Cyber Tactics / Cyber Security News

How to Reduce the Insider Cyber Threat

To best protect your company against internal abuse, it is helpful to understand the nature of the threat and to consider applying risk-based approaches to address the problem.

January 6, 2014

Let’s start with the good news. Malicious insider activity is relatively rare. Unfortunately, even though outsiders account for 85 percent of cybersecurity incidents, the damage often is substantially greater when an insider strikes. In order to best protect your company against internal abuse, it is helpful to understand the nature of the threat and to consider applying risk-based approaches to address the problem.

 

Nature of the Threat

Insiders have a unique opportunity to cause harm because a corporation’s internal security measures typically are easier to bypass than externally focused perimeter defenses. By operating from within a company’s offices and networks, insiders not only have enhanced access to their target, they also have the ability to observe technical gaps and lapses in policy enforcement, and to discover where the crown jewels are located. Insider risk also includes well-intentioned employees whose conduct unwittingly causes or contributes to a security incident.

 

Insider Threat by the Numbers

Similar to other criminal activity, the insider threat includes a wide range of actors, motives and techniques. The Software Engineering Institute at Carnegie Mellon reviewed more than 800 insider threat cases, and found that 85 percent of insider threats are employees of the victim organization. Contractors, subcontractors and trusted business partners rounded out the remaining 15 percent. The majority of incidents involve fraud (44 percent of the time) and the theft of intellectual property (16 percent). Nonetheless, a troubling 25 percent of the time, the insider’s goal is to conduct sabotage. Interestingly, most insiders (72 percent) committed their crimes during their normal working hours. However, 28 percent of insider crimes occurred before or after the employee’s normal working hours. Insiders are far more likely to act onsite at the victim location (70 percent of incidents) but, significantly, many act from remote locations (24 percent) or from both onsite and remote locations (6 percent).

 

Be Prepared

Organizations should consider creating an insider cyber threat program, led by a senior manager. This program would ensure that policies, resources and oversight are in place to assess and implement company controls that specifically deter, detect and mitigate the risk from employees, contractors and business partners. In addition to a company’s standard information security practice, insider threat programs should consider incorporating the following:

  • Pre-employment screening requirements, to include when and how to use personnel background checks.
  • Physical property inventories and audits that assign employee responsibility for their desktops, laptops, removable media, security tokens and access cards.
  • Continuous monitoring, logging and automated correlation of endpoint activities in order to: establish a baseline of normal behavior; provide real-time detection and alerts of anomalies; track data exfiltration methods, including the use of encrypted sessions, sending data to online storage providers, sending email with attachments to personal accounts, high-volume printer activity, and the use of removable media; implement rule-based mitigation responses; perform real-time damage assessments; and enable forensic analysis for use in disciplinary or criminal proceedings.
  • Enhanced auditing of higher-risk users, to include employees who: previously violated IT security policies or encouraged others to do so; express long-term job dissatisfaction; seek sensitive business information not required for their job; are placed on a performance improvement plan or who are pending termination; and are more likely to be targeted through social engineering.
  • Enhanced access controls and auditing of privileged users, to include a requirement that at least two individuals be present to complete certain high-risk tasks.
  • The ability to aggregate and correlate network logs, facility access logs and personnel records of higher-risk users to identify known or suspected misconduct.
  • Initiatives that promote the resolution of employee grievances and protect whistleblowers.
  • Employee awareness, training and testing specific to identifying and reporting insider threat indicators.

 

Be Inclusive

A successful insider threat program must include active participation from a company’s physical security, personnel security, information technology, human resources and procurement/sourcing staff. To be lawful, especially as it relates to the privacy and civil liberties implications of background checks, electronic monitoring and the sharing of sensitive personnel data, the program requires strong support from your legal department. Finally, as is the case with all risk management initiatives, the first step is for senior leadership to prioritize what data and systems require the greatest protection. After corporate priorities are established, applying proper controls becomes both manageable and worthwhile. 

 

About the Columnist:

 Steven Chabinsky is General Counsel and Chief Risk Officer for cybersecurity technology innovator CrowdStrike, which provides incident response services, cyber intelligence feeds, and a next generation, big data platform for continuous threat detection, attribution, and prevention. He previously served as Deputy Assistant Director of the FBI’s Cyber Division. 

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Steven Chabinsky

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

THE MAGAZINE

Security Magazine

April 2014

2014 April

In the April issue of Security magazine, read about integration partnerships and their growing success. The Boston Marathon bombing has changed the way integrators look at security for sporting events, see where they are one year after the tragic incident. Read about the 2014 RSA conference and this year's theme of "Threat Intelligence. Also, read about the latest products and news in the security industry.

Table Of Contents Subscribe

Background Checks

Who conducts background checks on new employees and contractors in your enterprise?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13