be activities in one of the following categories:
- Unintentional insider threats are most effectively managed by ensuring the stress level is not too high, and that people receive training and competence in using technology, as well as understanding cyber threats such as social engineering.
- Building motivation and loyalty. If employees are happy at work, happy in their personal lives and work for an organization where the organizational values align with their personal values, performing actions that hurt the organizaiton will not feel right. This aligns closely with category 1 about unintentional insiders.
- Training managers on detecting social indicators, such as human vulnerabilities. This can be financial problems, depression, or just expressed resentment against the company. Acting on clues like this, is an important part of managing insider threats.
- Making common insider actions detectable using technology. Finding the right balance is right – but the organization needs logs and visibility of the use of its IT systems to detect malicious use of its resources.
For an organization first starting to think about insider threats, the action types above are mentioned in prioritized sequence. Building a great working environment is the best antidote to high risk of insder threats.
Recommended insider program structure
You need to work on reducing insider threat risks if you have assets to protect – this is one of the largest contributors to data breaches.
A practical step you can take to ensure people have the right competence and thereby greatly reducing the unintentional insider threat, is provide time to learn, and make personal development a core part of working in the organization. This builds loyalty and competence.
Further, clarifying the values of the organization, and why you are doing the work you are, makes it easier for people to understand if this is an organization they want to be part of. Taking this into account from hiring to the way we do our everyday business, reduces the likelihood of having a large number of disengaged or disgruntled employees. Be a company people want to work for!
Security awareness training: this helps on multiple levels. First, it is important to let people understand how their actions can lead to security breaches, and what actions will improve security. Beyong that, if the organization understands how the threat landscape and the internal habits and ways of doing business both contribute to the overall risk level, the organization can draw great benefits from security awareness training. This is why Cybehave’s training is adapted to both the type of organization you are, and also to the always changing threat landscape.
You also need technical measures for good IT security, both for reducing the ability of insiders to do damage, and to detect and prove that it has happened after the fact. Key practices that have impact on insider threats are:
- Asset management: know what you have and that is important to protect
- Access control: least privilege access control ensures people cannot access things they do not have a business need to access. This reduces the possibility of a full compromise.
- Keeping systems patched and with appropriate protection (antivirus, firewalls) is important to avoid compromise by an employee that has been manipulated by an external party
- Logging access to key systems to detect unusual access attempts, especially privileged access, is a core security practice.
There is of course a lot more you can do technically, including the use of “Data Loss Prevention (DLP)” solutions but keep in mind that too much control (aka surveillance) will reduce motivation rather than reinforce it, and can also lead to increased use of unauthorized systems (such as personal Google Docs or Dropbox accounts).
Hinging on technical controls, as well as organizational ones, is detection and incident response. Someone needs to review critical logs and also check regulary who is authorized to access key resources. In addition, people should react to weird behaviors. Managers need to know what increases the risk and what are typical social indicators of a potential insider threat. Keep in mind that detection of insider threats is difficult, and although you may have both technical and social indicators, there may be perfectly valid reasons for this. Handling potential insider threats requires a good plan, and training. Three rules of thumb for the incident response plan are:
- Don’t jump to conclusions. Collect more evidence if you can before doing more (unless it is a crisis situation that needs to be handled immedaiately).
- Talk to the employee with an open mind. Don’t judge before you hear their side of the story. Keep it professional and stick to facts, not to feelings.
- Don’t throw empathy over board. Remember that people put under pressure by external parties can be at personal risk and that they may be reluctant to tell anyone.