As attacks on corporate networks become more common, companies are getting more adept at protecting their most valuable assets against cyber-threats outside the company. But it’s the insider threats that continue to elude many.
Not all insider threats are malicious or intentional, so it is paramount that companies differentiate between the two. The cases demand different response tactics: an internal employee who unknowingly grants unauthorized access to a user with malicious intent is a different problem from an employee with access to sensitive corporate information who tries to steal it from the company.
“One common misconception about building an insider-threat program is that it’s implying distrust of everyone in the organization,” says Randy Trzeciak, senior member of the technical staff for the Software Engineering Institute’s CERT Program. “There is a clear difference between insiders who are granted authorized access to certain assets and the threats they could pose to those critical assets.”
Another common misconception among companies is that insider threats can be mitigated merely by implementing tools or technology that can identify anomalous activity or behavior. “That’s a static solution to a dynamic problem,” says Keith Lowry, senior vice president of business threat intelligence and analysis at Nuix, an information management technology firm. “The first thing they have to do is recognize that this is a risk management problem, not merely an IT problem.”
One of the most important measures toward establishing a robust insider threat program is to have clear practices and policies from the beginning, supported by advocacy from the C-suite. Those practices and policies should describe, for example, what the program is, the scope of the program, who is responsible for the program, and how to communicate the program.
Policies and procedures are irrelevant, however, if individuals are unfamiliar with them, so improving processes and awareness through training and education is also essential. Companies may want to consider chanting the same “if you see something, say something” mantra that the Transportation Security Administration uses in airports, Trzeciak says.
Another major source of headaches: Employees who continue to be fooled into giving valuable corporate insider information to malicious actors through phishing scams or by being tricked into replying to e-mails that look like they are from legitimate sources, but really are not. This is a persistent security issue, and the companies that will be the most effective in addressing it will be those that give straightforward, simple instruction, says Ari Kaplan, principal of Ari Kaplan Advisors, a legal analyst firm.
A basic preventive measure, for example, would be to instruct staff members not to open any e-mail that looks unfamiliar or suspect and to forward it instead to their IT team. Actually getting people to act on that can be easier said than done, however, so testing can help show whether or not the education is working. In practice, Kaplan says, the IT department conducts simulated threats posing as a phishing scammer to see what actions employees take.
According to a report Kaplan authored, 39 percent of 28 information security officers interviewed cited “fear” as the most effective messaging strategy when educating employees about insider-threats. As one security officer at a life-sciences company put it, “best practices work best at higher levels of the organization, but fear is more effective with lower-level staff.”
The overall consensus was that mandatory training, praise for positive actions, and relevant examples from personal and professional perspectives are the most effective techniques for overcoming inadvertent employee errors, according to the report.
INSIDER THREAT PROGRAMS ON THE RISE
Below, in the Nuix Defending Data Survey, respondents answered questions about their insider-threat programs.
Given this shift, it was not surprising that 71% of respondents reported having an insider-threat program or policy. Of those, 90% had designated a senior official to provide oversight and 70% offered employee training in this area.
“The company employs intelligence teams that study different aspects of communications, user activity, social media, suspicious activity, and other details,” said one bank director.
“We just received the authority to reinvent the company’s insider-threat program; what was a program on paper only is now being funded and propelled forward companywide,” added an insurance executive.
Definitions of “Insider Threat” Vary
When asked to define the term “insider threat,” there was a clear theme among the responses, featuring the words “malicious,” “internal,” “authorized,” and “inappropriate.”
One financial institution CISO noted: “All threats are insider threats; once a hacker enters the company’s environment, it becomes an insider threat.”
“Not all insider threats are mischievous,” countered another financial institution CISO.
Those nuances characterized many of the other explanations, which varied to include the following simple and complex descriptions:
A malicious actor who is an internal employee.
People with access to data trying to sneak it out the door.
An internal employee who knowingly or unknowingly grants unauthorized access to someone.
An outside entity trying to get in by taking advantage through social engineering or a relationship to access internal data.
Any user activity that falls outside of the organization’s policy.
A person who is affiliated with the organization and through negligence or malice puts the organization at risk.
The usage of inside systems by authorized and unauthorized individuals in a seemingly nefarious way.
Someone with knowledge of the system who uses that knowledge to create or exploit a weakness.
One insurance executive explained that individuals interpreted “insider threats” according to their roles in the organization.
“If you speak with individuals in physical security, it could be a disgruntled employee with a weapon,” he said. “For those in finance, it could be an employee with high-level credentials secretly moving money or accessing intellectual property to endanger the company’s competitive landscape.”
Tracking Insiders Remains Elusive
“The overwhelming focus of discussions around cyber-security relate to protecting money and valuable information,” said Kent. “These are the primary targets for cyber-crime and cyber-espionage activities; private data and financial information are easily monetized on the black market and often very poorly protected.”
Given this sensitivity, almost all respondents (93%) reported being able to identify their critical value data and 100% said they were capable of detecting who retrieved that data.
“All organizations have roles allocated to users of particular data so they can monitor who is accessing it at any time,” said a financial services vice president.
Those numbers fall materially to 69%, however, when asking about whether their organizations know what people do with the critical value data after they access it.
“That is the hard part,” admitted an IT leader in the energy sector. “The company only knows when data is leaving its network; it is the inside looking out toward the perimeter as information leaves, rather than being maintained within the company’s environment,” explained an information security manager in finance.
Furthermore, if an employee or supervisor identifies anomalous activity or behavior, they should have the ability to confidentially or anonymously report the issue to an appropriate stakeholder—ideally, a senior-level executive with the authority to investigate the potential insider threat. Such suspicious activity may involve an employee who is downloading information at a higher volume than other employees, for example.
Security experts further recommend that various departments—such as IT, HR, security, legal, and compliance—be involved in the insider-threat program, which makes for a much more powerful layer of defense. “You’re starting to see a much deeper integration between those groups,” Kaplan says. “That integration is increasing the level of protection at a lot of organizations.”
Another important measure toward mitigating insider threats is to identify what data merits protection, and from whom. Who has authorized access to those critical assets? In what ways could individuals compromise those assets? “Different threats to different assets require different protection and detection strategies,” says Trzeciak.
Tracking insider activity seems to pose the most difficulty for companies. According to the report, most respondents said they were able to identify their critical value data and capable of detecting who retrieved it. Those numbers fell to 69 percent, however, when respondents were asked whether their companies know what people did with that data once they had access to it.
One solution may be to allocate roles to users of particular data so that the company can monitor who is accessing it at any time, as one financial services vice president suggested in the report.
Cloud usage and BYOD (bring your own device) policies further increase the risk of insider threats by blurring the line between personal and professional use, and by introducing devices into the workplace that effectively sidestep all official security procedures. For example, if an employee takes a picture of data on their personal smartphone, the employer has no way of knowing. “That’s a big challenge organizations are facing, that because it’s so much easier now to capture an image of a document on a screen that doesn’t necessarily connect back to any sort of monitoring system,” says Kaplan.
“If I’m accessing information in the cloud, I have to be mindful of where I’m accessing it and how those protections change depending on where I access information,” adds Kaplan. Those are some of the issues that are influencing the way in which companies are evaluating the actions they are taking today, he says.
Testing Insider Threats
In terms of testing their incident response programs to ensure compliance with current policies and practices, 18 percent of respondents to the report said they conduct annual audits against the policy. In general, most respondents said their companies test more frequently: 68 percent reported engaging in this process multiple times per year, 21 percent tested twice annually, and 32 percent did so at least quarterly.
Certain high-risk events can make a company particularly vulnerable to an insider threat and deserve careful monitoring. For example, based on actual cases CERT has analyzed, employees in a majority of cases stole intellectual property from the company within 30 days of giving their notice, says Trzeciak.
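The two detection signals the experts describe above, an employee downloading far more than peers and activity inside the 30-day window after giving notice, can be combined into a simple triage step. The script below is an added example, not code from the article, Nuix or CERT: the audit log and HR feed are constructed sample data, the median-plus-MAD outlier rule is an assumed design choice (a robust baseline that one heavy downloader cannot inflate), and the 30-day window is taken from the CERT observation quoted in the text.

```python
"""Added example: peer-relative download-volume outliers, escalated when the
user is inside a resignation notice window. All data below is constructed."""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed download-audit records, one per line: date user bytes.
DOWNLOAD_LOG = """
2016-03-01 alice 120000
2016-03-01 bob 95000
2016-03-01 carol 110000
2016-03-01 dave 105000
2016-03-01 erin 5400000
2016-03-02 alice 130000
2016-03-02 bob 90000
2016-03-02 carol 100000
2016-03-02 dave 115000
2016-03-02 erin 6100000
"""

# Constructed HR feed: user -> ISO date on which notice was given.
NOTICE_DATES = {"erin": "2016-02-20", "bob": "2015-12-01"}


def parse_log(text):
    """Sum downloaded bytes per user over the whole log."""
    totals = defaultdict(int)
    for line in text.strip().splitlines():
        _day, user, size = line.split()
        totals[user] += int(size)
    return dict(totals)


def robust_outliers(totals, factor=5.0):
    """Return (outliers, threshold): users whose total exceeds
    median + factor * MAD. Median and median absolute deviation are used
    instead of mean and standard deviation so that a single heavy
    downloader does not drag the baseline up and hide itself."""
    values = list(totals.values())
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1  # avoid a zero-width band
    threshold = med + factor * mad
    return {u: v for u, v in totals.items() if v > threshold}, threshold


def in_notice_window(user, as_of, notice_dates, window_days=30):
    """True if the user gave notice within the last window_days as of as_of."""
    given = notice_dates.get(user)
    if given is None:
        return False
    delta = (date.fromisoformat(as_of) - date.fromisoformat(given)).days
    return 0 <= delta <= window_days


def triage(log_text, as_of, notice_dates):
    """Combine both signals: volume outliers are 'review'; an outlier who is
    also inside the notice window is 'escalate' for the program owner."""
    totals = parse_log(log_text)
    outliers, threshold = robust_outliers(totals)
    findings = []
    for user, total in sorted(outliers.items()):
        severity = "escalate" if in_notice_window(user, as_of, notice_dates) else "review"
        findings.append({"user": user, "bytes": total,
                         "threshold": threshold, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in triage(DOWNLOAD_LOG, "2016-03-02", NOTICE_DATES):
        print(finding)
```

With the constructed data, the four ordinary users set a median of 220,000 bytes and a MAD of 30,000, so the threshold is 370,000 bytes; only erin exceeds it, and because her notice date is 11 days before the run date she is marked for escalation rather than plain review. A real deployment would baseline per role rather than across the whole company, which is the point the CERT guidance makes about different assets needing different detection strategies.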
As for responding to threats, nearly all respondents (96 percent) said they had an incident response readiness policy. Furthermore, the majority (85 percent) said their incident response team included legal counsel, public relations leaders, and crisis managers, among others from finance and accounting, information technology, compliance, regulatory affairs, risk management, law enforcement, privacy, cyber-insurance, and physical security.
If an organization does detect certain activities, at what point do you escalate the issue to an investigation or involve law enforcement? At what point do you take legal action? Companies should be prepared to have answers to those questions, says Trzeciak.
Many respondents to the report said that managing internal threats has received greater investment in the past year. According to the report, 21 percent attributed some of their security team’s spending increases to additional protections against internal hazards, and 14 percent of survey participants reported allotting 40 percent or more of their budget to insider threats.
However companies seek to protect themselves, Lowry says he expects that shifting of resources to occur even more in 2016, now that the issue of information security has taken center stage within most companies, and is now as important as profitability and overall good corporate governance.